* docs: add matrix space information and update readme We recently created a Matrix Space which includes both the original room, and a new contributing room. This commit also performs some basic housekeeping on the README.md, including but not limited to: factorizing the security section, adjusting the main description, clearly outlining areas where help is wanted, adding information related to the helm chart, adding more details in the features summary, grammar, and misc other changes. * docs: update security to be in line with the readme
3.3 KiB
Security Policy
Prologue
Authelia takes security very seriously. We follow the rule of responsible disclosure, and we urge our community to do so as well instead of making the vulnerability public. This allows time for the security issue to be patched quickly.
If you discover a vulnerability in Authelia, please first contact one of the maintainers privately either via Matrix, Discord, or email as described in the contact options below. We urge you not to disclose the bug publicly at least until we've had a chance to fix it.
For more information about security related matters, please read the documentation.
Contact Options
Matrix
Join the Matrix Space which includes both the Support Room and the Contributing Room. You can check the members list for one of the core team members who are identified as administrators in the rooms and space, alternatively you can just ask for one of the core team members in one of the rooms. Once you've made contact with a core team member we ask you privately message them to divulge the vulnerability.
Discord
Join the Discord Server and message the #support or #contributing channels which link to Matrix and contact a core team member. Once you've made contact with a core team member we ask you privately message them to divulge the vulnerability.
You can contact any of the core team members for security vulnerability related issues by emailing security@authelia.com. This email is strictly reserved for security and vulnerability disclosure related matters. If you need to contact us for any other reason please use team@authelia.com or another contact option.
Credit
Users who report bugs will optionally be creditted for the discovery. Both in the security advisory and in our all contributors configuration.
Process
- User privately reports a potential vulnerability.
- The core team reviews the report and ascertain if additional information is required.
- The core team reproduces the bug.
- The bug is patched, and if possible the user reporting te bug is given access to a fixed version or git patch.
- The fix is confirmed to resolve the vulnerability.
- The fix is released.
- The security advisory is published sometime after users have had a chance to update.
Help Wanted
We are actively looking for sponsorship to obtain either a code security audit, penetration testing, or other audits related to improving the security of Authelia. If your company or you personally are willing to offer discounts, pro bono, or funding towards services like these please feel free to contact us on any of the methods above.