49 lines
2.5 KiB
Markdown
49 lines
2.5 KiB
Markdown
# Security
|
|
|
|
Authelia takes security very seriously. We follow the rule of
|
|
[responsible disclosure](https://en.wikipedia.org/wiki/Responsible_disclosure), and we urge our community to do so as
|
|
well instead of making the vulnerability public. This allows time for the security issue to be patched quickly.
|
|
|
|
If you discover a vulnerability in Authelia, please first contact one of the maintainers privately either via
|
|
[Matrix](#matrix), [Discord](#discord), or [email](#email) as described in the [contact options](#contact-options)
|
|
below. We urge you not to disclose the bug publicly at least until we've had a chance to fix it.
|
|
|
|
For more information about [security](https://www.authelia.com/docs/security/) related matters, please read
|
|
[the documentation](https://www.authelia.com/docs/security/).
|
|
|
|
## Contact Options
|
|
|
|
### Matrix
|
|
|
|
Join the [Matrix Room](https://riot.im/app/#/room/#authelia:matrix.org) and locate one of the maintainers.
|
|
You can identify them as they are the room administrators. Alternatively you can just ask in the channel for one of the
|
|
maintainers. Once you've made contact we ask you privately message the maintainer to communicate the vulnerability.
|
|
|
|
### Discord
|
|
|
|
Join the [Discord Server](https://discord.authelia.com) and message the
|
|
[#support](https://discord.com/channels/707844280412012608/707844280412012612) chat which links to [Matrix](#matrix)
|
|
and contact a maintainer.
|
|
|
|
### Email
|
|
|
|
You can contact any of the maintainers for security vulnerability related issues by emailing
|
|
[security@authelia.com](mailto:security@authelia.com). This email is strictly reserved for security and vulnerability
|
|
disclosure related matters. If you need to contact us for any other reason please use
|
|
[team@authelia.com](mailto:team@authelia.com) or another [contact option](#contact-options).
|
|
|
|
## Credit
|
|
|
|
Users who report bugs will optionally be creditted for the discovery. Both in the
|
|
[security advisory](https://github.com/authelia/authelia/security/advisories) and in our all contributors configuration.
|
|
|
|
## Process
|
|
|
|
1. User privately reports a potential vulnerability.
|
|
2. The maintainers review the report and ascertain if additional information is required.
|
|
3. The maintainers reproduce the bug.
|
|
4. The bug is patched, and if possible the user reporting te bug is given access to a fixed version or git patch.
|
|
5. The fix is confirmed to resolve the vulnerability.
|
|
6. The fix is released.
|
|
7. The [security advisory](https://github.com/authelia/authelia/security/advisories) is published sometime after users
|
|
have had a chance to update. |