Skip to content

Commit 2f178e0

Browse files
committed
SECURITY.md: add a security policy and point to project-level reporting
It doesn't make sense to contact RedHat security directly unless the issue is in a RedHat product.
1 parent b3bc7da commit 2f178e0

1 file changed

Lines changed: 63 additions & 0 deletions

File tree

SECURITY.md

Lines changed: 63 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,63 @@
1+
# Security Policy
2+
3+
This document defines the security policy for go-oidc.
4+
5+
## Supported versions
6+
7+
This project supports both the v2 and v3 branches. Do not open issues for the
8+
v1 or master branches.
9+
10+
## Scope
11+
12+
This project prioritizes issues that can cause confusion, DoS, or bypasses in
13+
real-world consumers of go-oidc. Reports should generally point to specific
14+
importers of go-oidc and a Service Provider whose implementation can cause a
15+
negative outcome for the importing project.
16+
17+
This project does not consider validation that could be more stringent a
18+
vulnerability on its own, even if the code doesn't align with recommendations
19+
in the OpenID Connect specification. See the
20+
_["Verify azp claim"][azp-issue]_ issue for an example.
21+
22+
If you aren't sure if your finding qualifies, don't hesitate to reach out
23+
through one of the channels below!
24+
25+
While go-oidc does not run a bug bounty, there are projects that depend on this
26+
repo that do (given the issue impacts that project's use of go-oidc).
27+
28+
- https://kubernetes.io/docs/reference/issues-security/security/
29+
- https://hackerone.com/gitlab
30+
- See: https://pkg.go.dev/github.com/coreos/go-oidc/v3/oidc?tab=importedby
31+
32+
[azp-issue]: https://github.com/coreos/go-oidc/issues/355
33+
34+
## Reporting a Vulnerability
35+
36+
**Please do not report security vulnerabilities through public GitHub issues.**
37+
38+
Instead, report them via [GitHub's private vulnerability reporting][report-bug],
39+
or email a maintainer directly (e.g. eric.chiang.m@gmail.com).
40+
41+
Please include as much of the following as you can:
42+
43+
- Type of issue (auth bypass, audience confusion, DoS)
44+
- Affected branch and component
45+
- A reproducer or instructions for the issue
46+
- Project importing go-oidc that could be affected, if relevant
47+
- OpenID Connect Provider (Google, Auth0, Azure, etc.) that could cause the
48+
issue, if relevant
49+
50+
[report-bug]: https://github.com/coreos/go-oidc/security/advisories/new
51+
52+
## Disclosure steps
53+
54+
This project will take the following steps:
55+
56+
- Acknowledge receipt of the report
57+
- Determine severity
58+
- Prepare a fix, commit it to the affected branch, tag a new release
59+
- Publish the GitHub advisory and request a CVE
60+
61+
Note that if the issue is severe, it may require coordination with downstream
62+
projects (e.g. Kubernetes). In these cases, go-oidc reserves the right to adhere
63+
to that project's processes rather than these steps.

0 commit comments

Comments
 (0)