Kernia is authentication infrastructure. We take security reports seriously and appreciate responsible disclosure.
Kernia is pre-1.0. Security fixes land on main and ship in the next release.
Until 1.0, only the latest released minor receives fixes.
| Version | Supported |
|---|---|
| latest | ✅ |
| < latest | ❌ |
Do not open a public issue for security vulnerabilities.
Report privately via GitHub's private vulnerability reporting (Security → Advisories → Report a vulnerability), or email security@advantch.com.
Please include:
- A description of the vulnerability and its impact.
- Steps to reproduce (a minimal
KerniaOptionsconfig + request sequence is ideal). - The affected package(s) and version(s).
- Any suggested remediation.
We aim to acknowledge reports within 3 business days and to ship a fix or a mitigation plan within 30 days for confirmed high-severity issues.
In scope:
- The
kerniacore and all first-partykernia-*packages in this repository. - Cryptographic handling: cookie signing, password hashing (argon2id/scrypt), OAuth state/PKCE, JWT/JWKS issuance and verification, OAuth-token-at-rest encryption, WebAuthn attestation/assertion verification, SAML signature validation.
- Session lifecycle, CSRF / trusted-origins enforcement, rate limiting.
Out of scope:
- The
examples/reference app (demonstration only; uses an in-memory adapter and a hardcoded dev secret — never deploy it as-is). - Vulnerabilities that require a misconfiguration explicitly warned against in the docs (e.g. disabling CSRF, shipping the dev secret).
Operators should:
- Set a strong, rotated
secret(usekernia secret); see secret rotation. - Keep
trusted_originstight and leave the default CSRF check on. - Enable
account.encrypt_oauth_tokenswhen storing third-party tokens. - Run behind HTTPS so
Securecookies are honoured. - Pin Kernia and its adapters to known-good versions and watch releases.