From 86e354dd3ad202f6224d9501d40ee5675ea907a1 Mon Sep 17 00:00:00 2001
From: ndom91
Date: Fri, 10 May 2024 15:00:24 +0200
Subject: [PATCH] chore(docs): add security.txt

---
docs/public/.well-known/security.txt | 31 ++++++++++++++++++++++++++++
docs/vercel.json | 5 +++++
2 files changed, 36 insertions(+)
create mode 100644 docs/public/.well-known/security.txt

diff --git a/docs/public/.well-known/security.txt b/docs/public/.well-known/security.txt
new file mode 100644
index 0000000000..e9c259de96
--- /dev/null
+++ b/docs/public/.well-known/security.txt
@@ -0,0 +1,31 @@
+Contact: mailto:info@balazsorban.com
+Contact: mailto:hi@thvu.dev
+Contact: mailto:authjs-security@ndo.dev
+Acknowledgments: https://authjs.dev/security
+Preferred-Languages: en
+Canonical: https://authjs.dev/.well-known/security.txt
+
+# Security Policy
+
+NextAuth.js practices responsible disclosure.
+
+## Reporting a Vulnerability
+
+We request that you contact us directly to report serious issues that might impact the security of sites using NextAuth.js.
+
+If you contact us regarding a serious issue:
+
+- We will endeavor to get back to you within 72 hours.
+- We will aim to publish a fix within 30 days.
+- We will disclose the issue (and credit you, with your consent) once a fix to resolve the issue has been released.
+- If 90 days has elapsed and we still don't have a fix, we will disclose the issue publicly.
+
+The best way to report an issue is by contacting us via email at hi@thvu.dev, info@balazsorban.com and yo@ndo.dev, or raise a public issue requesting someone get in touch with you via whatever means you prefer for more details. (Please do not disclose sensitive details publicly at this stage.)
+
+> For less serious issues (e.g. RFC compliance for unsupported flows or potential issues that may cause a problem in the future) it is appropriate to submit these publicly as bug reports or feature requests or to raise a question to open a discussion around them.
+
+## Supported Versions
+
+Security updates are only released for the current version.
+
+Old releases are not maintained and do not receive updates.
diff --git a/docs/vercel.json b/docs/vercel.json
index c3296f0939..b90828fe9c 100644
--- a/docs/vercel.json
+++ b/docs/vercel.json
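Review bot: The new security.txt has no `Expires` field, which RFC 9116 makes mandatory, so the securitytxt.org validator and other RFC-conformant consumers will reject the file; add `Expires: <ISO 8601 date-time, e.g. one year out>` alongside `Canonical:`. The prose under `# Security Policy`, from `NextAuth.js practices responsible disclosure.` through `Old releases are not maintained and do not receive updates.`, is neither `name: value` fields nor `#` comments, so strict parsers treat those lines as malformed; prefix each of them with `# ` or move the text to a web page and reference it with a `Policy:` field. The body text names `yo@ndo.dev` as a reporting address while the `Contact:` fields give `authjs-security@ndo.dev`; the two should agree so reporters are not directed to an unlisted mailbox. Since the file is unsigned, consider publishing an OpenPGP cleartext-signed version with an `Encryption:` key so reporters can verify the contacts and send details confidentially.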
@@ -12,6 +12,11 @@
 }
 ],
 "redirects": [
+ {
+ "source": "/security.txt",
+ "destination": "/.well-known/security.txt",
+ "permanent": true
+ },
 {
 "source": "/new/provider-issue",
 "destination": "https://github.com/nextauthjs/next-auth/issues/new?assignees=&labels=triage%2Cproviders&template=2_bug_provider.yml",