zitadel/SECURITY.md
Florian Forster 1cbcd57c47
refactor: Version 1
BREAKING CHANGE: Version 1
2021-04-20 14:04:02 +02:00

1.4 KiB

Security Policy

At CAOS we are extremely grateful for security aware people who disclose vulnerabilities to us and the open source community. All reports will be investigated by our team.

Supported Versions

Version Supported
1.x.x
0.x.x

Reporting a vulnerability

To file an incident, please disclose it by e-mail to security@zitadel.ch including the details of the vulnerability.

At the moment GPG encryption is no yet supported, however you may sign your message at will.

When should I report a vulnerability

  • You think you discovered a
    • potential security vulnerability in ZITADEL
    • vulnerability in another project that ZITADEL is based on
  • For projects with their own vulnerability reporting and disclosure process, please report it directly there

When should I NOT report a vulnerability

  • You need help applying security related updates
  • Your issue is not security related

Security Vulnerability Response

TBD

Public Disclosure

All accepted and mitigated vulnerabilities will be published on ZITADEL's GitHub Security Page.

Timing

We think it is crucial to publish advisories ASAP as mitigations are ready. But due to the unknown nature of the discloures the time frame can range from 7 to 90 days.