zitadel/SECURITY.md

# Security Policy

At CAOS we are extremely grateful for security aware people who disclose vulnerabilities to us and the open source community. All reports will be investigated by our team.

## Supported Versions

| Version | Supported          |
| ------- | ------------------ |
| 1.x.x   | :white_check_mark: |
| 0.x.x   | :x:                |

## Reporting a vulnerability

To file an incident, please disclose it by e-mail to security@zitadel.ch including the  details of the vulnerability.

At the moment GPG encryption is no yet supported, however you may sign your message at will.

### When should I report a vulnerability

* You think you discovered a
  * potential security vulnerability in `ZITADEL`
  * vulnerability in another project that `ZITADEL` is based on
* For projects with their own vulnerability reporting and disclosure process, please report it directly there

### When should I NOT report a vulnerability

* You need help applying security related updates
* Your issue is not security related

## Security Vulnerability Response

TBD

## Public Disclosure

All accepted and mitigated vulnerabilities will be published on [ZITADEL's GitHub Security Page](https://github.com/caos/zitadel/security/advisories).

### Timing

We think it is crucial to publish advisories `ASAP` as mitigations are ready. But due to the unknown nature of the discloures the time frame can range from 7 to 90 days.
docs(readme): security policy (#19) * Create SECURITY.md * Update README.md 2020-03-20 05:30:10 +00:00			`# Security Policy`

fix(translations): improved translations (#745) * Updates up to "PROJECT" Capitalisation of headings and buttons using the rules recommended here: https://grammar.yourdictionary.com/capitalization/rules-for-capitalization-in-titles.html * Spell checking and minor improvements * only deploy docs on master * Improved reference to security repo. * Completed en.json and re-worked de.json up to "VALIDATION". * Re-work up to "MEMBERSHIP" * Completed language strings. * Updates to INVALIDPATTERN. Proposal for the message string in English and German . * Re-work of personal pronouns in German language strings. Changing de.json from "Sie" to "Du" and other improvements. * Apply suggestions from code review Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com> * Apply suggestions from code review Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com> * Update SECURITY.md Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com> * Update console/src/assets/i18n/de.json * Apply suggestions from code review * Update console/src/assets/i18n/de.json * Update console/src/assets/i18n/de.json * Update console/src/assets/i18n/en.json Co-authored-by: Florian Forster <florian@caos.ch> Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com> 2020-09-18 12:47:53 +00:00			`At CAOS we are extremely grateful for security aware people who disclose vulnerabilities to us and the open source community. All reports will be investigated by our team.`
docs(readme): security policy (#19) * Create SECURITY.md * Update README.md 2020-03-20 05:30:10 +00:00
			`## Supported Versions`

refactor: Version 1 BREAKING CHANGE: Version 1 2021-04-20 12:04:02 +00:00			`\| Version \| Supported \|`
			`\| ------- \| ------------------ \|`
			`\| 1.x.x \| :white_check_mark: \|`
			`\| 0.x.x \| :x: \|`
docs(readme): security policy (#19) * Create SECURITY.md * Update README.md 2020-03-20 05:30:10 +00:00
			`## Reporting a vulnerability`

fix(translations): improved translations (#745) * Updates up to "PROJECT" Capitalisation of headings and buttons using the rules recommended here: https://grammar.yourdictionary.com/capitalization/rules-for-capitalization-in-titles.html * Spell checking and minor improvements * only deploy docs on master * Improved reference to security repo. * Completed en.json and re-worked de.json up to "VALIDATION". * Re-work up to "MEMBERSHIP" * Completed language strings. * Updates to INVALIDPATTERN. Proposal for the message string in English and German . * Re-work of personal pronouns in German language strings. Changing de.json from "Sie" to "Du" and other improvements. * Apply suggestions from code review Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com> * Apply suggestions from code review Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com> * Update SECURITY.md Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com> * Update console/src/assets/i18n/de.json * Apply suggestions from code review * Update console/src/assets/i18n/de.json * Update console/src/assets/i18n/de.json * Update console/src/assets/i18n/en.json Co-authored-by: Florian Forster <florian@caos.ch> Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com> 2020-09-18 12:47:53 +00:00			`To file an incident, please disclose it by e-mail to security@zitadel.ch including the details of the vulnerability.`
docs(readme): security policy (#19) * Create SECURITY.md * Update README.md 2020-03-20 05:30:10 +00:00
			`At the moment GPG encryption is no yet supported, however you may sign your message at will.`

			`### When should I report a vulnerability`

fix(translations): improved translations (#745) * Updates up to "PROJECT" Capitalisation of headings and buttons using the rules recommended here: https://grammar.yourdictionary.com/capitalization/rules-for-capitalization-in-titles.html * Spell checking and minor improvements * only deploy docs on master * Improved reference to security repo. * Completed en.json and re-worked de.json up to "VALIDATION". * Re-work up to "MEMBERSHIP" * Completed language strings. * Updates to INVALIDPATTERN. Proposal for the message string in English and German . * Re-work of personal pronouns in German language strings. Changing de.json from "Sie" to "Du" and other improvements. * Apply suggestions from code review Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com> * Apply suggestions from code review Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com> * Update SECURITY.md Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com> * Update console/src/assets/i18n/de.json * Apply suggestions from code review * Update console/src/assets/i18n/de.json * Update console/src/assets/i18n/de.json * Update console/src/assets/i18n/en.json Co-authored-by: Florian Forster <florian@caos.ch> Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com> 2020-09-18 12:47:53 +00:00			`* You think you discovered a`
			* potential security vulnerability in `ZITADEL`
			* vulnerability in another project that `ZITADEL` is based on
docs(readme): security policy (#19) * Create SECURITY.md * Update README.md 2020-03-20 05:30:10 +00:00			`* For projects with their own vulnerability reporting and disclosure process, please report it directly there`

			`### When should I NOT report a vulnerability`

			`* You need help applying security related updates`
			`* Your issue is not security related`

			`## Security Vulnerability Response`

			`TBD`

			`## Public Disclosure`

fix(translations): improved translations (#745) * Updates up to "PROJECT" Capitalisation of headings and buttons using the rules recommended here: https://grammar.yourdictionary.com/capitalization/rules-for-capitalization-in-titles.html * Spell checking and minor improvements * only deploy docs on master * Improved reference to security repo. * Completed en.json and re-worked de.json up to "VALIDATION". * Re-work up to "MEMBERSHIP" * Completed language strings. * Updates to INVALIDPATTERN. Proposal for the message string in English and German . * Re-work of personal pronouns in German language strings. Changing de.json from "Sie" to "Du" and other improvements. * Apply suggestions from code review Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com> * Apply suggestions from code review Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com> * Update SECURITY.md Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com> * Update console/src/assets/i18n/de.json * Apply suggestions from code review * Update console/src/assets/i18n/de.json * Update console/src/assets/i18n/de.json * Update console/src/assets/i18n/en.json Co-authored-by: Florian Forster <florian@caos.ch> Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com> 2020-09-18 12:47:53 +00:00			`All accepted and mitigated vulnerabilities will be published on [ZITADEL's GitHub Security Page](https://github.com/caos/zitadel/security/advisories).`
docs(readme): security policy (#19) * Create SECURITY.md * Update README.md 2020-03-20 05:30:10 +00:00
			`### Timing`

			We think it is crucial to publish advisories `ASAP` as mitigations are ready. But due to the unknown nature of the discloures the time frame can range from 7 to 90 days.