oauth2-proxy/docs/community/security/index.html

<!doctype html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width,initial-scale=1">
<meta name="generator" content="Docusaurus v2.0.0-alpha.66">
<title data-react-helmet="true">Security | OAuth2 Proxy</title><meta data-react-helmet="true" name="twitter:card" content="summary_large_image"><meta data-react-helmet="true" name="docusaurus_language" content="en"><meta data-react-helmet="true" name="docusaurus_version" content="7.0.x"><meta data-react-helmet="true" name="docusaurus_tag" content="docs-default-7.0.x"><meta data-react-helmet="true" property="og:title" content="Security | OAuth2 Proxy"><meta data-react-helmet="true" name="description" content="OAuth2 Proxy is a community project."><meta data-react-helmet="true" property="og:description" content="OAuth2 Proxy is a community project."><meta data-react-helmet="true" property="og:url" content="https://oauth2-proxy.github.io/oauth2-proxy/docs/community/security"><link data-react-helmet="true" rel="shortcut icon" href="/oauth2-proxy/img/logos/OAuth2_Proxy_icon.svg"><link data-react-helmet="true" rel="canonical" href="https://oauth2-proxy.github.io/oauth2-proxy/docs/community/security"><link rel="stylesheet" href="/oauth2-proxy/styles.58710d0f.css">
<link rel="preload" href="/oauth2-proxy/styles.2e624daf.js" as="script">
<link rel="preload" href="/oauth2-proxy/runtime~main.9f6e668f.js" as="script">
<link rel="preload" href="/oauth2-proxy/main.ff464f14.js" as="script">
<link rel="preload" href="/oauth2-proxy/1.07b9992e.js" as="script">
<link rel="preload" href="/oauth2-proxy/2.cd1a0941.js" as="script">
<link rel="preload" href="/oauth2-proxy/38.f7098cec.js" as="script">
<link rel="preload" href="/oauth2-proxy/40.6add7124.js" as="script">
<link rel="preload" href="/oauth2-proxy/230aeb34.b0a8f7b9.js" as="script">
<link rel="preload" href="/oauth2-proxy/17896441.8a8027b4.js" as="script">
<link rel="preload" href="/oauth2-proxy/f4c9d322.8594a982.js" as="script">
</head>
<body>
<script>!function(){function t(t){document.documentElement.setAttribute("data-theme",t)}var e=function(){var t=null;try{t=localStorage.getItem("theme")}catch(t){}return t}();t(null!==e?e:"light")}()</script><div id="__docusaurus">
<nav class="navbar navbar--fixed-top"><div class="navbar__inner"><div class="navbar__items"><div aria-label="Navigation bar toggle" class="navbar__toggle" role="button" tabindex="0"><svg xmlns="http://www.w3.org/2000/svg" width="30" height="30" viewBox="0 0 30 30" role="img" focusable="false"><title>Menu</title><path stroke="currentColor" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2" d="M4 7h22M4 15h22M4 23h22"></path></svg></div><a class="navbar__brand" href="/oauth2-proxy/"><img class="navbar__logo" src="/oauth2-proxy/img/logos/OAuth2_Proxy_icon.svg" alt="OAuth2 Proxy"><strong class="navbar__title">OAuth2 Proxy</strong></a><a aria-current="page" class="navbar__item navbar__link navbar__link--active" href="/oauth2-proxy/docs/">Docs</a></div><div class="navbar__items navbar__items--right"><div class="navbar__item dropdown dropdown--hoverable dropdown--right"><a class="navbar__item navbar__link" href="/oauth2-proxy/docs/">7.0.x</a><ul class="dropdown__menu"><li><a class="dropdown__link" href="/oauth2-proxy/docs/next/community/security">Next</a></li><li><a aria-current="page" class="dropdown__link dropdown__link--active" href="/oauth2-proxy/docs/community/security">7.0.x</a></li><li><a class="dropdown__link" href="/oauth2-proxy/docs/6.1.x/community/security">6.1.x</a></li></ul></div><a href="https://github.com/oauth2-proxy/oauth2-proxy" target="_blank" rel="noopener noreferrer" class="navbar__item navbar__link">GitHub</a><div class="react-toggle react-toggle--disabled displayOnlyInLargeViewport_2aTZ"><div class="react-toggle-track"><div class="react-toggle-track-check"><span class="toggle_BsTx">🌜</span></div><div class="react-toggle-track-x"><span class="toggle_BsTx">🌞</span></div></div><div class="react-toggle-thumb"></div><input type="checkbox" disabled="" aria-label="Dark mode toggle" class="react-toggle-screenreader-only"></div></div></div><div role="presentation" class="navbar-sidebar__backdrop"></div><div class="navbar-sidebar"><div class="navbar-sidebar__brand"><a class="navbar__brand" href="/oauth2-proxy/"><img class="navbar__logo" src="/oauth2-proxy/img/logos/OAuth2_Proxy_icon.svg" alt="OAuth2 Proxy"><strong class="navbar__title">OAuth2 Proxy</strong></a></div><div class="navbar-sidebar__items"><div class="menu"><ul class="menu__list"><li class="menu__list-item"><a aria-current="page" class="menu__link navbar__link--active" href="/oauth2-proxy/docs/">Docs</a></li><li class="menu__list-item"><a role="button" class="menu__link menu__link--sublist">Versions</a><ul class="menu__list"><li class="menu__list-item"><a class="menu__link" href="/oauth2-proxy/docs/next/community/security">Next</a></li><li class="menu__list-item"><a aria-current="page" class="menu__link menu__link--active" href="/oauth2-proxy/docs/community/security">7.0.x</a></li><li class="menu__list-item"><a class="menu__link" href="/oauth2-proxy/docs/6.1.x/community/security">6.1.x</a></li></ul></li><li class="menu__list-item"><a href="https://github.com/oauth2-proxy/oauth2-proxy" target="_blank" rel="noopener noreferrer" class="menu__link">GitHub</a></li></ul></div></div></div></nav><div class="main-wrapper"><div class="docPage_2gpo"><div class="docSidebarContainer_3_JD" role="complementary"><div class="sidebar_2urC"><div class="menu menu--responsive menu_5FrY"><button aria-label="Open Menu" aria-haspopup="true" class="button button--secondary button--sm menu__button" type="button"><svg aria-label="Menu" class="sidebarMenuIcon_Dm3K" xmlns="http://www.w3.org/2000/svg" height="24" width="24" viewBox="0 0 32 32" role="img" focusable="false"><title>Menu</title><path stroke="currentColor" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2" d="M4 7h22M4 15h22M4 23h22"></path></svg></button><ul class="menu__list"><li class="menu__list-item"><a class="menu__link" href="/oauth2-proxy/docs/">Installation</a></li><li class="menu__list-item"><a class="menu__link" href="/oauth2-proxy/docs/behaviour">Behaviour</a></li><li class="menu__list-item"><a class="menu__link menu__link--sublist" href="#!">Configuration</a><ul class="menu__lis
Maintainers do not work on this project full time, and as such,
while we endeavour to respond to disclosures as quickly as possible,
this may take longer than in projects with corporate sponsorship.</p></div></div><h2><a aria-hidden="true" tabindex="-1" class="anchor enhancedAnchor_2cZh" id="security-disclosures"></a>Security Disclosures<a aria-hidden="true" tabindex="-1" class="hash-link" href="#security-disclosures" title="Direct link to heading">#</a></h2><div class="admonition admonition-important alert alert--info"><div class="admonition-heading"><h5><span class="admonition-icon"><svg xmlns="http://www.w3.org/2000/svg" width="14" height="16" viewBox="0 0 14 16"><path fill-rule="evenodd" d="M7 2.3c3.14 0 5.7 2.56 5.7 5.7s-2.56 5.7-5.7 5.7A5.71 5.71 0 0 1 1.3 8c0-3.14 2.56-5.7 5.7-5.7zM7 1C3.14 1 0 4.14 0 8s3.14 7 7 7 7-3.14 7-7-3.14-7-7-7zm1 3H6v5h2V4zm0 6H6v2h2v-2z"></path></svg></span>important</h5></div><div class="admonition-content"><p>If you believe you have found a vulnerability within OAuth2 Proxy or any of its
dependencies, please do NOT open an issue or PR on GitHub, please do NOT post
any details publicly.</p></div></div><p>Security disclosures MUST be done in private.
If you have found an issue that you would like to bring to the attention of the
maintenance team for OAuth2 Proxy, please compose an email and send it to the
list of maintainers in our <a href="https://github.com/oauth2-proxy/oauth2-proxy/blob/master/MAINTAINERS" target="_blank" rel="noopener noreferrer">MAINTAINERS</a> file.</p><p>Please include as much detail as possible.
Ideally, your disclosure should include:</p><ul><li>A reproducible case that can be used to demonstrate the exploit</li><li>How you discovered this vulnerability</li><li>A potential fix for the issue (if you have thought of one)</li><li>Versions affected (if not present in master)</li><li>Your GitHub ID</li></ul><h3><a aria-hidden="true" tabindex="-1" class="anchor enhancedAnchor_2cZh" id="how-will-we-respond-to-disclosures"></a>How will we respond to disclosures?<a aria-hidden="true" tabindex="-1" class="hash-link" href="#how-will-we-respond-to-disclosures" title="Direct link to heading">#</a></h3><p>We use <a href="https://docs.github.com/en/github/managing-security-vulnerabilities/about-github-security-advisories" target="_blank" rel="noopener noreferrer">GitHub Security Advisories</a>
to privately discuss fixes for disclosed vulnerabilities.
If you include a GitHub ID with your disclosure we will add you as a collaborator
for the advisory so that you can join the discussion and validate any fixes
we may propose.</p><p>For minor issues and previously disclosed vulnerabilities (typically for
dependencies), we may use regular PRs for fixes and forego the security advisory.</p><p>Once a fix has been agreed upon, we will merge the fix and create a new release.
If we have multiple security issues in flight simultaneously, we may delay
merging fixes until all patches are ready.
We may also backport the fix to previous releases,
but this will be at the discretion of the maintainers.</p></div></article><div class="margin-vert--xl"><div class="row"><div class="col"><a href="https://github.com/oauth2-proxy/oauth2-proxy/edit/master/docs/versioned_docs/version-7.0.x/community/security.md" target="_blank" rel="noreferrer noopener"><svg fill="currentColor" height="1.2em" width="1.2em" preserveAspectRatio="xMidYMid meet" viewBox="0 0 40 40" style="margin-right:0.3em;vertical-align:sub"><g><path d="m34.5 11.7l-3 3.1-6.3-6.3 3.1-3q0.5-0.5 1.2-0.5t1.1 0.5l3.9 3.9q0.5 0.4 0.5 1.1t-0.5 1.2z m-29.5 17.1l18.4-18.5 6.3 6.3-18.4 18.4h-6.3v-6.2z"></path></g></svg>Edit this page</a></div></div></div><div class="margin-vert--lg"><nav class="pagination-nav" aria-label="Blog list page navigation"><div class="pagination-nav__item"><a class="pagination-nav__link" href="/oauth2-proxy/docs/features/request_signatures"><div class="pagination-nav__sublabel">Previous</div><div class="pagination-nav__label">« Request Signatures</div></a></div><div class="pagination-nav__item pagination-nav__item--next"></div></nav></div></div></div><div class="col col--3"><div class="tableOfContents_3SO_"><ul class="table-of-contents table-of-contents__left-border"><li><a href="#security-disclosures" class="table-of-contents__link">Security Disclosures</a><ul><li><a href="#how-will-we-respond-to-disclosures" class="table-of-contents__link">How will we respond to disclosures?</a></li></ul></li></ul></div></div></div></div></main></div></div><footer class="footer footer--dark"><div class="container"><div class="text--center"><div>Copyright © 2021 OAuth2 Proxy.</div></div></div></footer></div>
<script src="/oauth2-proxy/styles.2e624daf.js"></script>
<script src="/oauth2-proxy/runtime~main.9f6e668f.js"></script>
<script src="/oauth2-proxy/main.ff464f14.js"></script>
<script src="/oauth2-proxy/1.07b9992e.js"></script>
<script src="/oauth2-proxy/2.cd1a0941.js"></script>
<script src="/oauth2-proxy/38.f7098cec.js"></script>
<script src="/oauth2-proxy/40.6add7124.js"></script>
<script src="/oauth2-proxy/230aeb34.b0a8f7b9.js"></script>
<script src="/oauth2-proxy/17896441.8a8027b4.js"></script>
<script src="/oauth2-proxy/f4c9d322.8594a982.js"></script>
</body>
</html>