Skip to content

Latest commit

 

History

History
46 lines (28 loc) · 2.25 KB

SECURITY.md

File metadata and controls

46 lines (28 loc) · 2.25 KB

Security Policy

We greatly appreciate when security researchers and users bring vulnerabilities to our attention, as it allows us to improve Authgear's security and better serve our open source community.

Our team will quickly look into the issue you reported. We welcome working collaboratively with you to validate and address any vulnerabilities. Once the vulnerability has been confirmed, we will keep you updated on our progress fixing it.

For the safety of Authgear's users, we kindly request coordinating public disclosure of the vulnerability until a fix can be implemented. By working together closely, we can ensure users are protected while also acknowledging your valuable contribution.

We will not terminate your services or pursue legal actions for anyone following the security policy.

Scope

The scope of this policy applies to all websites and services operated by Authgear and the software in our open source repositories.

The supported version is the latest version from our stable release.

Guideline

You must not do research or testing that involves

  • Modify or destroy any data that does not belong to you
  • Accessing or attempting to access data that does not belong to you
  • Denial of service attacks
  • Load testing

Reporting a Vulnerability

To report a vulnerability, please submit it to our Advisories Portal or email to [email protected]

Please include the following details:

  • Target: Authgear Cloud, Authgear Open Sources, Other
  • Type: DoS, authentication bypass, broken authorization, etc
  • Description
  • URL/Location (Optional)

If you haven't received a response within 48 hours, please contact [email protected].

When not to report

  • Disclosure of known public files or directories, e.g. robots.txt, files under .well-known, or files that are included in our public repositories (eg, go.mod)
  • Suggestions on Certificate Authority Authorization (CAA) rules, DMARC/DKIM/SPF, DNSSEC settings
  • Lack of security flags on non-sensitive cookies

Bug Bounty

We currently do not provide monetary compensation for reporting security vulnerabilities. Please indicate in your report if you would like your contribution acknowledged—we default to keeping contributors anonymous.