From c5de7e3b3b2f6335e5dab4d72bb97c15ff80f627 Mon Sep 17 00:00:00 2001 From: Martin Jagodic Date: Fri, 13 Feb 2026 11:51:14 +0100 Subject: [PATCH 1/4] chore: add SECURITY.md --- SECURITY.md | 71 +++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 71 insertions(+) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 000000000000..0ceabf313d58 --- /dev/null +++ b/SECURITY.md 
@@ -0,0 +1,71 @@ +# Security Policy + +Decap CMS takes security seriously. This document outlines our security policy, supported versions, and how to report security vulnerabilities. + +## Supported Versions + +Security updates are provided for: + +| Version | Status | Lifecycle | +|---------|--------|-----------| +| 3.x | ✅ Actively Supported | Current stable release | +| 2.x (Netlify CMS) | ❌ Unsupported | Legacy - no updates | +| 1.x (Netlify CMS) | ❌ Unsupported | Legacy - no updates | + +**Note:** Decap CMS was renamed from Netlify CMS in February 2023. Versions 1.x and 2.x are no longer maintained. We recommend upgrading to version 3.x for security updates and new features. + +## Reporting a Vulnerability + +If you discover a security vulnerability in Decap CMS, please report it **confidentially** through our dedicated reporting process. + +**Submit your report at:** https://decapcms.org/report-vulnerability + +Please include the following information: + +- **Vulnerability Title**: Brief summary of the issue +- **Description**: Detailed explanation of the vulnerability +- **Affected Version(s)**: Which version(s) of Decap CMS are affected +- **Steps to Reproduce**: Clear steps to demonstrate the vulnerability (if applicable) +- **Impact Assessment**: Potential impact on users (e.g., data exposure, unauthorized access, content integrity) +- **Your Name**: For attribution and follow-up communication +- **Your Email**: Primary contact method +- **Publish Credit**: Would you like to be credited publicly when this is disclosed? + +### What NOT to Do + +- Do not open a public GitHub issue for the vulnerability +- Do not post details on social media or public forums +- Do not attempt to exploit the vulnerability beyond confirming it exists +- Do not access data beyond what's necessary to demonstrate the issue + +## Response Timeline + +This project follows a 90 day disclosure timeline. + +## Coordinated Disclosure + +We follow responsible disclosure practices: + +1. 
You submit a vulnerability report via our form +2. Our security team acknowledges receipt +3. We investigate and determine severity and scope +4. We develop a fix and prepare a security release +5. We notify you of resolution and next steps +6. We release the security update to users +7. We publish a security advisory (with your attribution, if approved) + +## Security Practices + + +- Dependabot is enabled for automated security update checks +- All code changes are tested in CI including linting +- End-to-end tests provide coverage of critical functionality +- All pull requests require code review before merging +- Passwords are not stored by Decap CMS; authentication is delegated to providers + +## Known Limitations + +- This is a **community-maintained open-source project**, not a commercial product with dedicated security resources +- Security depends on the stability and practices of underlying dependencies and backend providers +- Some vulnerabilities in dependencies may not be immediately patchable if they break backwards compatibility +- This is a project with a long history and many legacy dependencies can't be updated without significant refactoring From 4e2dfaeccd584c68dbe1506bc7df54a56afae6ad Mon Sep 17 00:00:00 2001 From: Martin Jagodic Date: Fri, 13 Feb 2026 11:55:18 +0100 Subject: [PATCH 2/4] Update SECURITY.md Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- SECURITY.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/SECURITY.md b/SECURITY.md index 0ceabf313d58..233d1fc632b1 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -40,7 +40,7 @@ Please include the following information: ## Response Timeline -This project follows a 90 day disclosure timeline. +This project follows a 90-day disclosure timeline. ## Coordinated Disclosure From fdcd656d0fc001229d5da40ebcfcfab9d86580f1 Mon Sep 17 00:00:00 2001 
From: Martin Jagodic Date: Thu, 19 Feb 2026 08:29:52 +0100 Subject: [PATCH 3/4] Apply suggestions from code review Co-authored-by: Yan <61414485+yanthomasdev@users.noreply.github.com> --- SECURITY.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index 233d1fc632b1..765e1fd91341 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -48,9 +48,9 @@ We follow responsible disclosure practices: 1. You submit a vulnerability report via our form 2. Our security team acknowledges receipt -3. We investigate and determine severity and scope +3. We investigate and determine the severity and scope 4. We develop a fix and prepare a security release -5. We notify you of resolution and next steps +5. We notify you of the resolution and next steps 6. We release the security update to users 7. We publish a security advisory (with your attribution, if approved) @@ -58,7 +58,7 @@ We follow responsible disclosure practices: - Dependabot is enabled for automated security update checks -- All code changes are tested in CI including linting +- All code changes are tested in CI, including linting - End-to-end tests provide coverage of critical functionality - All pull requests require code review before merging - Passwords are not stored by Decap CMS; authentication is delegated to providers @@ -68,4 +68,4 @@ We follow responsible disclosure practices: - This is a **community-maintained open-source project**, not a commercial product with dedicated security resources - Security depends on the stability and practices of underlying dependencies and backend providers - Some vulnerabilities in dependencies may not be immediately patchable if they break backwards compatibility -- This is a project with a long history and many legacy dependencies can't be updated without significant refactoring +- This is a project with a long history, and many legacy dependencies can't be updated without significant refactoring 
From 5527b9b8408afe67ba6f31c8c8247ad1ce850748 Mon Sep 17 00:00:00 2001 From: Martin Jagodic Date: Thu, 19 Feb 2026 15:07:34 +0100 Subject: [PATCH 4/4] fix: switch to GitHub Security Advisories for reporting --- SECURITY.md | 28 ++-------------------------- 1 file changed, 2 insertions(+), 26 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index 765e1fd91341..980f13977f31 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -16,20 +16,9 @@ Security updates are provided for: ## Reporting a Vulnerability -If you discover a security vulnerability in Decap CMS, please report it **confidentially** through our dedicated reporting process. +If you discover a security vulnerability in Decap CMS, please report it **confidentially** through GitHub Security Advisories. This allows us to investigate and address the issue without exposing it to the public until a fix is ready. -**Submit your report at:** https://decapcms.org/report-vulnerability - -Please include the following information: - -- **Vulnerability Title**: Brief summary of the issue -- **Description**: Detailed explanation of the vulnerability -- **Affected Version(s)**: Which version(s) of Decap CMS are affected -- **Steps to Reproduce**: Clear steps to demonstrate the vulnerability (if applicable) -- **Impact Assessment**: Potential impact on users (e.g., data exposure, unauthorized access, content integrity) -- **Your Name**: For attribution and follow-up communication -- **Your Email**: Primary contact method -- **Publish Credit**: Would you like to be credited publicly when this is disclosed? +**Submit your report at:** https://github.com/decaporg/decap-cms/security/advisories/new ### What NOT to Do 
@@ -42,21 +31,8 @@ Please include the following information: This project follows a 90-day disclosure timeline. -## Coordinated Disclosure - -We follow responsible disclosure practices: - -1. You submit a vulnerability report via our form -2. Our security team acknowledges receipt -3. We investigate and determine the severity and scope -4. We develop a fix and prepare a security release -5. We notify you of the resolution and next steps -6. We release the security update to users -7. We publish a security advisory (with your attribution, if approved) - ## Security Practices - - Dependabot is enabled for automated security update checks - All code changes are tested in CI, including linting - End-to-end tests provide coverage of critical functionality
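Review bot: in the first patch (the hunk creating SECURITY.md), the `## Response Timeline` section consists of the single sentence "This project follows a 90 day disclosure timeline" and does not say when the 90 days start (receipt of the report, or confirmation of the issue) or what the reporter should expect before then; suggest stating the start point explicitly and adding an acknowledgment target, e.g. "We aim to acknowledge reports within N business days of submission" with a real number in place of N, so the numbered Coordinated Disclosure steps that follow have some timing attached. Minor style point in the same hunk: `## Security Practices` is followed by two blank lines where the other headings use one (the fourth patch later removes the extra one).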
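Review bot: in the first hunk of the fourth patch, the new link https://github.com/decaporg/decap-cms/security/advisories/new only serves as a reporting channel for outside reporters if private vulnerability reporting is enabled in the repository's security settings; without that, the form is not available to non-maintainers, so confirm it is switched on before this merges, and consider keeping a fallback contact for reporters who have no GitHub account. The same hunk also deletes the "Please include the following information" list, which loses the explicit request for affected versions, reproduction steps and an impact assessment; the GitHub form collects some of this, but a short list of what helps triage (affected version, steps to reproduce, impact) is worth retaining under the new link.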
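Review bot: in the second hunk of the fourth patch, removing the whole `## Coordinated Disclosure` section leaves `## Response Timeline` with only the 90-day sentence and drops the commitments that a report is acknowledged, that a fix and a security advisory are published, and that the reporter is credited if they wish; GitHub Security Advisories support listing credits, so those commitments still hold and should remain visible. Suggest folding condensed versions of steps 2, 6 and 7 ("Our security team acknowledges receipt", "We release the security update to users", "We publish a security advisory (with your attribution, if approved)") into the Response Timeline section rather than deleting them.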