# Security Policy

At CAOS we are extremely grateful to security-aware people who disclose vulnerabilities to us and to the open source community. All reports will be investigated by our team.

## Supported Versions

| Version | Supported          |
| ------- | ------------------ |
| 1.x.x   | :white_check_mark: |
| 0.x.x   | :x:                |

## Reporting a vulnerability

To report a vulnerability, please disclose it by e-mail to security@zitadel.ch, including the details of the vulnerability (for example the affected version, steps to reproduce and the impact you expect).

At the moment GPG encryption is not yet supported, but you may sign your message if you wish.

### When should I report a vulnerability

* You think you have discovered a
  * potential security vulnerability in `ZITADEL`
  * vulnerability in another project that `ZITADEL` is based on
* If that other project has its own vulnerability reporting and disclosure process, please report the issue directly there

### When should I NOT report a vulnerability

* You need help applying security-related updates
* Your issue is not security-related

## Security Vulnerability Response

TBD

## Public Disclosure

All accepted and mitigated vulnerabilities will be published on [ZITADEL's GitHub Security Page](https://github.com/caos/zitadel/security/advisories).

### Timing

We think it is crucial to publish advisories as soon as mitigations are ready. However, because each disclosure differs in complexity and impact, the time frame can range from 7 to 90 days.