In this section, we describe the security processes followed for the submission of security issues related to Crafter CMS projects.
Important Security Considerations
Crafter CMS is a platform for developing content-rich applications, which includes developing code and deploying it to servers. Crafter CMS provides a server-side sandbox (Groovy Sandbox, based on Jenkins' Groovy Sandbox: https://github.com/jenkinsci/groovy-sandbox) to limit what these server-side applications can do on a server. A user with access to Crafter Studio (with a sufficiently privileged role) or with access to the git repository of a site can develop server-side code and deploy it. The sandbox limits and restricts what can be executed on a server, and it is configurable to allow more access as needed. Nonetheless, enterprises should consider having a series of environments, typically:
Prod, where code gets developed and validated in the lower environments before being pushed up. This is fully supported by Crafter CMS, and the underlying git repository makes it easy.
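To make the sandboxing point concrete, the following is an added example (not Crafter CMS code or configuration) that uses the Jenkins groovy-sandbox library referenced above directly. It registers a deny-by-default GroovyInterceptor so that a script can still do ordinary computation but is stopped from constructing or statically calling a few sensitive JDK types. The DenyFileAccess class, the BLOCKED_TYPES set and the sample script strings are assumptions made for this illustration; how Crafter CMS itself wires and configures its sandbox is not shown here.

```groovy
import org.codehaus.groovy.control.CompilerConfiguration
import org.kohsuke.groovy.sandbox.GroovyInterceptor
import org.kohsuke.groovy.sandbox.SandboxTransformer

// Hypothetical interceptor for this example: refuse to let sandboxed scripts
// create or statically call a small set of types that reach the host OS.
class DenyFileAccess extends GroovyInterceptor {
    // Constructed for the example; a real policy would be broader and driven by configuration.
    static final Set<Class> BLOCKED_TYPES = [File, ProcessBuilder, Runtime] as Set

    @Override
    Object onNewInstance(GroovyInterceptor.Invoker invoker, Class receiver, Object... args) {
        if (receiver in BLOCKED_TYPES) {
            throw new SecurityException("Sandbox: instantiating ${receiver.name} is not permitted")
        }
        return invoker.call(receiver, null, args)
    }

    @Override
    Object onStaticCall(GroovyInterceptor.Invoker invoker, Class receiver, String method, Object... args) {
        if (receiver in BLOCKED_TYPES) {
            throw new SecurityException("Sandbox: static call ${receiver.name}.${method} is not permitted")
        }
        return invoker.call(receiver, method, args)
    }
}

// The SandboxTransformer rewrites the script so every call goes through registered interceptors.
def config = new CompilerConfiguration()
config.addCompilationCustomizers(new SandboxTransformer())
def shell = new GroovyShell(config)

def interceptor = new DenyFileAccess()
interceptor.register()
try {
    // Ordinary computation is unaffected.
    assert shell.evaluate("[1, 2, 3].sum()") == 6

    // Touching the filesystem is refused before the File object even exists.
    def blocked = false
    try {
        shell.evaluate("new File('/tmp/example-secret.txt').text")   // constructed sample path
    } catch (SecurityException e) {
        blocked = true
        println "blocked: ${e.message}"
    }
    assert blocked
} finally {
    // Interceptors are thread-local; always unregister when the sandboxed work is done.
    interceptor.unregister()
}
```

The practical takeaway is the one the paragraph above makes: the sandbox only enforces whatever policy it is configured with, so loosening it for a site script widens what a Studio user or anyone with git push access to the site repository can run on the server, which is why promotion through lower environments matters.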
Submitting Security Issues
We request that customers, implementation partners, bounty hunters, and users report security issues privately by emailing firstname.lastname@example.org or via the support portal (for customers and partners).
Security Issue Workflow
Upon submission of a security issue:
You'll receive an acknowledgement indicating receipt of the submission.
You'll receive a timeframe for the triage of the issue to determine whether there is a vulnerability.
You'll be invited to an advisory issue tracker to follow progress through the embargo period.
Crafter CMS has a dedicated CNA, and an appropriate CVE will be issued there.