2.5 KiB
Security
Authelia takes security very seriously. We follow the rule of responsible disclosure, and we urge our community to do so as well instead of making the vulnerability public. This allows time for the security issue to be patched quickly.
If you discover a vulnerability in Authelia, please first contact one of the maintainers privately either via Matrix, Discord, or email as described in the contact options below. We urge you not to disclose the bug publicly at least until we've had a chance to fix it.
For more information about security related matters, please read the documentation.
Contact Options
Matrix
Join the Matrix Room and locate one of the maintainers. You can identify them as they are the room administrators. Alternatively you can just ask in the channel for one of the maintainers. Once you've made contact we ask you privately message the maintainer to communicate the vulnerability.
Discord
Join the Discord Server and message the #support chat which links to Matrix and contact a maintainer.
You can contact any of the maintainers for security vulnerability related issues by emailing security@authelia.com. This email is strictly reserved for security and vulnerability disclosure related matters. If you need to contact us for any other reason please use team@authelia.com or another contact option.
Credit
Users who report bugs will optionally be creditted for the discovery. Both in the security advisory and in our all contributors configuration.
Process
- User privately reports a potential vulnerability.
- The maintainers review the report and ascertain if additional information is required.
- The maintainers reproduce the bug.
- The bug is patched, and if possible the user reporting te bug is given access to a fixed version or git patch.
- The fix is confirmed to resolve the vulnerability.
- The fix is released.
- The security advisory is published sometime after users have had a chance to update.