-
Notifications
You must be signed in to change notification settings - Fork 149
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
1 changed file
with
2 additions
and
32 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,6 +1,6 @@ | ||
| # Security Policy | ||
|
|
||
| At ZITADEL we are extremely grateful for security aware people that disclose vulnerabilities to us and the open source community. All reports will be investigated by our team. | ||
| Please refer to the security policy [on zitadel/zitadel](https://github.com/zitadel/zitadel/blob/main/SECURITY.md) which is applicable for all open source repositories of our organization. | ||
|
|
||
| ## Supported Versions | ||
|
|
||
|
|
@@ -18,34 +18,4 @@ We currently support the following version of the OIDC framework: | |
| [2]: https://github.com/zitadel/oidc/discussions/378 | ||
| [3]: https://github.com/zitadel/oidc/tree/main | ||
| [4]: https://github.com/zitadel/oidc/tree/next | ||
| [5]: https://github.com/zitadel/oidc/milestone/2 | ||
|
|
||
| ## Reporting a vulnerability | ||
|
|
||
| To file a incident, please disclose by email to [email protected] with the security details. | ||
|
|
||
| At the moment GPG encryption is no yet supported, however you may sign your message at will. | ||
|
|
||
| ### When should I report a vulnerability | ||
|
|
||
| * You think you discovered a ... | ||
| * ... potential security vulnerability in the SDK | ||
| * ... vulnerability in another project that this SDK bases on | ||
| * For projects with their own vulnerability reporting and disclosure process, please report it directly there | ||
|
|
||
| ### When should I NOT report a vulnerability | ||
|
|
||
| * You need help applying security related updates | ||
| * Your issue is not security related | ||
|
|
||
| ## Security Vulnerability Response | ||
|
|
||
| TBD | ||
|
|
||
| ## Public Disclosure | ||
|
|
||
| All accepted and mitigated vulnerabilities will be published on the [Github Security Page](https://github.com/zitadel/oidc/security/advisories) | ||
|
|
||
| ### Timing | ||
|
|
||
| We think it is crucial to publish advisories `ASAP` as mitigations are ready. But due to the unknown nature of the disclosures the time frame can range from 7 to 90 days. | ||
| [5]: https://github.com/zitadel/oidc/milestone/2 | ||