
Security: craftfast/craft


Security Policy

Supported Versions

Version   Supported
latest    yes

Reporting a Vulnerability

We take security seriously. If you discover a vulnerability in Craft, please do not open a public GitHub issue.

Instead, report it via one of these channels:

What to Include

Please provide as much of the following as possible:

  • A description of the vulnerability and its potential impact
  • Steps to reproduce the issue
  • Any proof-of-concept code (if applicable)
  • Your suggested fix (if you have one)

Response Timeline

  • Acknowledgement: Within 48 hours of your report
  • Initial assessment: Within 5 business days
  • Fix & disclosure: We aim to patch confirmed vulnerabilities within 30 days, coordinating disclosure timing with the reporter

Responsible Disclosure

We ask that you:

  • Give us reasonable time to investigate and patch before any public disclosure
  • Avoid accessing or modifying other users' data during research
  • Act in good faith and not disrupt the service

We will publicly acknowledge reporters who disclose vulnerabilities responsibly (unless you prefer to remain anonymous).

Scope

The following are in scope:

  • apps/app — The main Craft application
  • apps/admin — The admin panel
  • packages/* — Shared packages
  • prisma/schema.prisma — Database schema
  • Authentication and authorization flows
  • API endpoints and data validation

The following are out of scope:

  • apps/www, apps/blog, apps/docs — Marketing/docs sites (low-risk, static-ish)
  • Third-party dependencies (report these upstream)
  • Denial-of-service attacks
  • Social engineering attacks

Security Best Practices for Self-Hosters

If you're running Craft yourself:

  1. Set strong, unique values for BETTER_AUTH_SECRET, INTERNAL_API_SECRET, CRON_SECRET, and ENV_VAR_ENCRYPTION_KEY
  2. Never commit .env files to version control
  3. Use environment-specific secrets in production — never reuse development credentials
  4. Keep dependencies up to date (pnpm update)
  5. Restrict database access to your application servers only
  6. Enable HTTPS in production
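Steps 1 and 2 above as a pre-flight check a self-hoster can run before deploying. This is an added example, not tooling from the Craft repository; it assumes the secrets have already been exported into the shell (for example with `set -a; . ./.env; set +a`), and the 32-character minimum and placeholder prefixes are this example's own choices.

```bash
#!/usr/bin/env bash
# Pre-flight check for a self-hosted Craft deployment: verifies that the four
# secrets named in SECURITY.md are set, long enough, not obvious placeholders
# and not reused for one another, and that .env is git-ignored. Added example.

REQUIRED_SECRETS="BETTER_AUTH_SECRET INTERNAL_API_SECRET CRON_SECRET ENV_VAR_ENCRYPTION_KEY"
MIN_LEN=32   # this example's own threshold, not a Craft requirement

# secret_is_weak VALUE -> exit 0 when VALUE is empty, shorter than MIN_LEN, or
# starts like a development placeholder (prefix list is illustrative only).
secret_is_weak() {
  local v="$1"
  [ -z "$v" ] && return 0
  [ "${#v}" -lt "$MIN_LEN" ] && return 0
  case "$v" in
    changeme*|secret*|password*|dev*|test*|example*) return 0 ;;
  esac
  return 1
}

# check_secrets -> prints one line per problem and returns the problem count
# (0 means every required secret is strong and distinct from the others).
check_secrets() {
  local problems=0 name val seen="|"
  for name in $REQUIRED_SECRETS; do
    eval "val=\${$name:-}"                 # indirect lookup of the env var
    if secret_is_weak "$val"; then
      echo "WEAK: $name is unset, shorter than $MIN_LEN chars, or a placeholder"
      problems=$((problems + 1))
    else
      case "$seen" in *"|$val|"*)          # value already used by another secret
        echo "REUSED: $name has the same value as another secret"
        problems=$((problems + 1)) ;;
      esac
    fi
    seen="$seen$val|"
  done
  return "$problems"
}

# env_file_is_ignored DIR -> exit 0 when DIR/.env is matched by a .gitignore rule
env_file_is_ignored() { git -C "$1" check-ignore -q .env; }

# generate_secret -> 48 random bytes from the OS, base64-encoded (64 chars)
generate_secret() { openssl rand -base64 48; }

# Run with --check after `set -a; . ./.env; set +a`; exits non-zero on problems.
if [ "${1:-}" = "--check" ]; then
  check_secrets; status=$?
  env_file_is_ignored . || { echo "WARN: .env is not git-ignored"; status=$((status + 1)); }
  exit "$status"
fi
```

Each reported secret can be replaced with `generate_secret` output; a production deployment should get its own values rather than the ones used in development.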

There aren’t any published security advisories