48 lines
2.4 KiB
Markdown
48 lines
2.4 KiB
Markdown
# Security Policy
|
|
|
|
## Prologue
|
|
|
|
Authelia takes security very seriously. We follow the rule of
|
|
[responsible disclosure](https://en.wikipedia.org/wiki/Responsible_disclosure), and we urge our community to do so as
|
|
well instead of making the vulnerability public. This allows time for the security issue to be patched quickly.
|
|
|
|
If you discover a vulnerability in Authelia, please first contact one of the maintainers privately as described in the
|
|
[contact options](#contact-options) below.
|
|
|
|
We urge you not to disclose the bug publicly at least until we've had a
|
|
reasonable chance to fix it, and to clearly communicate any public disclosure timeline in your initial contact with us.
|
|
If you do not have a particular public disclosure timeline, we will clearly communicate ours as we publish security
|
|
advisories.
|
|
|
|
For more information about [security](https://www.authelia.com/information/security/) related matters, please read
|
|
[the documentation](https://www.authelia.com/information/security/).
|
|
|
|
## Contact Options
|
|
|
|
Several [contact options](README.md#contact-options) exist, it's important to make sure you contact the maintainers
|
|
privately which is described in each available contact method. The methods include our [security email](README.md#security),
|
|
[Matrix](README.md#matrix), and [Discord](README.md#discord).
|
|
|
|
## Credit
|
|
|
|
Users who report bugs will optionally be credited for the discovery. Both in the [security advisory] and in our
|
|
[all contributors](README.md#contribute) configuration/documentation.
|
|
|
|
## Process
|
|
|
|
1. User privately reports a potential vulnerability.
|
|
2. The core team reviews the report and ascertain if additional information is required.
|
|
3. The core team reproduces the bug.
|
|
4. The bug is patched, and if possible the user reporting te bug is given access to a fixed version or git patch.
|
|
5. The fix is confirmed to resolve the vulnerability.
|
|
6. The fix is released.
|
|
7. The [security advisory] is published sometime after users have had a chance to update.
|
|
|
|
## Help Wanted
|
|
|
|
We are actively looking for sponsorship to obtain either a code security audit, penetration testing, or other audits
|
|
related to improving the security of Authelia. If your company or you personally are willing to offer discounts, pro
|
|
bono, or funding towards services like these please feel free to contact us on *any* of the methods above.
|
|
|
|
[security advisory]: https://github.com/authelia/authelia/security/advisories
|