Do not report vulnerabilities in public issues or discussions.
Preferred path: open a private GitHub Security Advisory:
https://github.com/AotterClam/clam-cms/security/advisories/new
Fallback contact: phsu@aotter.net.
Include:
- affected package, starter, or deployed surface,
- reproduction steps,
- expected impact,
- whether credentials, tokens, user data, content data, or deployment resources are involved,
- any temporary mitigation you already applied.
Response targets:
- Acknowledgement target: 3 business days.
- Initial triage target: 7 business days.
- Fix and disclosure timing depends on severity, exploitability, and release status.
These are targets, not contractual SLAs.
Until v0.1.0, only the active develop line and the latest alpha are considered supported for security fixes.
After v0.1.0, this file must be updated with the supported release window.
Security-sensitive areas include:
- HTTP request handling,
- MCP endpoints,
- auth and session handling,
- staff role and permission enforcement,
- D1 / KV / asset storage boundaries,
- entry write chokepoints,
- render and content ingestion paths,
- deployment and provisioning scripts that handle credentials.
Manifest authoring is not itself a trust boundary. A consumer-provided manifest can still trigger security-relevant behavior when it affects auth predicates, public HTTP exposure, MCP tool exposure, render output, or persistence.
Once a fix is available, the maintainer may publish:
- a GitHub Security Advisory,
- release notes,
- a changelog entry,
- follow-up hardening issues without exploit detail.