From 095b5bfc7866bd69db5be3e2d4df7f79ed1edf00 Mon Sep 17 00:00:00 2001 From: authentik-db-cooper <128407735+authentik-db-cooper@users.noreply.github.com> Date: Wed, 12 Jul 2023 06:56:37 -0600 Subject: [PATCH] root: Update security policy (#6222) * Update security md * update supported versions Signed-off-by: Jens Langhammer --------- Signed-off-by: Jens Langhammer Co-authored-by: Jens Langhammer --- SECURITY.md | 50 +++++++++++++++++++++++++++----------------------- 1 file changed, 27 insertions(+), 23 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index e2d565212..3a02de671 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -1,44 +1,48 @@ -authentik takes security very seriously. We follow the rules of [responsible disclosure](https://en.wikipedia.org/wiki/Responsible_disclosure), and we urge our community to do so as well, instead of reporting vulnerabilities publicly. This allows us to patch the issue quickly, announce it's existence and release the fixed version. +authentik takes security very seriously. We follow the rules of [responsible disclosure](https://en.wikipedia.org/wiki/Responsible_disclosure), and we urge our community to do so as well, instead of reporting vulnerabilities publicly. This allows us to patch the issue quickly, announce it's existence and release the fixed version. + +## What authentik classifies as a CVE + +CVE (Common Vulnerability and Exposure) is a system designed to aggregate all vulnerabilities. As such, a CVE will be issued when there is a either vulnerability or exposure. Per NIST, A vulnerability is: + +“Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.” + +If it is determined that the issue does qualify as a CVE, a CVE number will be issued to the reporter from GitHub. + +Even if the issue is not a CVE, we still greatly appreciate your help in hardening authentik. ## Supported Versions (.x being the latest patch release for each version) -| Version | Supported | -| --------- | ------------------ | -| 2023.4.x | :white_check_mark: | -| 2023.5.x | :white_check_mark: | +| Version | Supported | +| --- | --- | +| 2023.5.x | ✅ | +| 2023.6.x | ✅ | ## Reporting a Vulnerability -To report a vulnerability, send an email to [security@goauthentik.io](mailto:security@goauthentik.io). Be sure to include relevant information like which version you've found the issue in, instructions on how to reproduce the issue, and anything else that might make it easier for us to find the bug. +To report a vulnerability, send an email to [security@goauthentik.io](mailto:security@goauthentik.io). Be sure to include relevant information like which version you've found the issue in, instructions on how to reproduce the issue, and anything else that might make it easier for us to find the issue. -## Criticality levels +## Severity levels -### High +authentik reserves the right to reclassify CVSS as necessary. To determine severity, we will use the CVSS calculator from NVD (https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator). The calculated CVSS score will then be translated into one of the following categories: -- Authorization bypass -- Circumvention of policies - -### Moderate - -- Denial-of-Service attacks - -### Low - -- Unvalidated redirects -- Issues requiring uncommon setups +| 0.0 | None | +| 0.1 – 3.9 | Low | +| 4.0 – 6.9 | Medium | +| 7.0 – 8.9 | High | +| 9.0 – 10.0 | Critical | ## Disclosure process -1. Issue is reported via Email as listed above. +1. Report from Github or Issue is reported via Email as listed above. 2. The authentik Security team will try to reproduce the issue and ask for more information if required. -3. A criticality level is assigned. +3. A severity level is assigned. 4. A fix is created, and if possible tested by the issue reporter. 5. The fix is backported to other supported versions, and if possible a workaround for other versions is created. -6. An announcement is sent out with a fixed release date and criticality level of the issue. The announcement will be sent at least 24 hours before the release of the fix +6. An announcement is sent out with a fixed release date and severity level of the issue. The announcement will be sent at least 24 hours before the release of the security fix. 7. The fixed version is released for the supported versions. ## Getting security notifications -To get security notifications, subscribe to the mailing list [here](https://groups.google.com/g/authentik-security-announcements) or join the [discord](https://goauthentik.io/discord) server. +To get security notifications, subscribe to the mailing list [here](https://groups.google.com/g/authentik-security-announcements) or join the [discord](https://goauthentik.io/discord) server.