Security: simpleid/simpleid

SECURITY.md

Security Policy

This document sets out the security policy and procedures for the SimpleID project.

Supported versions

Security patches will be provided for the following versions:

  • 1.x

How to report a security issue

If you discover a vulnerability in SimpleID, keep it confidential. Do not disclose the vulnerability to anyone before the advisory is issued.

You can provide details of the vulnerability in the following ways:

  1. Create a vulnerability report on GitHub. If you are reading this page on GitHub you can click the green button on the top right-hand side of this page to create a vulnerability report.
  2. Provide details of the vulnerability direct to kmo-at-users.sourceforge.net.

Do not use the regular GitHub issue system.

At a minimum, your report should include:

  1. the version of SimpleID, and your hosting environment
  2. the steps required to reproduce the problem
  3. any other information which you think would be useful in diagnosing the problem

If you know how to fix the problem or a temporary workaround, include it in the report.

We will acknowledge your report as soon as we can. We will use reasonable endeavours to keep you informed while we investigate and create a fix. We may ask you for additional information or guidance as part of our investigation.

Some issues take time to correct, and the process may involve a review of the code for similar problems.

When a fix is ready, an advisory urging users to upgrade is published. If the vulnerability is discovered for the first time, you will be credited in the advisory.

Report security bugs in third-party modules to the person or team maintaining the module.

Comments on this Policy

If you have suggestions on how this process could be improved, please submit a pull request.