Security Policy
Prologue
The Authelia team takes security very seriously. Because Authelia is intended as a security product, many decisions are made with security as the priority, and we always aim to implement security by design.
Coordinated vulnerability disclosure
Authelia follows the coordinated vulnerability disclosure model when dealing with security vulnerabilities. This was previously known as responsible disclosure. We strongly urge anyone reporting vulnerabilities to Authelia or any other project to follow this model, as it is considered a best practice by many in the security industry.
If you believe you have identified a security vulnerability or security related bug with Authelia please make every effort to contact us privately using one of the contact options below. Please do not open an issue, do not notify us in public, and do not disclose this issue to third parties.
Using this process helps ensure that affected users have an avenue to fixing the issue as close as possible to the time the issue is made public. This mitigates the increase in attack surface (via improved attacker knowledge) that diligent administrators would otherwise face simply through the act of disclosing the security issue.
For more information about security related matters, please read the documentation.
Contact Options
Several contact options exist; however, it's important that you specifically use a security contact method when reporting a security vulnerability or security related bug. These methods are clearly documented below.
GitHub Security
Users can utilize GitHub's security vulnerability system to privately report a vulnerability. This is an easy method for users who have a GitHub account.
Email
Users can utilize the security@authelia.com email address to privately report a vulnerability. This is an easy method for users who do not have a GitHub account.
This email address is only accessible by key members of the team for the purpose of disclosing security vulnerabilities and issues within the Authelia code base.
Chat
If you wish to chat directly instead of sending an email please use either Matrix or Discord to direct / private message one of the core team members.
Please avoid this method unless absolutely necessary. We generally prefer that users use either the GitHub Security or Email option rather than this option, as those both allow multiple team members to deal with the report and prevent mistakes when contacting a core team member.
The core team members are identified in Matrix as room admins, and in Discord with the Core Team role.
Process
1. The user privately reports a potential vulnerability.
2. The report is acknowledged as received.
3. The report is reviewed to ascertain if additional information is required. If it is required:
   1. The user is informed that the additional information is required.
   2. The user privately adds the additional information.
   3. The process begins at step 3 again, proceeding to step 4 if the additional information provided is sufficient.
4. The vulnerability is reproduced.
5. The vulnerability is patched, and if possible the user reporting the bug is given access to a fixed binary, docker image, and git patch.
6. The patch is confirmed to resolve the vulnerability.
7. The fix is released.
8. The security advisory is published sometime after users have had a chance to update.
Credit
Users who report bugs will, at their discretion (i.e. they do not have to be if they wish to remain anonymous), be credited for the discovery, both in the security advisory and in our all contributors documentation.
Help wanted
We are actively looking for sponsorship to obtain security audits that comprehensively ensure the security of Authelia. As security is really important to us, we see this as one of our main financial priorities.
We believe that we should obtain the following categories of security audits:
- Code Security Audit / Analysis
- Penetration Testing
If you know of a company which performs these kinds of audits and would be willing to sponsor an audit in some way, such as doing it pro bono or at a discounted rate, or which wants to help improve Authelia in a meaningful way and is willing to make a financial contribution towards this, then please feel free to contact us.