| 1 | +# Security Policy |
| 2 | + |
| 3 | +Decap CMS takes security seriously. This document outlines our security policy, supported versions, and how to report security vulnerabilities. |
| 4 | + |
| 5 | +## Supported Versions |
| 6 | + |
| 7 | +Security updates are provided for: |
| 8 | + |
| 9 | +| Version | Status | Lifecycle | |
| 10 | +|---------|--------|-----------| |
| 11 | +| 3.x | ✅ Actively Supported | Current stable release | |
| 12 | +| 2.x (Netlify CMS) | ❌ Unsupported | Legacy - no updates | |
| 13 | +| 1.x (Netlify CMS) | ❌ Unsupported | Legacy - no updates | |
| 14 | + |
| 15 | +**Note:** Decap CMS was renamed from Netlify CMS in February 2023. Versions 1.x and 2.x are no longer maintained. We recommend upgrading to version 3.x for security updates and new features. |
| 16 | + |
| 17 | +## Reporting a Vulnerability |
| 18 | + |
| 19 | +If you discover a security vulnerability in Decap CMS, please report it **confidentially** through GitHub Security Advisories. This allows us to investigate and address the issue without exposing it to the public until a fix is ready. |
| 20 | + |
| 21 | +**Submit your report at:** https://github.com/decaporg/decap-cms/security/advisories/new |
| 22 | + |
| 23 | +### What NOT to Do |
| 24 | + |
| 25 | +- Do not open a public GitHub issue for the vulnerability |
| 26 | +- Do not post details on social media or public forums |
| 27 | +- Do not attempt to exploit the vulnerability beyond confirming it exists |
| 28 | +- Do not access data beyond what's necessary to demonstrate the issue |
| 29 | + |
| 30 | +## Response Timeline |
| 31 | + |
| 32 | +This project follows a 90-day disclosure timeline. |
| 33 | + |
| 34 | +## Security Practices |
| 35 | + |
| 36 | +- Dependabot is enabled for automated security update checks |
| 37 | +- All code changes are tested in CI, including linting |
| 38 | +- End-to-end tests provide coverage of critical functionality |
| 39 | +- All pull requests require code review before merging |
| 40 | +- Passwords are not stored by Decap CMS; authentication is delegated to providers |
| 41 | + |
| 42 | +## Known Limitations |
| 43 | + |
| 44 | +- This is a **community-maintained open-source project**, not a commercial product with dedicated security resources |
| 45 | +- Security depends on the stability and practices of underlying dependencies and backend providers |
| 46 | +- Some vulnerabilities in dependencies may not be immediately patchable if they break backwards compatibility |
| 47 | +- This is a project with a long history, and many legacy dependencies can't be updated without significant refactoring |
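Review bot: the `## Response Timeline` section is underspecified; a single sentence ("This project follows a 90-day disclosure timeline") tells a reporter neither when to expect an acknowledgement nor what the 90 days are measured from or what happens when they elapse. Add an acknowledgement target (e.g. "we aim to acknowledge reports within N business days"), state that the 90-day clock starts at report receipt, and say explicitly whether the reporter may publish after 90 days if no fix has shipped and whether the project will publish a GitHub Security Advisory (and request a CVE) when a fix is released. Relatedly, the `## Reporting a Vulnerability` section would benefit from a short list of what a useful report contains (affected Decap CMS version, backend/provider in use, reproduction steps, impact) and a fallback contact in case the reporter cannot use the GitHub advisory form, since the policy currently depends on that one channel.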