This document describes the security policy for Primo CMS.

1. When you find a vulnerability related to Primo CMS, report them via email to security@palacms.com. Do not send the information anywhere else. Note that issues section is not the place for vulnerabilities.

2. The Primo team reviews the report in one full week and gets back to you with instructions on how to proceed.

3. You must keep vulnerability as a secret until it has been patched and you have received a written permission from the Primo team to publicly disclose the vulnerability. The permission will be sent from email address attached to palacms.com domain name.

4. To ensure that the Primo team keeps the software secure and its users safe, you may provide a deadline for the vulnerability disclosure. The deadline must be at least 90 days and should follow established practices on security research and vulnerability disclosure.