
Kirby & Security

The current state of Kirby's security releases, AI-generated reports, and what this means for your projects…

Since Kirby started in 2012, we've been fortunate to have a good track record with very few security issues. Over the years, large companies have adopted our software, and as part of their adoption process Kirby's source code has been handed to multiple security companies and researchers to find issues in advance.

In our team, we've also established a careful process to avoid security issues early on whenever possible. We follow industry best practices closely, have a thorough review process for code changes to look out for potential security risks, and react quickly whenever a vulnerability report does come in.

Over the last one to two years, we've seen more and more AI-generated or AI-assisted security reports that have kept us busy. Until recently, those reports were detailed but almost always inaccurate. We still reviewed each of them with the required care to make sure we didn't miss a report that was actually valid, and that review work was the biggest source of overhead.

Since March 2026, however, we've received a set of reports with a much higher accuracy rate and overall better quality. Rumours about Anthropic's new Mythos model have been making the rounds in the tech industry, and we've seen lots of new security issues pop up everywhere around us. It became clear that we are not alone and that something has changed significantly. Doubts arose about whether those reports really came from Mythos, but it did not really matter. AI models seem to have become good enough in recent months to find issues that security researchers were not able to find before, or at least not with that frequency and accuracy, whether in big frameworks, the Linux kernel, browsers, low-level open-source packages or even your robot vacuum.

As a first reaction, we let our community know early, on Discord and in the forum, and tried to be as transparent about it as possible. We shipped the first big set of security fixes after three very intense weeks of work and managed to patch all issues quickly. But we already guessed that this was not the end. Soon after our first release, we received more reports.

This is why, going forward, we have decided to move security releases to a monthly schedule. This provides a more stable timeline for future updates and allows developers to plan the rollout of such patches predictably. When needed, these security releases will take place on the Wednesday of the third week of each month. We will also confirm in advance whether a release will actually happen that month; if there are no new issues, there will of course be no new release. We will always break this monthly cycle for actively exploited vulnerabilities (zero-days) or for issues rated critical under CVSS.

To be clear, valid reports are not a bad thing. As long as a vulnerability is reported to us responsibly before it is exploited (which has always been the case so far), those reports really help us make Kirby more secure.

But it requires a lot more work and resources on all sides. For you and for us. This is something that we are very aware of and we do not take this lightly. That's why we want to get all of this right together with you. We believe that we can get out of this in a good and controllable way, but it needs honest communication and collaboration.

What we will do

  • We've already invested a lot of time in the past in code quality, automated testing and quality assurance, and we will double down on that.
  • We will keep reacting to security issues as quickly as possible, but also as carefully as possible. We will take our time to fix things right, to not introduce new vulnerabilities or regressions.
  • We will keep our source code public. While other companies and organisations have decided to hide their source code to avoid the onslaught of reports, we believe that full transparency is the better and more sustainable long-term decision.
  • To address the problem of valid AI-generated reports, our only realistic option is to actively run our own AI-assisted security research to find issues before they are reported to us. It has become clear that we as humans are not able to find the same number of issues ourselves, even when we really try. That's concerning and not something we like, but it's the current reality.
  • We will always be honest with you. We don't hide any of this and we will not sugar-coat it either.

What you can do

  • We can only recommend installing the security updates as quickly as possible. With our new monthly security schedule (see above), you already know in advance when a security release will happen, and you can plan ahead accordingly.
  • Make sure that you have a solid deployment process to be able to update and test your installations quickly and effectively.
  • Follow our announcements closely on Discord, in the forum or via RSS.
  • Check our security support table for supported versions. If you are still running a very old Kirby version, please try to upgrade to Kirby 5. Otherwise, we won’t be able to provide patches for you.
  • Report issues responsibly according to our security policy if you run your own (AI or human) research and find something we haven't found yet.