This repository was archived by the owner on May 9, 2026. It is now read-only.

Security: clearcms/clear-legacy

SECURITY.md

Security

Reporting a vulnerability

Please email security@clear-cms.com with the details. We aim to respond within 3 business days.

If the issue is critical and time-sensitive, also include a brief subject like [urgent].

Please do not open a public GitHub issue for security vulnerabilities. We'll coordinate disclosure through email so that affected users have a chance to patch before details go public.

What's in scope

  • Anything in this repo (apps/admin, packages/*)
  • The published npm packages under @clearcms/*
  • The bucket protocol itself (path traversal, schema validation, etc.)

What's not in scope here

  • The clear-cms.com marketing site (report there via that site's footer).
  • Third-party packages clear depends on (please report to those projects directly; we'll bump dependency versions as fixes land).

Responsible disclosure

We follow a 90-day disclosure window by default. If you've reported a confirmed issue:

  1. We acknowledge receipt within 3 business days.
  2. We'll keep you updated on remediation progress.
  3. Once a fix is released, we'll credit you in the changelog (unless you prefer otherwise).
  4. After 90 days, the details may be made public regardless of fix status, so please give us a chance to patch first.

Bounty

We don't have a formal bounty program yet. We do try to send a small thank-you (swag or a donation to a charity of your choice) for confirmed reports — email us with your preference when you report.

There aren't any published security advisories