|
| 1 | +# Security Policy |
| 2 | + |
| 3 | +This document defines the security policy for go-oidc. |
| 4 | + |
| 5 | +## Supported versions |
| 6 | + |
| 7 | +This project supports both the v2 and v3 branches. Do not open issues for the |
| 8 | +v1 or master branches. |
| 9 | + |
| 10 | +## Scope |
| 11 | + |
| 12 | +This project prioritizes issues that can cause confusion, DoS, or bypasses in |
| 13 | +real-world consumers of go-oidc. Reports should generally point to specific |
| 14 | +importers of go-oidc and a Service Provider whose implementation can cause a |
| 15 | +negative outcome for the importing project. |
| 16 | + |
| 17 | +This project does not consider validation that could be more stringent a |
| 18 | +vulnerability on its own, even if the code doesn't align with recommendations |
| 19 | +in the OpenID Connect specification. See the |
| 20 | +_["Verify azp claim"][azp-issue]_ issue for an example. |
| 21 | + |
| 22 | +If you aren't sure if your finding qualifies, don't hesitate to reach out |
| 23 | +through one of the channels below! |
| 24 | + |
| 25 | +While go-oidc does not run a bug bounty, there are projects that depend on this |
| 26 | +repo that do (given the issue impacts that project's use of go-oidc). |
| 27 | + |
| 28 | +- https://kubernetes.io/docs/reference/issues-security/security/ |
| 29 | +- https://hackerone.com/gitlab |
| 30 | +- See: https://pkg.go.dev/github.com/coreos/go-oidc/v3/oidc?tab=importedby |
| 31 | + |
| 32 | +[azp-issue]: https://github.com/coreos/go-oidc/issues/355 |
| 33 | + |
| 34 | +## Reporting a Vulnerability |
| 35 | + |
| 36 | +**Please do not report security vulnerabilities through public GitHub issues.** |
| 37 | + |
| 38 | +Instead, report them via [GitHub's private vulnerability reporting][report-bug], |
| 39 | +or email a maintainer directly (e.g. eric.chiang.m@gmail.com). |
| 40 | + |
| 41 | +Please include as much of the following as you can: |
| 42 | + |
| 43 | +- Type of issue (auth bypass, audience confusion, DoS) |
| 44 | +- Affected branch and component |
| 45 | +- A reproducer or instructions for the issue |
| 46 | +- Project importing go-oidc that could be affected, if relevant |
| 47 | +- OpenID Connect Provider (Google, Auth0, Azure, etc.) that could cause the |
| 48 | + issue, if relevant |
| 49 | + |
| 50 | +[report-bug]: https://github.com/coreos/go-oidc/security/advisories/new |
| 51 | + |
| 52 | +## Disclosure steps |
| 53 | + |
| 54 | +This project will take the following steps: |
| 55 | + |
| 56 | +- Acknowledge receipt of the report |
| 57 | +- Determine severity |
| 58 | +- Prepare a fix, commit it to the affected branch, tag a new release |
| 59 | +- Publish the GitHub advisory and request a CVE |
| 60 | + |
| 61 | +Note that if the issue is severe, it may require coordination with downstream |
| 62 | +projects (e.g. Kubernetes). In these cases, go-oidc reserves the right to adhere |
| 63 | +to that project's processes rather than these steps. |
0 commit comments