root: update security policy to include link to cure53 report (#7853)
* add links to the cure53 audit results
* fix link
* link
* fighting with Docu
* removed link for now
* use absolute link

---------

Co-authored-by: Tana Berry <tana@goauthentik.io>
parent 1fccbaa693
commit f2aa83a731
@ -1,5 +1,9 @@
authentik takes security very seriously. We follow the rules of [responsible disclosure](https://en.wikipedia.org/wiki/Responsible_disclosure), and we urge our community to do so as well, instead of reporting vulnerabilities publicly. This allows us to patch the issue quickly, announce it's existence and release the fixed version.
## Independent audits and pentests
In May/June of 2023 [Cure53](https://cure53.de) conducted an audit and pentest. The [results](https://cure53.de/pentest-report_authentik.pdf) are published on the [Cure53 website](https://cure53.de/#publications-2023). For more details about authentik's response to the findings of the audit refer to [2023-06 Cure53 Code audit](https://goauthentik.io/docs/security/2023-06-cure53).
## What authentik classifies as a CVE
CVE (Common Vulnerability and Exposure) is a system designed to aggregate all vulnerabilities. As such, a CVE will be issued when there is a either vulnerability or exposure. Per NIST, A vulnerability is:
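Review bot: the new "Independent audits and pentests" section links a third-party fragment anchor, `https://cure53.de/#publications-2023`, which will silently stop resolving if Cure53 reorganises its publications page; the direct PDF link `https://cure53.de/pentest-report_authentik.pdf` in the same sentence already carries the fact, so consider linking plain `https://cure53.de` instead of the anchor. The absolute `https://goauthentik.io/docs/security/2023-06-cure53` link is the right choice here, since the security policy is rendered outside the docs site where Docusaurus relative links do not resolve. Wording: "In May/June of 2023" reads better as "In May and June 2023", and "findings of the audit refer to" needs a comma before "refer to". The unchanged context line above still reads "announce it's existence"; it should be "its existence", worth fixing while this file is being edited.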
@ -1,8 +1,8 @@
# 2023-06 Cure53 Code audit
In May/June of 2023, we've had a Pen-test conducted by [Cure53](https://cure53.de). The following security updates, 2023.4.2 and 2023.5.3 were released as a response to the found issues.
In May/June of 2023, we've had a Pentest conducted by [Cure53](https://cure53.de). The following security updates, 2023.4.2 and 2023.5.3 were released as a response to the found issues.
From the complete report, these are the points we're addressing with this update:
From the [complete report](https://cure53.de/pentest-report_authentik.pdf), these are the points we're addressing with this update:
### ATH-01-001: Path traversal on blueprints allows arbitrary file-read (Medium)
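Review bot: the first changed line only swaps "Pen-test" for "Pentest" and keeps the grammar of the line it replaces; while touching it, "we've had a Pentest conducted" should be "we had a pentest conducted", and the next sentence needs its closing comma: "The following security updates, 2023.4.2 and 2023.5.3, were released". Naming is now inconsistent across this commit: the page heading says "Code audit", this line says "Pentest", and the security policy text added in the same commit writes "audit and pentest" in lowercase; settle on one term. The second changed line hard-codes the same `https://cure53.de/pentest-report_authentik.pdf` URL that the policy file now carries, so if Cure53 ever moves the PDF both places need updating; a one-line comment or a note in the commit would help the next editor find both.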