From f2aa83a7314a08dfdc337acbb711d6840023f2b1 Mon Sep 17 00:00:00 2001 From: Tana M Berry Date: Mon, 11 Dec 2023 15:26:36 -0600 Subject: [PATCH] root: update security policy to include link to cure53 report (#7853) * add links to the cure53 audit results * fix link * link * fighting with Docu * removed link for now * use absolute link --------- Co-authored-by: Tana Berry --- SECURITY.md | 4 ++++ website/docs/security/2023-06-cure53.md | 4 ++-- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index 0d9d6a673..9bb674f23 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -1,5 +1,9 @@ authentik takes security very seriously. We follow the rules of [responsible disclosure](https://en.wikipedia.org/wiki/Responsible_disclosure), and we urge our community to do so as well, instead of reporting vulnerabilities publicly. This allows us to patch the issue quickly, announce it's existence and release the fixed version. +## Independent audits and pentests + +In May/June of 2023 [Cure53](https://cure53.de) conducted an audit and pentest. The [results](https://cure53.de/pentest-report_authentik.pdf) are published on the [Cure53 website](https://cure53.de/#publications-2023). For more details about authentik's response to the findings of the audit refer to [2023-06 Cure53 Code audit](https://goauthentik.io/docs/security/2023-06-cure53). + ## What authentik classifies as a CVE CVE (Common Vulnerability and Exposure) is a system designed to aggregate all vulnerabilities. As such, a CVE will be issued when there is a either vulnerability or exposure. Per NIST, A vulnerability is: diff --git a/website/docs/security/2023-06-cure53.md b/website/docs/security/2023-06-cure53.md index 3df339e81..55d65d12d 100644 --- a/website/docs/security/2023-06-cure53.md +++ b/website/docs/security/2023-06-cure53.md 
@@ -1,8 +1,8 @@ # 2023-06 Cure53 Code audit -In May/June of 2023, we've had a Pen-test conducted by [Cure53](https://cure53.de). The following security updates, 2023.4.2 and 2023.5.3 were released as a response to the found issues. +In May/June of 2023, we've had a Pentest conducted by [Cure53](https://cure53.de). The following security updates, 2023.4.2 and 2023.5.3 were released as a response to the found issues. -From the complete report, these are the points we're addressing with this update: +From the [complete report](https://cure53.de/pentest-report_authentik.pdf), these are the points we're addressing with this update: ### ATH-01-001: Path traversal on blueprints allows arbitrary file-read (Medium)
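Review bot: In the SECURITY.md hunk, the unchanged context line directly above the new section still reads "announce it's existence"; since this commit already touches the file, the possessive should be corrected to "its existence" here rather than in a follow-up. The new "Independent audits and pentests" paragraph would also be more useful to readers if it named the releases that shipped the fixes (2023.4.2 and 2023.5.3, as stated in the docs page this same patch edits), so that someone reading SECURITY.md alone can tell which versions are affected without opening the PDF.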
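Review bot: The rewritten first line of website/docs/security/2023-06-cure53.md keeps the grammatical problems of the old one while only changing "Pen-test" to "Pentest": "we've had a Pentest conducted by" should be "we had a pentest conducted by" (simple past, and lowercase to match the "audits and pentests" heading added to SECURITY.md in this same patch), and the list of releases needs a closing comma: "The following security updates, 2023.4.2 and 2023.5.3, were released". Suggested line: "In May/June of 2023, we had a pentest conducted by [Cure53](https://cure53.de). The following security updates, 2023.4.2 and 2023.5.3, were released in response to the issues found." The second change, linking "complete report" to the published PDF, is good and matches the link used in SECURITY.md.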