Clarity is an open source design system that brings together UX guidelines, design resources, and coding implementations with Web Components. This repository includes everything you need to build, customize, test, and deploy Clarity. For complete documentation, visit the Clarity website.

The community has adopted this security disclosure and response policy to ensure we responsibly handle critical issues.

Supported versions can be found at Clarity Support Policies.

Security issues can be reported by emailing Clarity Security.

Security is of the highest importance and all security vulnerabilities or suspected security vulnerabilities should be reported to Clarity Angular privately, to minimize attacks against current users of Clarity Angular before they are fixed. Vulnerabilities will be investigated and patched on the next patch (or minor) release as soon as possible. This information could be kept entirely internal to the project.

IMPORTANT: Do not use the GitHub issue tracker to submit information about security vulnerabilities.

To report a vulnerability or a security-related issue, please contact the before mentioned email address with the details of the vulnerability. The email will be fielded by the Clarity Security Team. Emails will be addressed within 5 business days, including a detailed plan to investigate the issue and any potential workarounds to perform in the meantime. Do not report non-security-impacting bugs through this channel. Use GitHub issues instead.

Provide a descriptive subject line and in the body of the email include the following information:

• Basic identity information, such as your name and your affiliation or company.
• Detailed steps to reproduce the vulnerability (POC scripts, screenshots, and logs are all helpful to us).
• Description of the effects of the vulnerability on Clarity Angular and the related hardware and software configurations.
• How the vulnerability affects Clarity Angular usage and an estimation of the attack surface, if there is one.
• List other projects or dependencies that were used in conjunction with Clarity Angular to produce the vulnerability.

• When you think Clarity Angular has a potential security vulnerability.
• When you suspect a security vulnerability, but you are unsure it impacts Clarity Angular.
• When you know or suspect of a potential vulnerability on another project that is used by Clarity Angular.

After receipt of a vulnerability report, the team will triage the reported issue and determine its severity before providing feedback to the reporter of the vulnerability and working with them to fix the issue. Reporters should expect a response within 5 business days. At this point the reporter may be invited to a GitHub security advisory to privately discuss and test a fix.