|
| 1 | +# Security Policy |
| 2 | + |
| 3 | +pk-auth is an authentication library, so security reports are taken seriously |
| 4 | +and handled with priority. Thank you for helping keep it and its users safe. |
| 5 | + |
| 6 | +## Supported versions |
| 7 | + |
| 8 | +Fixes land on the latest published `1.x` line. Maven Central and npm releases |
| 9 | +are immutable, so a security fix ships as a new patch (or minor) release rather |
| 10 | +than a re-publish of an affected version — upgrade to the latest release to pick |
| 11 | +it up. |
| 12 | + |
| 13 | +| Version | Supported | |
| 14 | +| ------------------ | ------------------ | |
| 15 | +| Latest `1.x` release | :white_check_mark: | |
| 16 | +| Older `1.x` releases | Fix only via the next release | |
| 17 | +| `0.x` (pre-stable) | :x: | |
| 18 | + |
| 19 | +The browser SDK (`@pk-auth/passkeys-browser`) shares the same version line as |
| 20 | +the JVM artifacts and follows the same support window. |
| 21 | + |
| 22 | +## Reporting a vulnerability |
| 23 | + |
| 24 | +**Please do not open a public issue, pull request, or discussion for a |
| 25 | +suspected vulnerability.** Public disclosure before a fix is available puts |
| 26 | +downstream users at risk. |
| 27 | + |
| 28 | +Use one of these private channels instead: |
| 29 | + |
| 30 | +1. **GitHub private vulnerability reporting (preferred).** On the repository, |
| 31 | + go to the **Security** tab → **Report a vulnerability**, or open |
| 32 | + <https://github.com/codeheadsystems/pk-auth/security/advisories/new>. This |
| 33 | + creates a private advisory thread visible only to you and the maintainers. |
| 34 | +2. **Email.** Send details to **ned.wolpert@gmail.com** with `pk-auth security` |
| 35 | + in the subject line. |
| 36 | + |
| 37 | +Please include, as far as you can: |
| 38 | + |
| 39 | +- The affected module(s) and version (e.g. `pk-auth-core 1.3.0`). |
| 40 | +- A description of the issue and its impact (what an attacker can do). |
| 41 | +- Steps to reproduce — a minimal proof of concept, failing test, or request |
| 42 | + sequence is ideal. |
| 43 | +- Any relevant configuration (adapter, persistence backend, SPI implementations). |
| 44 | + |
| 45 | +## What to expect |
| 46 | + |
| 47 | +- **Acknowledgement** within **3 business days**. |
| 48 | +- An initial assessment (severity, affected versions, whether it reproduces) |
| 49 | + within **10 business days**. |
| 50 | +- We aim to ship a fix within **90 days** of triage and will keep you updated on |
| 51 | + progress. Complex issues may take longer; we will say so. |
| 52 | +- We follow **coordinated disclosure**: we ask that you keep the report private |
| 53 | + until a fix is released and a GitHub Security Advisory is published. We are |
| 54 | + happy to credit you in the advisory unless you prefer to remain anonymous. |
| 55 | + |
| 56 | +## Scope |
| 57 | + |
| 58 | +This policy covers the pk-auth library, its three host adapters |
| 59 | +(`pk-auth-spring-boot-starter`, `pk-auth-dropwizard`, `pk-auth-micronaut`), the |
| 60 | +wire contract, and the browser SDK in this repository. |
| 61 | + |
| 62 | +It does **not** cover the responsibilities a host application retains — TLS, |
| 63 | +network ingress, secrets management, and the authorization layer above |
| 64 | +authentication. See [`docs/threat-model.md`](docs/threat-model.md) for the |
| 65 | +trust boundaries and STRIDE analysis, and [`docs/stability.md`](docs/stability.md) |
| 66 | +for the SPI versioning and stability guarantees. |
| 67 | + |
| 68 | +> **Maturity note.** As stated in the repository README, this project's code is |
| 69 | +> AI-generated and has not undergone a formal third-party security review unless |
| 70 | +> a note in the repository says otherwise. Evaluate it accordingly before |
| 71 | +> production use. |
0 commit comments