We take the security of Contentstack Bridge seriously. If you have discovered a security vulnerability, we appreciate your help in disclosing it to us in a responsible manner.
-
Do not report security vulnerabilities through public GitHub issues.
-
Instead, please create a new issue with the title "Security Vulnerability Report" and mark it as confidential.
-
Include the following information in your report:
- Type of vulnerability (e.g., buffer overflow, SQL injection, cross-site scripting, etc.)
- Full paths of source file(s) related to the manifestation of the vulnerability
- The location of the affected source code (tag/branch/commit or direct URL)
- Any special configuration required to reproduce the issue
- Step-by-step instructions to reproduce the issue
- Proof-of-concept or exploit code (if possible)
- Impact of the vulnerability, including how an attacker might exploit it
-
Allow up to 72 hours for an initial response to your report. We may ask for additional information or guidance.
- We will acknowledge receipt of your vulnerability report within 72 hours
- We will provide a more detailed response within 7 days, indicating the next steps in handling your report
- We will keep you informed about our progress throughout the process
- We will notify you when the reported vulnerability is fixed, and may ask you to verify the solution
- We follow a coordinated disclosure process. We ask that you do not share or publicize the vulnerability until we have had the opportunity to address it
- We will work with you to determine an appropriate disclosure timeline once the vulnerability has been confirmed and mitigated
- Security updates will be released as part of our regular update process
- We will announce security vulnerabilities and their fixes through our GitHub repository's release notes
This security policy applies to the latest stable release of Contentstack Bridge and its official extensions.
Thank you for helping to keep Contentstack Bridge and its users safe!