Authelia takes security very seriously. We follow the rule of responsible disclosure, and we urge our community to do so as well instead of making the vulnerability public. This allows time for the security issue to be patched quickly.

If you discover a vulnerability in Authelia, please first contact one of the maintainers privately as described in the contact options below.

We urge you not to disclose the bug publicly at least until we've had a reasonable chance to fix it, and to clearly communicate any public disclosure timeline in your initial contact with us. If you do not have a particular public disclosure timeline, we will clearly communicate ours as we publish security advisories.

For more information about security related matters, please read the documentation.

Several contact options exist, it's important to make sure you contact the maintainers privately which is described in each available contact method. The methods include our security email, Matrix, and Discord.

Users who report bugs will optionally be credited for the discovery. Both in the security advisory and in our all contributors configuration/documentation.

1. User privately reports a potential vulnerability.
2. The core team reviews the report and ascertain if additional information is required.
3. The core team reproduces the bug.
4. The bug is patched, and if possible the user reporting te bug is given access to a fixed version or git patch.
5. The fix is confirmed to resolve the vulnerability.
6. The fix is released.
7. The security advisory is published sometime after users have had a chance to update.

We are actively looking for sponsorship to obtain either a code security audit, penetration testing, or other audits related to improving the security of Authelia. If your company or you personally are willing to offer discounts, pro bono, or funding towards services like these please feel free to contact us on any of the methods above.