2021-06-06 12:53:28 +07:00
|
|
|
# Security Policy
|
|
|
|
|
|
|
|
## Prologue
|
2020-04-24 07:29:30 +07:00
|
|
|
|
2021-06-01 11:11:33 +07:00
|
|
|
Authelia takes security very seriously. We follow the rule of
|
|
|
|
[responsible disclosure](https://en.wikipedia.org/wiki/Responsible_disclosure), and we urge our community to do so as
|
|
|
|
well instead of making the vulnerability public. This allows time for the security issue to be patched quickly.
|
2020-04-24 07:29:30 +07:00
|
|
|
|
2021-06-01 11:11:33 +07:00
|
|
|
If you discover a vulnerability in Authelia, please first contact one of the maintainers privately either via
|
|
|
|
[Matrix](#matrix), [Discord](#discord), or [email](#email) as described in the [contact options](#contact-options)
|
|
|
|
below. We urge you not to disclose the bug publicly at least until we've had a chance to fix it.
|
2020-04-24 07:29:30 +07:00
|
|
|
|
2021-06-01 11:11:33 +07:00
|
|
|
For more information about [security](https://www.authelia.com/docs/security/) related matters, please read
|
|
|
|
[the documentation](https://www.authelia.com/docs/security/).
|
2020-05-05 02:39:25 +07:00
|
|
|
|
|
|
|
## Contact Options
|
|
|
|
|
|
|
|
### Matrix
|
|
|
|
|
2021-06-06 12:53:28 +07:00
|
|
|
Join the [Matrix Space](https://app.element.io/#/room/!qcxpPdXBiGBSTbFAJE:matrix.org?via=matrix.org) which
|
|
|
|
includes both the [Support Room](https://riot.im/app/#/room/#authelia:matrix.org) and the
|
|
|
|
[Contributing Room](https://riot.im/app/#/room/#authelia-contributing:matrix.org). You can check the members list for
|
|
|
|
one of the core team members who are identified as administrators in the rooms and space, alternatively you can just ask
|
|
|
|
for one of the core team members in one of the rooms. Once you've made contact with a core team member we ask you
|
|
|
|
privately message them to divulge the vulnerability.
|
2020-05-05 02:39:25 +07:00
|
|
|
|
2021-01-30 15:29:07 +07:00
|
|
|
### Discord
|
|
|
|
|
|
|
|
Join the [Discord Server](https://discord.authelia.com) and message the
|
2021-06-06 12:53:28 +07:00
|
|
|
[#support](https://discord.com/channels/707844280412012608/707844280412012612) or
|
|
|
|
[#contributing](https://discord.com/channels/707844280412012608/804943261265297408) channels which link to
|
|
|
|
[Matrix](#matrix) and contact a core team member. Once you've made contact with a core team member we ask you privately
|
|
|
|
message them to divulge the vulnerability.
|
2021-01-30 15:29:07 +07:00
|
|
|
|
2020-05-05 02:39:25 +07:00
|
|
|
### Email
|
|
|
|
|
2021-06-06 12:53:28 +07:00
|
|
|
You can contact any of the core team members for security vulnerability related issues by emailing
|
2020-05-05 02:39:25 +07:00
|
|
|
[security@authelia.com](mailto:security@authelia.com). This email is strictly reserved for security and vulnerability
|
2021-06-01 11:11:33 +07:00
|
|
|
disclosure related matters. If you need to contact us for any other reason please use
|
|
|
|
[team@authelia.com](mailto:team@authelia.com) or another [contact option](#contact-options).
|
|
|
|
|
|
|
|
## Credit
|
|
|
|
|
|
|
|
Users who report bugs will optionally be creditted for the discovery. Both in the
|
|
|
|
[security advisory](https://github.com/authelia/authelia/security/advisories) and in our all contributors configuration.
|
|
|
|
|
|
|
|
## Process
|
|
|
|
|
|
|
|
1. User privately reports a potential vulnerability.
|
2021-06-06 12:53:28 +07:00
|
|
|
2. The core team reviews the report and ascertain if additional information is required.
|
|
|
|
3. The core team reproduces the bug.
|
2021-06-01 11:11:33 +07:00
|
|
|
4. The bug is patched, and if possible the user reporting te bug is given access to a fixed version or git patch.
|
|
|
|
5. The fix is confirmed to resolve the vulnerability.
|
|
|
|
6. The fix is released.
|
|
|
|
7. The [security advisory](https://github.com/authelia/authelia/security/advisories) is published sometime after users
|
2021-06-06 12:53:28 +07:00
|
|
|
have had a chance to update.
|
|
|
|
|
|
|
|
## Help Wanted
|
|
|
|
|
|
|
|
We are actively looking for sponsorship to obtain either a code security audit, penetration testing, or other audits
|
|
|
|
related to improving the security of Authelia. If your company or you personally are willing to offer discounts, pro
|
|
|
|
bono, or funding towards services like these please feel free to contact us on *any* of the methods above.
|
|
|
|
|