Please email security@clear-cms.com with the details. We aim to respond within 3 business days.
If the issue is critical and time-sensitive, also include a brief subject like [urgent].
Please do not open a public GitHub issue for security vulnerabilities. We'll coordinate disclosure through email so that affected users have a chance to patch before details go public.
In scope:
- Anything in this repo (apps/admin, packages/*)
- The published npm packages under @clearcms/*
- The bucket protocol itself (path traversal, schema validation, etc.)

Out of scope:
- The clear-cms.com marketing site (report there via that site's footer).
- Third-party packages clear depends on (please report to those projects directly; we'll bump dependency versions as fixes land).
We follow a 90-day disclosure window by default. If you've reported a confirmed issue:
- We acknowledge receipt within 3 business days.
- We'll keep you updated on remediation progress.
- Once a fix is released, we'll credit you in the changelog (unless you prefer otherwise).
- After 90 days, the details may be made public regardless of fix status, so please give us a chance to patch first.
We don't have a formal bounty program yet. We do try to send a small thank-you (swag or a donation to a charity of your choice) for confirmed reports — email us with your preference when you report.