Add Security Policy #995
Merged
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,3 @@ | ||
# Security Disclosures | ||
|
||
Please see [our community docs](https://oauth2-proxy.github.io/oauth2-proxy/docs/community/security) for our security policy. |
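Review bot: SECURITY.md only points at a hard-coded docs URL (https://oauth2-proxy.github.io/oauth2-proxy/docs/community/security) and gives no reporting channel of its own, so a reporter who lands on this file in the repository still has to find and load the docs site before they know where to send a report. Since the docs page added in this PR ultimately says "compose an email and send it to the list of maintainers in our MAINTAINERS file", consider repeating that one instruction (and the MAINTAINERS link) here, so the file is useful on its own if the docs site is unavailable or the page is later moved.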
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,49 @@ | ||
--- | ||
id: security | ||
title: Security | ||
--- | ||
|
||
:::note | ||
OAuth2 Proxy is a community project. | ||
Maintainers do not work on this project full time, and as such, | ||
while we endeavour to respond to disclosures as quickly as possible, | ||
this may take longer than in projects with corporate sponsorship. | ||
::: | ||
|
||
## Security Disclosures | ||
|
||
:::important | ||
If you believe you have found a vulnerability within OAuth2 Proxy or any of its | ||
dependencies, please do NOT open an issue or PR on GitHub, please do NOT post | ||
any details publicly. | ||
::: | ||
|
||
Security disclosures MUST be done in private. | ||
If you have found an issue that you would like to bring to the attention of the | ||
maintenance team for OAuth2 Proxy, please compose an email and send it to the | ||
list of maintainers in our [MAINTAINERS](https://github.com/oauth2-proxy/oauth2-proxy/blob/master/MAINTAINERS) file. | ||
|
||
Please include as much detail as possible. | ||
Ideally, your disclosure should include: | ||
- A reproducible case that can be used to demonstrate the exploit | ||
- How you discovered this vulnerability | ||
- A potential fix for the issue (if you have thought of one) | ||
- Versions affected (if not present in master) | ||
- Your GitHub ID | ||
|
||
### How will we respond to disclosures? | ||
|
||
We use [GitHub Security Advisories](https://docs.github.com/en/github/managing-security-vulnerabilities/about-github-security-advisories) | ||
to privately discuss fixes for disclosed vulnerabilities. | ||
If you include a GitHub ID with your disclosure we will add you as a collaborator | ||
for the advisory so that you can join the discussion and validate any fixes | ||
we may propose. | ||
|
||
For minor issues and previously disclosed vulnerabilities (typically for | ||
dependencies), we may use regular PRs for fixes and forego the security advisory. | ||
|
||
Once a fix has been agreed upon, we will merge the fix and create a new release. | ||
If we have multiple security issues in flight simultaneously, we may delay | ||
merging fixes until all patches are ready. | ||
We may also backport the fix to previous releases, | ||
but this will be at the discretion of the maintainers. |
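Review bot: the reporting instructions are inconsistent about dependencies. The `:::important` block tells reporters not to open an issue or PR or post anything publicly for a vulnerability in OAuth2 Proxy "or any of its dependencies", but the "How will we respond" section later says previously disclosed dependency vulnerabilities may be handled with regular PRs. Clarify that the private-only rule applies to undisclosed issues, and that an already-public dependency advisory can be reported through the normal issue flow (the fix for the dependency itself belongs upstream in any case). Two smaller points: "send it to the list of maintainers in our MAINTAINERS file" means a reporter has to assemble addresses from a separate file and then email exploit details in plaintext to several people, so a single contact address and, if the maintainers have one, a PGP key would make private disclosure simpler and safer; and since the note at the top warns that responses may be slow, stating a target acknowledgement window (even a generous one) would tell reporters when it is reasonable to follow up.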
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,49 @@ | ||
--- | ||
id: security | ||
title: Security | ||
--- | ||
|
||
:::note | ||
OAuth2 Proxy is a community project. | ||
Maintainers do not work on this project full time, and as such, | ||
while we endeavour to respond to disclosures as quickly as possible, | ||
this may take longer than in projects with corporate sponsorship. | ||
::: | ||
|
||
## Security Disclosures | ||
|
||
:::important | ||
If you believe you have found a vulnerability within OAuth2 Proxy or any of its | ||
dependencies, please do NOT open an issue or PR on GitHub, please do NOT post any | ||
details publicly. | ||
::: | ||
|
||
Security disclosures MUST be done in private. | ||
If you have found an issue that you would like to bring to the attention of the | ||
maintenance team for OAuth2 Proxy, please compose an email and send it to the | ||
list of maintainers in our [MAINTAINERS](https://github.com/oauth2-proxy/oauth2-proxy/blob/master/MAINTAINERS) file. | ||
|
||
Please include as much detail as possible. | ||
Ideally, your disclosure should include: | ||
- A reproducible case that can be used to demonstrate the exploit | ||
- How you discovered this vulnerability | ||
- A potential fix for the issue (if you have thought of one) | ||
- Versions affected (if not present in master) | ||
- Your GitHub ID | ||
|
||
### How will we respond to disclosures? | ||
|
||
We use [GitHub Security Advisories](https://docs.github.com/en/github/managing-security-vulnerabilities/about-github-security-advisories) | ||
to privately discuss fixes for disclosed vulnerabilities. | ||
If you include a GitHub ID with your disclosure we will add you as a collaborator | ||
for the advisory so that you can join the discussion and validate any fixes | ||
we may propose. | ||
|
||
For minor issues and previously disclosed vulnerabilities (typically for | ||
dependencies), we may use regular PRs for fixes and forego the security advisory. | ||
|
||
Once a fix has been agreed upon, we will merge the fix and create a new release. | ||
If we have multiple security issues in flight simultaneously, we may delay | ||
merging fixes until all patches are ready. | ||
We may also backport the fix to previous releases, | ||
but this will be at the discretion of the maintainers. |
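Review bot: this second copy of the security page is not byte-identical to the first one in this PR; the `:::important` block is wrapped differently ("please do NOT post any" / "details publicly." here versus "please do NOT post" / "any details publicly." above). That is harmless for rendering, but having two hand-maintained copies means a later change to the reporting instructions (for example adding a contact address) is likely to land in only one of them. Consider keeping the two files identical, or generating this copy from the first rather than editing both by hand. The same comments as on the first copy apply to the content.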
Sometimes they are minor security nice-to-haves and we decide to use traditional public PRs to collaborate and merge the change.
Do we want to document that decision process of public vs security advisory PR?
I'm not sure that's worth documenting other than "if the issue is minor, we may instead use the standard PR flow", WDYT? What kind of thoughts were you thinking of documenting?