In this section, we describe the security processes followed for the submission of security issues related to CrafterCMS projects.
Important Security Considerations
CrafterCMS is a platform for developing content rich applications, which includes developing code and deploying
it to servers. CrafterCMS provides for a server-side sandbox (Groovy Sandbox – based on Jenkins’
Groovy Sandbox: https://github.com/jenkinsci/groovy-sandbox) to limit what these server-side applications can do
on a server. A user with access to Crafter Studio (with a sufficiently priveleged role) or with access to the git
repository of a site can develop server-side code and deploy it. The sandbox will limit and restirct what can be
executed on a server and is configurable to allow more access as needed. Nonetheless, Enterprises should consider
having a series of environments, typically:
Prod where code gets developed and validated
in the lower environments before pushing up. This is fully supported by CrafterCMS and the underlying git
repository makes it easy.
Submitting Security Issues
We request that customers, implementation partners, bounty-hunters, and users report security issues privately by emailing firstname.lastname@example.org or via the support portal (for customers and partners).
Security Issue Workflow
Upon submission of a security issue
- You’ll receive an acknowledgement indicating receipt of submission
- You’ll receive a timeframe for the triage of the issue to determine if there is a vulnerability
- You’ll be invited to an advisory issue tracker to track the progress through the embargo period
- CrafterCMS has a dedicated CNA and an appropriate CVE will be issued there