Product Security

Security is an area of paramount concern in commercial software development, and at Tiny, it’s of highest priority. We recognize the potential risks such as data breaches and their legal consequences, so Tiny emphasizes embedding security at every stage of product development.

With TinyMCE used in over 100 million products, including those in critical sectors like finance and government, the company's dedicated InfoSec team collaborates closely with the engineering teams to promptly address security vulnerabilities.

To maintain TinyMCE’s product security, Tiny employs the following processes to ensure a high level of product security is maintained at all times:

• Dedicated InfoSec Team
• Continuous automated Codescans during development and post release
• Automated Static analysis code scans
• Peer code reviews
• Manual and automated QA assurance process
• Network of security researchers, developers and customers reporting security vulnerabilities
• Annual Pen tests conducted by an independent security firm
• Frequent patch releases and security updates

To further enhance security for customers who are integrating TinyMCE into their applications, TinyMCE offers customizable security configuration options to suit different use cases. See the Security Guide documentation for details.

How to report a security vulnerability to Tiny

This covers all security matters relating to Tiny's digital presence - including websites, blogs, product portals and all software products.

Please forward all security reports to infosec@tiny.cloud. The report should include a replication case so we can reproduce the vulnerability.

The Tiny InfoSec Team reviews all vulnerability reports sent to infosec@tiny.cloud. Once Tiny has completed reviewing the vulnerability and can replicate the issue, Tiny will share its remediation response plan with you and discuss public disclosure time frames.

Disclosure policy

Tiny has a 90 day disclosure policy once a vulnerability has been verified. After a security patch has been released, Tiny will disclose the vulnerability through these public sources:

• Mitre CVE
• Github GHSA
• Product release notes

Bounties and rewards for finding security vulnerabilities

Tiny does not offer any cash rewards or bounties for finding security vulnerabilities. Once a vulnerability has been verified and patched, Tiny will attribute you as the finder for the security vulnerability in Tiny’s public disclosure.