parent b17f0695ee
commit 89a5710b04
1 changed file with 25 additions and 21 deletions

SECURITY.md (46 lines changed)
@@ -1,26 +1,30 @@
 # Security Policy
 
+The Keycloak team takes security very seriously, and aim to resolve issues as quickly as possible. Building secure
+software is a continuous process, and can always be improved. As such we welcome reports on potential security
+vulnerabilities, as well as suggestions around hardening the software and our process.
+
+## Reporting a suspected vulnerability
+
+It is important that suspected vulnerabilities are disclosed in a responsible way, and are not publicly disclosed until
+after they have been analysed and a fix is available.
+
+To report a security vulnerability, send an email to keycloak-security@googlegroups.com.
+
+If you would like to work with us on a fix for the security vulnerability, please include your GitHub username
+in the above email, and we will provide you access to a temporary private fork where we can collaborate on a fix
+without it being disclosed publicly.
+
+Do *not* open a public issue, send a pull request, or disclose any information about the suspected vulnerability publicly.
+If you discover any publicly disclosed security vulnerabilities, please notify us *immediately* through
+keycloak-security@googlegroups.com.
+
 ## Supported Versions
 
-To receive fixes for security vulnerabilities it is required to always upgrade to the latest version of Keycloak.
-See https://www.keycloak.org/downloads for the latest release.
+Depending on the severity of a vulnerability the issue may be fixed in the current `major.minor` release of Keycloak, or
+for lower severity vulnerabilities or hardening in the following `major.minor` release. Refer to
+`https://www.keycloak.org/downloads` to find the latest release.
 
-Fixes will only be released for previous releases under special circumstances.
-
-## Reporting a Vulnerability
-
-To report a security vulnerability:
-
-You can report a security vulnerability either through email, or in our issue tracker. If you are uncertain what you have
-discovered is a vulnerability or you believe it is a critical issue please report using email (or both).
-
-To report through email send an email to keycloak-security@googlegroups.com.
-
-To report through issue tracker:
-
-* Go to https://issues.jboss.org/browse/KEYCLOAK
-* Create a new issue in the Keycloak project
-* Make sure the "This issue is security relevant" checkbox is checked
-
-If you have a patch for the issue please use `git format-patch` and attach to the email or issue. Please do not open a
-pull request on GitHub as that may disclose sensitive details around the vulnerability.
+If you are unable to regularly upgrade Keycloak we encourage you to consider
+[Red Hat Single Sign-On](https://access.redhat.com/products/red-hat-single-sign-on), which offers
+[long term support](https://access.redhat.com/support/policy/updates/jboss_notes#p_sso) of specific versions of Keycloak.
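Review bot: the new "Reporting a suspected vulnerability" section asks reporters to withhold disclosure "until after they have been analysed and a fix is available" but states no acknowledgement or response timeframe and no maximum embargo, so a reporter has nothing to hold the project to and no stated way to escalate if an email goes unanswered; consider adding an expected first-response time and an escalation path. The only channel given is a plain address at googlegroups.com with no published key or other means of sending an encrypted report, which is worth stating explicitly one way or the other for a page that asks people to send exploit details. Two smaller points in the same hunk: in the Supported Versions paragraph the download URL is now wrapped in backticks (`https://www.keycloak.org/downloads`), which renders as inline code rather than a link, whereas the removed line and the two Red Hat references use a bare or Markdown link, so drop the backticks or write it as [keycloak.org/downloads](https://www.keycloak.org/downloads); and "The Keycloak team takes security very seriously, and aim to resolve issues" should read "aims".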