Skip to content

Security: withstudiocms/apollo

SECURITY.md

Security

Thanks for helping make withStudioCMS safe for everyone.

withStudioCMS takes the security of our software seriously, including all of the open source code repositories managed through this GitHub organization.

Table of Contents

Reporting a Vulnerability

If you think you've found a security issue, please DO NOT report, discuss, or describe it on Discord, GitHub, or any other public forum; without prior contact and acknowledgment of withStudioCMS's Security team.

To report a security issue, please open a security advisory on the GitHub repository with a detailed description of the issue, the steps you took to create the issue, affected versions, and, if known, mitigations for the issue.

Please include everything necessary to reproduce the issue, including but not limited to a publicly accessible git repository. Please don't add explicit details about the security issue you are reporting in any of the repository's contents. All code samples shared with our Security team will only be used to verify and diagnose the issue and will not be publicly shared with anyone outside of withStudioCMS's teams. withStudioCMS's Security Team members may share information only within the withStudioCMS teams on a need-to-know basis to fix the related issue in withStudioCMS.

Our Security team will respond to the security advisory within 3 working days.

This project follows a 90 day disclosure timeline.

This is detrimental to the safety of all withStudioCMS users. No exceptions.

Embargo Policy

withStudioCMS's Security Security Team members must share information only within the teams on a need-to-know basis to fix the related issue in withStudioCMS. The information members and others receive through participation in this group must not be made public, shared, or even hinted otherwise, except with prior explicit approval (which shall be handled on a case-by-case basis). This holds true until the agreed-upon public disclosure date/time is satisfied.

In the unfortunate event that you share the information beyond what is allowed by this policy, you must urgently inform the withStudioCMS Security Team of exactly what information leaked and to whom, as well as the steps that will be taken to prevent future leaks.

Repeated offenses may lead to the removal from the withStudioCMS Security team.

There aren’t any published security advisories