Responsible disclosure
Do not open a public issue for authentication bypasses, tenant isolation bugs, exposed documents, invite/reset bypasses, or secret exposure. Use the private vulnerability reporting path in the GitHub repository.
Security
Acorn CCMS handles sensitive child, family, staff, medical, attendance, compliance, billing, and centre operations data. Public use should begin with a security review, not blind deployment.
Before using Acorn CCMS with real centre data, review authentication, backups, logging, retention, storage access, email delivery, tenancy boundaries, and incident response.
Use strong secrets, private object storage, TLS, monitored backups, least-privilege provider credentials, and a clear operational owner.
Centres that want help preparing a deployment can request paid implementation and production-readiness support.