42 lines
No EOL
1.5 KiB
Markdown
42 lines
No EOL
1.5 KiB
Markdown
# Security Policy
|
||
|
||
At @caos we are extremely grateful for security aware people that disclose vulnerabilities to us and the open source community. All reports will be investigated by our team.
|
||
|
||
## Supported Versions
|
||
|
||
After the initial Release the following version support will aplly
|
||
|
||
| Version | Supported |
|
||
| ------- | ------------------ |
|
||
| 1.x.x | :white_check_mark: (note yet available) |
|
||
| 0.x.x | :x: |
|
||
|
||
## Reporting a vulnerability
|
||
|
||
To file a incident, please disclose by email to security@caos.ch with the security details.
|
||
|
||
At the moment GPG encryption is no yet supported, however you may sign your message at will.
|
||
|
||
### When should I report a vulnerability
|
||
|
||
* You think you discovered a ...
|
||
* ... potential security vulnerability in the SDK
|
||
* ... vulnerability in another project that this SDK bases on
|
||
* For projects with their own vulnerability reporting and disclosure process, please report it directly there
|
||
|
||
### When should I NOT report a vulnerability
|
||
|
||
* You need help applying security related updates
|
||
* Your issue is not security related
|
||
|
||
## Security Vulnerability Response
|
||
|
||
TBD
|
||
|
||
## Public Disclosure
|
||
|
||
All accepted and mitigated vulnerabilitys will be published on the [Github Security Page](https://github.com/caos/oidc/security/advisories)
|
||
|
||
### Timing
|
||
|
||
We think it is crucial to publish advisories `ASAP` as mitigations are ready. But due to the unknown nature of the discloures the time frame can range from 7 to 90 days. |