cim/zitadel-oidc
5
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
zitadel-oidc/SECURITY.md
Tim Möhlmann 0c50229fad chore: update remaining 2.11 references to 2.12
2024-01-05 18:45:00 +02:00

2.1 KiB
Raw Permalink Blame History

Security Policy

At ZITADEL we are extremely grateful for security aware people that disclose vulnerabilities to us and the open source community. All reports will be investigated by our team.

Supported Versions

We currently support the following version of the OIDC framework:

Version Supported Branch Details
0.x.x not maintained
<2.12 not maintained
2.12.x 🔒 ⚠️ 2.12.x security only, community effort
3.x.x ✔️ main supported
4.0.0-xx next [development branch]

Reporting a vulnerability

To file a incident, please disclose by email to security@zitadel.com with the security details.

At the moment GPG encryption is no yet supported, however you may sign your message at will.

When should I report a vulnerability

  • You think you discovered a ...
    • ... potential security vulnerability in the SDK
    • ... vulnerability in another project that this SDK bases on
  • For projects with their own vulnerability reporting and disclosure process, please report it directly there

When should I NOT report a vulnerability

  • You need help applying security related updates
  • Your issue is not security related

Security Vulnerability Response

TBD

Public Disclosure

All accepted and mitigated vulnerabilities will be published on the Github Security Page

Timing

We think it is crucial to publish advisories ASAP as mitigations are ready. But due to the unknown nature of the disclosures the time frame can range from 7 to 90 days.