Security: OpenIDC/mod_auth_openidc

SECURITY.md

Security Policy

Supported Versions

Version Supported
2.4.x
< 2.4.0

Reporting a Vulnerability

Please send an e-mail to support@openidc.com that includes:

  • a brief description of the vulnerability
  • how the vulnerability can be observed
  • optionally the type of vulnerability and any related OWASP category
  • non-destructive exploitation details

Followup

After submitting your vulnerability report, you will receive an acknowledgement reply usually within 24 working hours of your report being received.

The team will triage the reported vulnerability, and respond as soon as possible to let you know whether further information is required, whether the vulnerability is in or out of scope, or is a duplicate report. Priority for bug fixes or mitigations is assessed by looking at the impact severity and exploit complexity.

When the reported vulnerability is resolved, or remediation work is scheduled, the Support team will notify you, and invite you to confirm that the solution covers the vulnerability adequately.

You are particularly invited to give us feedback on the disclosure handling process, the clarity and quality of the communication relationship, and of course the effectiveness of the vulnerability resolution. This feedback will be used in strict confidence to help us improve our processes for handling reports, developing services, and resolving vulnerabilities.

Where a report qualifies, we will offer to include you on our thanks and acknowledgement page. We will ask you to confirm the details you want included before they are published.