Update the Coordinated Vulnerability Disclosure and the security charter
Co-authored-by: Stian Thorgersen <[email protected]>
Signed-off-by: Bruno Oliveira da Silva <[email protected]>
Showing 2 changed files with 152 additions and 20 deletions.
@@ -0,0 +1,119 @@ | ||
<#import "/templates/template.ftl" as tmpl> | ||
|
||
<@tmpl.page current="charter" title="Security Charter"> | ||
|
||
<div class="container mt-5 kc-article"> | ||
|
||
<h1>Security Charter</h1> | ||
|
||
<h2>Mission</h2> | ||
<p>The Keycloak Security Taskforce is committed to enhancing the security of the Keycloak project through continuous improvement of documentation, code, and processes. Our core responsibilities include:</p> | ||
<ul> | ||
<li>Proactive triage: rapidly addressing security vulnerabilities reported to Keycloak and ensuring they are resolved promptly and consistently.</li> | ||
<li>Impact evaluation: assessing the security implications of new and existing features.</li> | ||
<li>Process enhancement: regularly reviewing and refining security processes to ensure ongoing improvement within the codebase.</li> | ||
</ul> | ||
|
||
<h2>Teams</h2> | ||
<h3>Keycloak Security Response Team</h3> | ||
<p>A dedicated subset of maintainers actively involved in triaging new issues and coordinating with Resolution Teams. The Response Team has full access to all CVEs reported to the project and can add or remove members from Resolution Teams as necessary.</p> | ||
|
||
<h4>Member Nomination Process</h4> | ||
<ul> | ||
<li>New members can be nominated by existing maintainers and members of the Keycloak Security Response Team. Members of both teams have a vote in the approval process, and a 2/3 majority is required for approval.</li> | ||
<li>All nominations must be sent to the Keycloak Security mailing list.</li> | ||
<li>Members may step down at any time and may nominate a replacement when they do.</li> | ||
</ul> | ||
|
||
<h4>Responsibilities</h4> | ||
<ul> | ||
<li>Remain active and responsive, participating in day-to-day activities.</li> | ||
<li>Communicate any leave of absence.</li> | ||
<li>Participate on rotating shifts on a weekly basis.</li> | ||
<li>Members that have been inactive or not fulfilling their responsibilities for more than three months without advance notice will be removed by vote.</li> | ||
</ul> | ||
|
||
<h4>Scope</h4> | ||
<ul> | ||
<li>Vulnerability triage: managing reports received via the Keycloak security mailing list.</li> | ||
<li>Coordination: overseeing the response to reported vulnerabilities to ensure compliance with SLA deadlines.</li> | ||
<li>Process improvement: maintaining and enhancing security measures, such as implementing linters, scanners, fuzzers, and patch managers. Ensuring security is proactively integrated throughout the project.</li> | ||
</ul> | ||
|
||
<h4>Rotating Shifts</h4> | ||
<ul> | ||
<li>Team members take turns being the primary point of contact on a weekly basis.</li> | ||
<li>The designated person on the shift handles incoming security requests, coordinates responses to incidents, and manages day-to-day security tasks during their shift.</li> | ||
<li>Other team members will continue to work on security response duties, supporting the person on the shift.</li> | ||
<li>The Keycloak Security Office weekly meeting hours determine the end of the shift, and the next person on the shift is updated about the status.</li> | ||
<li>Vacations and PTOs are communicated during the meeting so we can adjust the shift.</li> | ||
</ul> | ||
|
||
<h3>Keycloak Security Resolution Team</h3> | ||
<p>Dynamic teams formed by individuals actively involved in triaging or resolving open CVEs. Members are added when they engage with a vulnerability and removed once their involvement concludes.</p> | ||
|
||
<h4>Scope</h4> | ||
<ul> | ||
<li>Resolution and testing: ensuring vulnerabilities are effectively fixed and thoroughly tested.</li> | ||
<li>Collaboration: working with the Response team to prioritize fixes above all other items in the team's backlog, regardless of their nature.</li> | ||
<li>Release Coordination: collaborating closely with release coordinators and Quality Engineering (QE) teams to include patches in upcoming releases.</li> | ||
</ul> | ||
|
||
<h2>Access</h2> | ||
<table border="1" cellpadding="10" cellspacing="5"> | ||
<thead> | ||
<tr> | ||
<th>Resource</th> | ||
<th>Response Team</th> | ||
<th>Resolution Team</th> | ||
</tr> | ||
</thead> | ||
<tbody> | ||
<tr> | ||
<td><a href="https://groups.google.com/g/keycloak-security">Mailing list</a></td> | ||
<td>Full access</td> | ||
<td>Added in CC to specific threads</td> | ||
</tr> | ||
<tr> | ||
<td><a href="https://github.com/keycloak/keycloak-private/">Private GitHub repository</a></td> | ||
<td>Full access</td> | ||
<td>Temporary access</td> | ||
</tr> | ||
<tr> | ||
<td><a href="https://github.com/keycloak/keycloak/security">Security advisories and alerts</a></td> | ||
<td>Full access</td> | ||
<td>No access</td> | ||
</tr> | ||
<tr> | ||
<td>Slack channel (#alerts-keycloak-cve)</td> | ||
<td>Full access</td> | ||
<td>Temporary access</td> | ||
</tr> | ||
</tbody> | ||
</table> | ||
|
||
<h2>Coordinating a Security Vulnerability Fix</h2> | ||
<ul> | ||
<li>Identification: the Response Team identifies relevant engineers from affected areas and temporarily includes them in private communication channels (e.g., repositories, email threads), forming a temporary Resolution Team.</li> | ||
<li>Efficiency: to prevent accidental disclosure, the Resolution Team remains as small as necessary.</li> | ||
<li>Autonomy: the Resolution Team has the autonomy to involve additional parties such as release coordinators, QE, and documentation teams. Communication with the Response Team is advised when in doubt.</li> | ||
<li>Access Revocation: post-release, access to sensitive communication channels is revoked to uphold the principle of least privilege.</li> | ||
</ul> | ||
|
||
<h2>Process Overview</h2> | ||
<ol> | ||
<li>A new vulnerability is reported to the Keycloak security mailing list.</li> | ||
<li>The vulnerability report is triaged.</li> | ||
<li>A CVE ID is assigned.</li> | ||
<li>The Response Team identifies the responsible group (e.g., Team A with members Noah and Emma).</li> | ||
<li>Team A submits the fix to the private repository and includes domain experts for review.</li> | ||
<li>Team A informs QE and releases coordinators about the forthcoming patch.</li> | ||
<li>The pull request is merged, and a new release is issued along with official advisories.</li> | ||
</ol> | ||
<p>In the absence of CVEs to fix, all team members will have their access revoked to security-sensitive channels except for the Keycloak Security Response Team.</p> | ||
|
||
<p>This charter outlines the approach the Keycloak project takes to manage and mitigate security vulnerabilities, ensuring the integrity and reliability of the project for all users.</p> | ||
|
||
</div> | ||
|
||
</@tmpl.page> |
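Review bot: the Response Team Scope list commits to "ensure compliance with SLA deadlines" (`<li>Coordination: overseeing the response to reported vulnerabilities to ensure compliance with SLA deadlines.</li>`), but nothing in this charter states what those deadlines are or links to where they are defined; either state the acknowledgement and fix windows here or link the document that does. In the Responsibilities list, "will be removed by vote" names no threshold, while the nomination bullet just above requires a 2/3 majority, so say whether removal uses the same majority. Two wording fixes: "releases coordinators" in the Process Overview should read "release coordinators", and "Response team" in the Resolution Team Scope should be "Response Team" to match the rest of the page. The closing sentence of the Process Overview is hard to parse; "all members other than the Keycloak Security Response Team have their access to security-sensitive channels revoked" says the same thing more directly. The `<table border="1" cellpadding="10" cellspacing="5">` relies on presentational attributes that HTML5 marks obsolete; since the page already styles content through the `kc-article` class, move the borders and padding into the site stylesheet.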
@@ -1,31 +1,44 @@ | ||
<#import "/templates/template.ftl" as tmpl> | ||
|
||
<@tmpl.page current="security" title="Security"> | ||
<@tmpl.page current="security" title="Security Policy"> | ||
|
||
<div class="container mt-5 kc-article"> | ||
<h1>Security Policy</h1> | ||
<p><em>This policy is based on the <a href="https://www.cisa.gov/vulnerability-disclosure-policy-template">CISA vulnerability disclosure policy template</a></em></p> | ||
|
||
<h2>Introduction</h2> | ||
<p>The Keycloak team believes that everyone, everywhere, is entitled to the access and quality information needed to mitigate security and privacy risks. We strive to protect communities of users, contributors, and partners from digital security threats. We believe an <a href="https://www.redhat.com/en/blog/red-hats-open-approach-vulnerability-management">open approach to vulnerability management</a> is the best way to achieve this.</p> | ||
<p>This policy supports our open approach and is intended to give security researchers clear guidelines for submitting and coordinating discovered vulnerabilities with us. In complying with this policy, you authorize CNCF to work with you to understand and resolve the issue quickly. For more details about our processes, please read the <a href="security-charter.html">security charter</a>.</p> | ||
|
||
<h2>Guidelines</h2> | ||
<ul> | ||
<li>Research shared with any Keycloak representatives/individual will be reported to and managed by the Keycloak Security Response Team in order to be officially protected and coordinated.</li> | ||
<li>Access and visibility to research and all CVE related data will follow the principle of least privilege by all vendors involved.</li> | ||
<li>Establish and set a reasonable amount of time to resolve the issue before a vulnerability is disclosed publicly; agree and coordinate on public disclosure dates when possible.</li> | ||
<li>Public disclosure should be prioritized on the need to keep company, government, and individual data confidential and the general public safe.</li> | ||
<li>All vendors will honor disclosure/embargo requests in good faith as long as all guidelines are met.</li> | ||
<li>NDA signatures are not required.</li> | ||
<li>Vendors involved in coordinated disclosure will remain actively involved.</li> | ||
</ul> | ||
<p>Violation of these guidelines may result in the individual, or vendor, being added to a denied coordination list.</p> | ||
|
||
<h2>Scope</h2> | ||
<p>This policy applies to all Keycloak components and projects. Research disclosed to the project will be limited to Response Team members; however, we will assist in coordinating the disclosure of research with upstream open-source communities as needed and requested.</p> | ||
|
||
<h2>Reporting a Suspected Vulnerability</h2> | ||
<p>Suspected vulnerabilities should be disclosed responsibly and not made public until after analysis and a fix are available. We will acknowledge your report within 7 business days and work with you to confirm the vulnerability's existence and impact. Our goal is to maintain open dialogue during the assessment and remediation process.</p> | ||
|
||
<h3>Supported Versions</h3> | ||
<p>Depending on the severity of a vulnerability the issue may be fixed in the current <code>major.minor</code> release of Keycloak, or for lower severity vulnerabilities or hardening in the following <code>major.minor</code> release. Refer to <a href="https://www.keycloak.org/downloads">https://www.keycloak.org/downloads</a> to find the latest release.</p> | ||
<p>If you are unable to regularly upgrade Keycloak we encourage you to consider <a href="https://access.redhat.com/products/red-hat-build-of-keycloak/">Red Hat build of Keycloak</a>, which offers <a href="https://access.redhat.com/support/policy/updates/jboss_notes#p_rhbk">long term support</a> of specific versions of Keycloak.</p> | ||
|
||
<p>The Keycloak team takes security very seriously, and aim to resolve issues as quickly as possible. Building secure software is a continuous process, and can always be improved. As such we welcome reports on potential security vulnerabilities, as well as suggestions around hardening the software and our process.</p> | ||
|
||
<h2>Reporting a suspected vulnerability</h2> | ||
|
||
<p>It is important that suspected vulnerabilities are disclosed in a responsible way, and are not publicly disclosed until after they have been analysed and a fix is available.</p> | ||
|
||
<p>To report a security vulnerability in the Keycloak codebase, send an email to <a href="mailto:[email protected]">[email protected]</a>. Please test against the <b>latest version</b> of Keycloak and include the version affected in your report, provide detailed instructions on how to reproduce the issue with a <a href="https://stackoverflow.com/help/minimal-reproducible-example">minimal an reproducible example</a>, and include your contact information for acknowledgements. If you are reporting known CVEs related to third-party libraries used in Keycloak, please <a href="https://github.com/keycloak/keycloak/issues/new/choose">create a new GitHub issue</a>.</p> | ||
|
||
<p>If you would like to work with us on a fix for the security vulnerability, please include your GitHub username in the above email, and we will provide you access to a temporary private fork where we can collaborate on a fix without it being disclosed publicly.</p> | ||
|
||
<p>Do not open a public issue, send a pull request, or disclose any information about the suspected vulnerability publicly. If you discover any publicly disclosed security vulnerabilities, please notify us immediately through <a href="mailto:[email protected]">[email protected]</a>.</p> | ||
<h3>Coordinated Vulnerability Disclosure</h3> | ||
<p>To report a security vulnerability in the Keycloak codebase, send an email to <a href="mailto:[email protected]">[email protected]</a>. Please test against the <strong>latest version</strong> of Keycloak, include the affected version in your report, provide detailed instructions on how to reproduce the issue with a <a href="https://stackoverflow.com/help/minimal-reproducible-example">minimal and reproducible example</a>, and include your contact information for acknowledgements. If you are reporting known CVEs related to third-party libraries used in Keycloak, please <a href="https://github.com/keycloak/keycloak/issues/new/choose">create a new GitHub issue</a>.</p> | ||
<p>If you would like to collaborate on a fix for the security vulnerability, please include your GitHub username in the email, and we will provide you access to a temporary private fork where we can work together.</p> | ||
<p>If you discover any publicly disclosed security vulnerabilities, please notify us immediately through <a href="mailto:[email protected]">[email protected]</a>.</p> | ||
|
||
<h2>Security Scanners</h2> | ||
|
||
<p>Reports from automated security scanners will <b>not</b> be accepted. These tools often report false positives, and can be disruptive to the project maintainers as it takes a long time to analyse these reports. If you believe you have found a security vulnerability using a security scanner, it is your responsiblity to provide a clear example of the vulnerability and how it could be exploited specifically for Keycloak as outlined above.</p> | ||
|
||
<h2>Supported Versions</h2> | ||
|
||
<p>Depending on the severity of a vulnerability the issue may be fixed in the current <code>major.minor</code> release of Keycloak, or for lower severity vulnerabilities or hardening in the following <code>major.minor</code> release. Refer to <a href="https://www.keycloak.org/downloads">https://www.keycloak.org/downloads</a> to find the latest release.</p> | ||
|
||
<p>If you are unable to regularly upgrade Keycloak we encourage you to consider <a href="https://access.redhat.com/products/red-hat-build-of-keycloak">Red Hat build of Keycloak</a>, which offers <a href="https://access.redhat.com/support/policy/updates/jboss_notes#p_sso">long term support</a> of specific versions of Keycloak.</p> | ||
<p>Reports from automated security scanners will <strong>not</strong> be accepted. These tools often report false positives, and can be disruptive to the project maintainers as it takes a long time to analyze these reports. If you believe you have found a security vulnerability using a security scanner, it is your responsibility to provide a clear example of the vulnerability and how it could be exploited specifically for Keycloak as outlined above.</p> | ||
</div> | ||
|
||
</@tmpl.page> |
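Review bot: the automated-scanner paragraph moved to the end of the file lost its heading (the removed `<h2>Security Scanners</h2>`), so the new `<p>Reports from automated security scanners will <strong>not</strong> be accepted. ...</p>` now renders as the last paragraph of the "Supported Versions" subsection, where a reader looking for the scanner policy will not find it; restore a heading for it and keep it next to the reporting instructions it refers to with "as outlined above". The rewrite also drops the explicit sentence "Do not open a public issue, send a pull request, or disclose any information about the suspected vulnerability publicly"; the new "Reporting a Suspected Vulnerability" paragraph only says reports should not be made public, so keep the sentence that names issues and pull requests as the channels not to use. In the Introduction, "you authorize CNCF to work with you" is the only mention of CNCF on a page that otherwise speaks of the Keycloak team and the Keycloak Security Response Team; confirm the party named there is the one intended and consistent with the charter. Heading levels: "Supported Versions" is now an `<h3>` under "Reporting a Suspected Vulnerability" although it is about release policy rather than reporting; keeping it an `<h2>` as before reads better. Finally, "Public disclosure should be prioritized on the need to keep company, government, and individual data confidential" should read "prioritized based on the need", and "Establish and set a reasonable amount of time to resolve the issue" is the one guideline written as an imperative while the others are statements; reword it to match, for example "A reasonable amount of time is agreed to resolve the issue before a vulnerability is disclosed publicly".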