docs: update security policies (#5452)

* docs(legal): vulnerability disclosure policy * update security.md * exception * add link to sidebar * Apply suggestions from code review Co-authored-by: Florian Forster <florian@zitadel.com> * use main for release channel * review * fallback emails * typos, wording --------- Co-authored-by: Florian Forster <florian@zitadel.com>
2025-01-05 14:37:45 +00:00 · 2023-03-16 09:52:12 +02:00 · 2023-03-16 09:52:12 +02:00 · 52dc8431ab
commit 52dc8431ab
parent f0e0191c7b
3 changed files with 137 additions and 22 deletions
--- a/SECURITY.md
+++ b/SECURITY.md
@ -1,41 +1,59 @@
 # Security Policy

-At ZITADEL we are extremely grateful for security aware people who disclose vulnerabilities to us and the open source community. All reports will be investigated by our team.
+## Introduction

-## Supported Versions
+At ZITADEL we are extremely grateful for security aware people who disclose vulnerabilities to us and the open source community.
+All reports will be investigated by our team and we will work with you closely to validate and fix vulnerabilities reported to us.

-| Version | Supported          |
-| ------- | ------------------ |
-| 2.x.x   | :white_check_mark: |
-| 1.x.x   | :white_check_mark: |
-| 0.x.x   | :x:                |
+We require that you keep vulnerabilities confidential until we are able to address them, since public disclosure of security vulnerabilities could put the ZITADEL community at risk.
+
+## Scope
+
+The scope of this policy applies to all security issues that concern our Product in form of Software in our [open source repositories](https://github.com/zitadel).
+
+Out of scope are all websites and services operated by ZITADEL (CAOS Ltd.).
+Please refer to the separate [vulnerability disclosure policy](https://zitadel.com/docs/legal/vulnerability-disclosure-policy).
+
+### Supported Versions
+
+Supported are releases that are newer and not older than 6 months from our stable release
+https://github.com/zitadel/zitadel/blob/main/release-channels.yaml#L1

 ## Reporting a vulnerability

-To file an incident, please disclose it by e-mail to security@zitadel.com including the  details of the vulnerability.
+To file an incident, please disclose it by e-mail to [security@zitadel.com](mailto:security@zitadel.com) including the following details of the vulnerability:
+
+- Target: ZITADEL, Website (zitadel.com), ZITADEL Cloud (zitadel.cloud), Other (please describe)
+- Type: For example DoS, authentication bypass, information disclosure, broken authorization, ...
+- Description: Provide a detailed explanation of the issue, steps to reproduce, and assumptions you have made
+- URL / Location (optional): The URL of the vulnerability
+- Contact details (optional): In case we should contact you on a different channel

 At the moment GPG encryption is no yet supported, however you may sign your message at will.

-### When should I report a vulnerability
+Your email will be acknowledged within 48 hours.
+We will follow-up within the next 3 business days indicating next steps in handling your report.

-* You think you discovered a
-  * potential security vulnerability in `ZITADEL`
-  * vulnerability in another project that `ZITADEL` is based on
-* For projects with their own vulnerability reporting and disclosure process, please report it directly there
+If you haven't received a response within 48 hours, or you didn't get a reply from our security team within the last 5 days, please contact [support@zitadel.com](mailto:support@zitadel.com).
+
+Please inform us in your report whether we should mention your contribution.
+We will not publish this information by default to protect your privacy.

 ### When should I NOT report a vulnerability

-* You need help applying security related updates
-* Your issue is not security related
+- Disclosure of known public files or directories, e.g. robots.txt, files under .well-known, or files that are included in our public repositories (eg, go.mod)
+- DoS of users when [Lockout Policy is enabled](https://zitadel.com/docs/guides/manage/console/instance-settings#lockout)
+- You need help applying security related settings

-## Security Vulnerability Response
+## Disclosure Process

-TBD
+Our security team will follow the disclosure process: 

-## Public Disclosure
-
-All accepted and mitigated vulnerabilities will be published on [ZITADEL's GitHub Security Page](https://github.com/zitadel/zitadel/security/advisories).
-
-### Timing
+1. We will acknowledge the receipt of your vulnerability report
+2. Our security team will try to verify, reproduce, and determine the impact of your report
+3. A member of our team will respond to either confirm or reject your report, including an explanation
+4. Code will be audited to assess if the report uncovers similar issues
+5. Fixes are prepared for the latest release
+6. On the date that the fixes are applied, we will create a CVE and publish a [security advisory](https://github.com/zitadel/zitadel/security/advisories). Affected users of our Product, Services, or Website will be informed of the fix and required actions.

 We think it is crucial to publish advisories `ASAP` as mitigations are ready. But due to the unknown nature of the disclosures the time frame can range from 7 to 90 days.
--- a/docs/docs/legal/vulnerability-disclosure-policy.mdx
+++ b/docs/docs/legal/vulnerability-disclosure-policy.mdx
@ -0,0 +1,96 @@
+---
+title: Vulnerability Disclosure Policy
+custom_edit_url: null
+--- 
+
+## Introduction
+
+At ZITADEL we are extremely grateful for security aware people who disclose vulnerabilities to us and the open source community.
+All reports will be investigated by our team and we will work with you closely to validate and fix vulnerabilities reported to us.
+
+We require that you keep vulnerabilities confidential until we are able to address them, since public disclosure of security vulnerabilities could put the ZITADEL community at risk.
+
+ZITADEL (CAOS Ltd.) will not take legal action against you or terminate your access to our services, conditional that you report vulnerabilities in accordance to this policy.
+
+## Scope
+
+The scope of this policy applies to all Websites and Services operated by ZITADEL.
+
+All security issues that concern our Product in form of Software in our [open source repositories](https://github.com/zitadel), should be reported according to [Security Policy](https://github.com/zitadel/zitadel/blob/main/SECURITY.md).
+
+When in doubt about the scope of your vulnerability, please follow the process outlined in this policy.
+
+## Discovering a vulnerability
+
+Responsible security research on our Websites, Products, and Services is encouraged and we allow you to conduct testing on our services to which you have authorized access.
+
+You must not do research or testing that involves
+
+- Any activity that violates applicable law
+- Modify or destroy any data that does not belong to you
+- Accessing or attempt to access data that does not belong to you
+- Executing denial of service attacks
+- Executing load testing
+
+Exceptions may be granted after your initial report by a member of our security team.
+
+## Reporting a vulnerability
+
+To file an incident, please disclose it by e-mail to [security@zitadel.com](mailto:security@zitadel.com) including the following details of the vulnerability:
+
+- Target: ZITADEL, Website (zitadel.com), ZITADEL Cloud (zitadel.cloud), Other (please describe)
+- Type: For example DoS, authentication bypass, information disclosure, broken authorization, ...
+- Description: Provide a detailed explanation of the issue, steps to reproduce, and assumptions you have made
+- URL / Location (optional): The URL of the vulnerability
+- Contact details (optional): In case we should contact you on a different channel
+
+At the moment GPG encryption is no yet supported, however you may sign your message at will.
+
+Your email will be acknowledged within 48 hours.
+We will follow-up within the next 3 business days indicating next steps in handling your report.
+
+If you haven't received a response within 48 hours, or you didn't get a reply from our security team within the last 5 days, please contact [support@zitadel.com](mailto:support@zitadel.com).
+
+Please inform us in your report whether we should mention your contribution.
+We will not publish this information by default to protect your privacy.
+
+### What not to report
+
+- Disclosure of known public files or directories, e.g. robots.txt, files under .well-known, or files that are included in our public repositories (eg, go.mod)
+- DoS of users when [Lockout Policy is enabled](https://zitadel.com/docs/guides/manage/console/instance-settings#lockout)
+- Suggestions on Certificate Authority Authorization (CAA) rules
+- Suggestions on DMARC/DKIM/SPF settings
+- Suggestions on DNSSEC settings
+- Phishing or Social Engineering Attacks
+- Lack of security flags on non-sensitive cookies
+
+## Disclosure Process
+
+Our security team will follow the disclosure process:
+
+1. We will acknowledge the receipt of your vulnerability report
+2. Our security team will try to verify, reproduce, and determine the impact of your report
+3. A member of our team will respond to either confirm or reject your report, including an explanation
+4. Code will be audited to assess if the report uncovers similar issues
+5. Fixes are prepared for the latest release
+6. On the date that the fixes are applied, we will create a CVE and publish a [security advisory](https://github.com/zitadel/zitadel/security/advisories). Affected users of our Product, Services, or Website will be informed of the fix and required actions.
+
+We think it is crucial to publish advisories `ASAP` as mitigations are ready. But due to the unknown nature of the disclosures the time frame can range from 7 to 90 days.
+
+## Bug Bounty / Compensation
+
+At this moment, we do not pay out monetary compensation for reporting security vulnerabilities.
+
+Please inform us in your report whether we should mention your contribution.
+We will not publish this information by default to protect your privacy.
+
+In case we have confirmed your report, we may compensate you, given prior written approval by ZITADEL, for costs
+
+- incurred during research for using our paid services
+- on time & material spend on analysis after confirming your report
+
+## Entry into force
+
+This privacy policy is valid from March 16, 2023.
+
+Last revised March 16, 2023
--- a/docs/sidebars.js
+++ b/docs/sidebars.js
@ -451,6 +451,7 @@ module.exports = {
        "legal/privacy-policy",
        "legal/acceptable-use-policy",
        "legal/rate-limit-policy",
+        "legal/vulnerability-disclosure-policy",
      ],
    },
  ],