root: rework and expand security policy

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

# Conflicts:
#	SECURITY.md
This commit is contained in:
Jens Langhammer 2022-11-28 12:10:53 +01:00
parent f3a72761c0
commit f21a196a3b
6 changed files with 97 additions and 53 deletions

View file

@ -17,23 +17,23 @@ diverse, inclusive, and healthy community.
Examples of behavior that contributes to a positive environment for our Examples of behavior that contributes to a positive environment for our
community include: community include:
* Demonstrating empathy and kindness toward other people - Demonstrating empathy and kindness toward other people
* Being respectful of differing opinions, viewpoints, and experiences - Being respectful of differing opinions, viewpoints, and experiences
* Giving and gracefully accepting constructive feedback - Giving and gracefully accepting constructive feedback
* Accepting responsibility and apologizing to those affected by our mistakes, - Accepting responsibility and apologizing to those affected by our mistakes,
and learning from the experience and learning from the experience
* Focusing on what is best not just for us as individuals, but for the - Focusing on what is best not just for us as individuals, but for the
overall community overall community
Examples of unacceptable behavior include: Examples of unacceptable behavior include:
* The use of sexualized language or imagery, and sexual attention or - The use of sexualized language or imagery, and sexual attention or
advances of any kind advances of any kind
* Trolling, insulting or derogatory comments, and personal or political attacks - Trolling, insulting or derogatory comments, and personal or political attacks
* Public or private harassment - Public or private harassment
* Publishing others' private information, such as a physical or email - Publishing others' private information, such as a physical or email
address, without their explicit permission address, without their explicit permission
* Other conduct which could reasonably be considered inappropriate in a - Other conduct which could reasonably be considered inappropriate in a
professional setting professional setting
## Enforcement Responsibilities ## Enforcement Responsibilities

View file

@ -11,19 +11,22 @@ The following is a set of guidelines for contributing to authentik and its compo
[I don't want to read this whole thing, I just have a question!!!](#i-dont-want-to-read-this-whole-thing-i-just-have-a-question) [I don't want to read this whole thing, I just have a question!!!](#i-dont-want-to-read-this-whole-thing-i-just-have-a-question)
[What should I know before I get started?](#what-should-i-know-before-i-get-started) [What should I know before I get started?](#what-should-i-know-before-i-get-started)
* [The components](#the-components)
* [authentik's structure](#authentiks-structure) - [The components](#the-components)
- [authentik's structure](#authentiks-structure)
[How Can I Contribute?](#how-can-i-contribute) [How Can I Contribute?](#how-can-i-contribute)
* [Reporting Bugs](#reporting-bugs)
* [Suggesting Enhancements](#suggesting-enhancements) - [Reporting Bugs](#reporting-bugs)
* [Your First Code Contribution](#your-first-code-contribution) - [Suggesting Enhancements](#suggesting-enhancements)
* [Pull Requests](#pull-requests) - [Your First Code Contribution](#your-first-code-contribution)
- [Pull Requests](#pull-requests)
[Styleguides](#styleguides) [Styleguides](#styleguides)
* [Git Commit Messages](#git-commit-messages)
* [Python Styleguide](#python-styleguide) - [Git Commit Messages](#git-commit-messages)
* [Documentation Styleguide](#documentation-styleguide) - [Python Styleguide](#python-styleguide)
- [Documentation Styleguide](#documentation-styleguide)
## Code of Conduct ## Code of Conduct
@ -39,11 +42,11 @@ Either [create a question on GitHub](https://github.com/goauthentik/authentik/is
authentik consists of a few larger components: authentik consists of a few larger components:
- *authentik* the actual application server, is described below. - _authentik_ the actual application server, is described below.
- *outpost-proxy* is a Go application based on a forked version of oauth2_proxy, which does identity-aware reverse proxying. - _outpost-proxy_ is a Go application based on a forked version of oauth2_proxy, which does identity-aware reverse proxying.
- *outpost-ldap* is a Go LDAP server that uses the *authentik* application server as its backend - _outpost-ldap_ is a Go LDAP server that uses the _authentik_ application server as its backend
- *web* is the web frontend, both for administrating and using authentik. It is written in TypeScript using lit-html and the PatternFly CSS Library. - _web_ is the web frontend, both for administrating and using authentik. It is written in TypeScript using lit-html and the PatternFly CSS Library.
- *website* is the Website/documentation, which uses docusaurus. - _website_ is the Website/documentation, which uses docusaurus.
### authentik's structure ### authentik's structure
@ -154,10 +157,10 @@ While the prerequisites above must be satisfied prior to having your pull reques
### Git Commit Messages ### Git Commit Messages
* Use the format of `<package>: <verb> <description>` - Use the format of `<package>: <verb> <description>`
- See [here](#authentik-packages) for `package` - See [here](#authentik-packages) for `package`
- Example: `providers/saml2: fix parsing of requests` - Example: `providers/saml2: fix parsing of requests`
* Reference issues and pull requests liberally after the first line - Reference issues and pull requests liberally after the first line
### Python Styleguide ### Python Styleguide
@ -165,11 +168,11 @@ All Python code is linted with [black](https://black.readthedocs.io/en/stable/),
authentik runs on Python 3.9 at the time of writing this. authentik runs on Python 3.9 at the time of writing this.
* Use native type-annotations wherever possible. - Use native type-annotations wherever possible.
* Add meaningful docstrings when possible. - Add meaningful docstrings when possible.
* Ensure any database migrations work properly from the last stable version (this is checked via CI) - Ensure any database migrations work properly from the last stable version (this is checked via CI)
* If your code changes central functions, make sure nothing else is broken. - If your code changes central functions, make sure nothing else is broken.
### Documentation Styleguide ### Documentation Styleguide
* Use [MDX](https://mdxjs.com/) whenever appropriate. - Use [MDX](https://mdxjs.com/) whenever appropriate.

View file

@ -26,10 +26,10 @@ For bigger setups, there is a Helm Chart [here](https://github.com/goauthentik/h
## Screenshots ## Screenshots
Light | Dark | Light | Dark |
--- | --- | ------------------------------------------------------ | ----------------------------------------------------- |
![](https://goauthentik.io/img/screen_apps_light.jpg) | ![](https://goauthentik.io/img/screen_apps_dark.jpg) | ![](https://goauthentik.io/img/screen_apps_light.jpg) | ![](https://goauthentik.io/img/screen_apps_dark.jpg) |
![](https://goauthentik.io/img/screen_admin_light.jpg) | ![](https://goauthentik.io/img/screen_admin_dark.jpg) | ![](https://goauthentik.io/img/screen_admin_light.jpg) | ![](https://goauthentik.io/img/screen_admin_dark.jpg) |
## Development ## Development

View file

@ -1,17 +1,43 @@
# Security Policy Authentik takes security very seriously. We follow the rules of [responsible disclosure](https://en.wikipedia.org/wiki/Responsible_disclosure), and we urge our community to do so as well, instead of reporting vulnerabilities publicly. This allows us to patch the issue quickly, announce it's existence and release the fixed version.
## Supported Versions ## Supported Versions
(.x being the latest patch release for each version) (.x being the latest patch release for each version)
| Version | Supported | | Version | Supported |
| ---------- | ------------------ | | --------- | ------------------ |
| 2022.9.x | :white_check_mark: |
| 2022.10.x | :white_check_mark: | | 2022.10.x | :white_check_mark: |
| 2022.11.x | :white_check_mark: |
## Reporting a Vulnerability ## Reporting a Vulnerability
To report a vulnerability, send an email to [security@goauthentik.io](mailto:security@goauthentik.io) To report a vulnerability, send an email to [security@goauthentik.io](mailto:security@goauthentik.io). Be sure to include relevant information like which version you've found the issue in, instructions on how to reproduce the issue, and anything else that might make it easier for us to find the bug.
## Criticality levels
### High
- Authorization bypass
- Circumvention of policies
### Moderate
- Denial-of-Service attacks
### Low
- Unvalidated redirects
- Issues requiring uncommon setups
## Disclosure process
1. Issue is reported via Email as listed above.
2. The authentik Security team will try to reproduce the issue and ask for more information if required.
3. A criticality level is assigned.
4. A fix is created, and if possible tested by the issue reporter.
5. The fix is backported to other supported versions, and if possible a workaround for other versions is created.
6. An announcement is sent out with a fixed release date and criticality level of the issue. The announcement will be sent at least 24 hours before the release of the fix
7. The fixed version is released for the supported versions.
## Getting security notifications ## Getting security notifications

View file

@ -0,0 +1,5 @@
# Security Policy
import SecurityPolicy from "../../../SECURITY.md";
<SecurityPolicy />

View file

@ -281,5 +281,15 @@ module.exports = {
"troubleshooting/missing_admin_group", "troubleshooting/missing_admin_group",
], ],
}, },
{
type: "category",
label: "Security",
link: {
type: "generated-index",
title: "Security",
slug: "security",
},
items: ["security/policy"],
},
], ],
}; };