mirror of
https://github.com/0rangebananaspy/authelia.git
synced 2024-09-14 22:47:21 +07:00
c555c10496
* docs: add matrix space information and update readme We recently created a Matrix Space which includes both the original room, and a new contributing room. This commit also performs some basic housekeeping on the README.md, including but not limited to: factorizing the security section, adjusting the main description, clearly outlining areas where help is wanted, adding information related to the helm chart, adding more details in the features summary, grammar, and misc other changes. * docs: update security to be in line with the readme
64 lines
3.3 KiB
Markdown
# Security Policy

## Prologue

Authelia takes security very seriously. We follow the rule of [responsible disclosure](https://en.wikipedia.org/wiki/Responsible_disclosure), and we urge our community to do so as well instead of making the vulnerability public. This allows time for the security issue to be patched quickly.

If you discover a vulnerability in Authelia, please first contact one of the maintainers privately, either via [Matrix](#matrix), [Discord](#discord), or [email](#email) as described in the [contact options](#contact-options) below. We urge you not to disclose the bug publicly, at least until we've had a chance to fix it.

For more information about [security](https://www.authelia.com/docs/security/) related matters, please read [the documentation](https://www.authelia.com/docs/security/).

## Contact Options

### Matrix

Join the [Matrix Space](https://app.element.io/#/room/!qcxpPdXBiGBSTbFAJE:matrix.org?via=matrix.org), which includes both the [Support Room](https://riot.im/app/#/room/#authelia:matrix.org) and the [Contributing Room](https://riot.im/app/#/room/#authelia-contributing:matrix.org). You can check the members list for one of the core team members, who are identified as administrators in the rooms and the space; alternatively, you can simply ask for a core team member in one of the rooms. Once you've made contact with a core team member, we ask that you privately message them to divulge the vulnerability.

### Discord

Join the [Discord Server](https://discord.authelia.com) and message the [#support](https://discord.com/channels/707844280412012608/707844280412012612) or [#contributing](https://discord.com/channels/707844280412012608/804943261265297408) channels, which are bridged to [Matrix](#matrix), and contact a core team member. Once you've made contact with a core team member, we ask that you privately message them to divulge the vulnerability.

### Email

You can contact any of the core team members about security vulnerability related issues by emailing [security@authelia.com](mailto:security@authelia.com). This email is strictly reserved for security and vulnerability disclosure related matters. If you need to contact us for any other reason, please use [team@authelia.com](mailto:team@authelia.com) or another [contact option](#contact-options).

## Credit

Users who report bugs will optionally be credited for the discovery, both in the [security advisory](https://github.com/authelia/authelia/security/advisories) and in our all-contributors configuration.

## Process

1. The user privately reports a potential vulnerability.
2. The core team reviews the report and ascertains whether additional information is required.
3. The core team reproduces the bug.
4. The bug is patched, and if possible the user reporting the bug is given access to a fixed version or a git patch.
5. The fix is confirmed to resolve the vulnerability.
6. The fix is released.
7. The [security advisory](https://github.com/authelia/authelia/security/advisories) is published some time after users have had a chance to update.

## Help Wanted

We are actively looking for sponsorship to obtain a code security audit, penetration testing, or other audits related to improving the security of Authelia. If your company or you personally are willing to offer discounts, pro bono work, or funding towards services like these, please feel free to contact us via *any* of the contact options above.