Authelia takes security very seriously. We follow the rule of responsible disclosure, and we urge our community to do so as well instead of making the vulnerability public. This allows time for the security issue to be patched quickly.
If you discover a vulnerability in Authelia, please first contact one of the maintainers privately either via Matrix, Discord, or email as described in the contact options below. We urge you not to disclose the bug publicly at least until we've had a chance to fix it.
For more information about security related matters, please read the documentation.
Join the Matrix Space which includes both the Support Room and the Contributing Room. You can check the members list for one of the core team members who are identified as administrators in the rooms and space, alternatively you can just ask for one of the core team members in one of the rooms. Once you've made contact with a core team member we ask you privately message them to divulge the vulnerability.
Join the Discord Server and message the #support or #contributing channels which link to Matrix and contact a core team member. Once you've made contact with a core team member we ask you privately message them to divulge the vulnerability.
You can contact any of the core team members for security vulnerability related issues by emailing [email protected]. This email is strictly reserved for security and vulnerability disclosure related matters. If you need to contact us for any other reason please use [email protected] or another contact option.
Users who report bugs will optionally be creditted for the discovery. Both in the security advisory and in our all contributors configuration.
- User privately reports a potential vulnerability.
- The core team reviews the report and ascertain if additional information is required.
- The core team reproduces the bug.
- The bug is patched, and if possible the user reporting te bug is given access to a fixed version or git patch.
- The fix is confirmed to resolve the vulnerability.
- The fix is released.
- The security advisory is published sometime after users have had a chance to update.
We are actively looking for sponsorship to obtain either a code security audit, penetration testing, or other audits related to improving the security of Authelia. If your company or you personally are willing to offer discounts, pro bono, or funding towards services like these please feel free to contact us on any of the methods above.