authelia/SECURITY.md

64 lines
3.3 KiB
Markdown

# Security Policy
## Prologue
Authelia takes security very seriously. We follow the rule of
[responsible disclosure](https://en.wikipedia.org/wiki/Responsible_disclosure), and we urge our community to do so as
well instead of making the vulnerability public. This allows time for the security issue to be patched quickly.
If you discover a vulnerability in Authelia, please first contact one of the maintainers privately either via
[Matrix](#matrix), [Discord](#discord), or [email](#email) as described in the [contact options](#contact-options)
below. We urge you not to disclose the bug publicly at least until we've had a chance to fix it.
For more information about [security](https://www.authelia.com/docs/security/) related matters, please read
[the documentation](https://www.authelia.com/docs/security/).
## Contact Options
### Matrix
Join the [Matrix Space](https://app.element.io/#/room/!qcxpPdXBiGBSTbFAJE:matrix.org?via=matrix.org) which
includes both the [Support Room](https://riot.im/app/#/room/#authelia:matrix.org) and the
[Contributing Room](https://riot.im/app/#/room/#authelia-contributing:matrix.org). You can check the members list for
one of the core team members who are identified as administrators in the rooms and space, alternatively you can just ask
for one of the core team members in one of the rooms. Once you've made contact with a core team member we ask you
privately message them to divulge the vulnerability.
### Discord
Join the [Discord Server](https://discord.authelia.com) and message the
[#support](https://discord.com/channels/707844280412012608/707844280412012612) or
[#contributing](https://discord.com/channels/707844280412012608/804943261265297408) channels which link to
[Matrix](#matrix) and contact a core team member. Once you've made contact with a core team member we ask you privately
message them to divulge the vulnerability.
### Email
You can contact any of the core team members for security vulnerability related issues by emailing
[security@authelia.com](mailto:security@authelia.com). This email is strictly reserved for security and vulnerability
disclosure related matters. If you need to contact us for any other reason please use
[team@authelia.com](mailto:team@authelia.com) or another [contact option](#contact-options).
## Credit
Users who report bugs will optionally be creditted for the discovery. Both in the
[security advisory](https://github.com/authelia/authelia/security/advisories) and in our all contributors configuration.
## Process
1. User privately reports a potential vulnerability.
2. The core team reviews the report and ascertain if additional information is required.
3. The core team reproduces the bug.
4. The bug is patched, and if possible the user reporting te bug is given access to a fixed version or git patch.
5. The fix is confirmed to resolve the vulnerability.
6. The fix is released.
7. The [security advisory](https://github.com/authelia/authelia/security/advisories) is published sometime after users
have had a chance to update.
## Help Wanted
We are actively looking for sponsorship to obtain either a code security audit, penetration testing, or other audits
related to improving the security of Authelia. If your company or you personally are willing to offer discounts, pro
bono, or funding towards services like these please feel free to contact us on *any* of the methods above.