docs: update security policies (#5452)

* docs(legal): vulnerability disclosure policy * update security.md * exception * add link to sidebar * Apply suggestions from code review Co-authored-by: Florian Forster <florian@zitadel.com> * use main for release channel * review * fallback emails * typos, wording --------- Co-authored-by: Florian Forster <florian@zitadel.com>
2025-01-07 07:17:39 +00:00 · 2023-03-16 09:52:12 +02:00 · 2023-03-16 09:52:12 +02:00 · 52dc8431ab
commit 52dc8431ab
parent f0e0191c7b
3 changed files with 137 additions and 22 deletions
--- a/SECURITY.md
+++ b/SECURITY.md
@ -1,41 +1,59 @@
 # Security Policy
-At ZITADEL we are extremely grateful for security aware people who disclose vulnerabilities to us and the open source community. All reports will be investigated by our team.
+## Introduction
-## Supported Versions
+At ZITADEL we are extremely grateful for security aware people who disclose vulnerabilities to us and the open source community.
 All reports will be investigated by our team and we will work with you closely to validate and fix vulnerabilities reported to us.
-| Version | Supported          |
+We require that you keep vulnerabilities confidential until we are able to address them, since public disclosure of security vulnerabilities could put the ZITADEL community at risk.
-| ------- | ------------------ |
+
-| 2.x.x   | :white_check_mark: |
+## Scope
-| 1.x.x   | :white_check_mark: |
+
-| 0.x.x   | :x:                |
+The scope of this policy applies to all security issues that concern our Product in form of Software in our [open source repositories](https://github.com/zitadel).
 Out of scope are all websites and services operated by ZITADEL (CAOS Ltd.).
 Please refer to the separate [vulnerability disclosure policy](https://zitadel.com/docs/legal/vulnerability-disclosure-policy).
 ### Supported Versions
 Supported are releases that are newer and not older than 6 months from our stable release
 https://github.com/zitadel/zitadel/blob/main/release-channels.yaml#L1
 ## Reporting a vulnerability
-To file an incident, please disclose it by e-mail to security@zitadel.com including the  details of the vulnerability.
+To file an incident, please disclose it by e-mail to [security@zitadel.com](mailto:security@zitadel.com) including the following details of the vulnerability:
 - Target: ZITADEL, Website (zitadel.com), ZITADEL Cloud (zitadel.cloud), Other (please describe)
 - Type: For example DoS, authentication bypass, information disclosure, broken authorization, ...
 - Description: Provide a detailed explanation of the issue, steps to reproduce, and assumptions you have made
 - URL / Location (optional): The URL of the vulnerability
 - Contact details (optional): In case we should contact you on a different channel
 At the moment GPG encryption is no yet supported, however you may sign your message at will.
-### When should I report a vulnerability
+Your email will be acknowledged within 48 hours.
 We will follow-up within the next 3 business days indicating next steps in handling your report.
-* You think you discovered a
+If you haven't received a response within 48 hours, or you didn't get a reply from our security team within the last 5 days, please contact [support@zitadel.com](mailto:support@zitadel.com).
-  * potential security vulnerability in `ZITADEL`
+
-  * vulnerability in another project that `ZITADEL` is based on
+Please inform us in your report whether we should mention your contribution.
-* For projects with their own vulnerability reporting and disclosure process, please report it directly there
+We will not publish this information by default to protect your privacy.
 ### When should I NOT report a vulnerability
-* You need help applying security related updates
+- Disclosure of known public files or directories, e.g. robots.txt, files under .well-known, or files that are included in our public repositories (eg, go.mod)
-* Your issue is not security related
+- DoS of users when [Lockout Policy is enabled](https://zitadel.com/docs/guides/manage/console/instance-settings#lockout)
 - You need help applying security related settings
-## Security Vulnerability Response
+## Disclosure Process
-TBD
+Our security team will follow the disclosure process: 
-## Public Disclosure
+1. We will acknowledge the receipt of your vulnerability report
-
+2. Our security team will try to verify, reproduce, and determine the impact of your report
-All accepted and mitigated vulnerabilities will be published on [ZITADEL's GitHub Security Page](https://github.com/zitadel/zitadel/security/advisories).
+3. A member of our team will respond to either confirm or reject your report, including an explanation
-
+4. Code will be audited to assess if the report uncovers similar issues
-### Timing
+5. Fixes are prepared for the latest release
 6. On the date that the fixes are applied, we will create a CVE and publish a [security advisory](https://github.com/zitadel/zitadel/security/advisories). Affected users of our Product, Services, or Website will be informed of the fix and required actions.
 We think it is crucial to publish advisories `ASAP` as mitigations are ready. But due to the unknown nature of the disclosures the time frame can range from 7 to 90 days.
--- a/docs/docs/legal/vulnerability-disclosure-policy.mdx
+++ b/docs/docs/legal/vulnerability-disclosure-policy.mdx
@ -0,0 +1,96 @@
 ---
 title: Vulnerability Disclosure Policy
 custom_edit_url: null
 --- 
 ## Introduction
 At ZITADEL we are extremely grateful for security aware people who disclose vulnerabilities to us and the open source community.
 All reports will be investigated by our team and we will work with you closely to validate and fix vulnerabilities reported to us.
 We require that you keep vulnerabilities confidential until we are able to address them, since public disclosure of security vulnerabilities could put the ZITADEL community at risk.
 ZITADEL (CAOS Ltd.) will not take legal action against you or terminate your access to our services, conditional that you report vulnerabilities in accordance to this policy.
 ## Scope
 The scope of this policy applies to all Websites and Services operated by ZITADEL.
 All security issues that concern our Product in form of Software in our [open source repositories](https://github.com/zitadel), should be reported according to [Security Policy](https://github.com/zitadel/zitadel/blob/main/SECURITY.md).
 When in doubt about the scope of your vulnerability, please follow the process outlined in this policy.
 ## Discovering a vulnerability
 Responsible security research on our Websites, Products, and Services is encouraged and we allow you to conduct testing on our services to which you have authorized access.
 You must not do research or testing that involves
 - Any activity that violates applicable law
 - Modify or destroy any data that does not belong to you
 - Accessing or attempt to access data that does not belong to you
 - Executing denial of service attacks
 - Executing load testing
 Exceptions may be granted after your initial report by a member of our security team.
 ## Reporting a vulnerability
 To file an incident, please disclose it by e-mail to [security@zitadel.com](mailto:security@zitadel.com) including the following details of the vulnerability:
 - Target: ZITADEL, Website (zitadel.com), ZITADEL Cloud (zitadel.cloud), Other (please describe)
 - Type: For example DoS, authentication bypass, information disclosure, broken authorization, ...
 - Description: Provide a detailed explanation of the issue, steps to reproduce, and assumptions you have made
 - URL / Location (optional): The URL of the vulnerability
 - Contact details (optional): In case we should contact you on a different channel
 At the moment GPG encryption is no yet supported, however you may sign your message at will.
 Your email will be acknowledged within 48 hours.
 We will follow-up within the next 3 business days indicating next steps in handling your report.
 If you haven't received a response within 48 hours, or you didn't get a reply from our security team within the last 5 days, please contact [support@zitadel.com](mailto:support@zitadel.com).
 Please inform us in your report whether we should mention your contribution.
 We will not publish this information by default to protect your privacy.
 ### What not to report
 - Disclosure of known public files or directories, e.g. robots.txt, files under .well-known, or files that are included in our public repositories (eg, go.mod)
 - DoS of users when [Lockout Policy is enabled](https://zitadel.com/docs/guides/manage/console/instance-settings#lockout)
 - Suggestions on Certificate Authority Authorization (CAA) rules
 - Suggestions on DMARC/DKIM/SPF settings
 - Suggestions on DNSSEC settings
 - Phishing or Social Engineering Attacks
 - Lack of security flags on non-sensitive cookies
 ## Disclosure Process
 Our security team will follow the disclosure process:
 1. We will acknowledge the receipt of your vulnerability report
 2. Our security team will try to verify, reproduce, and determine the impact of your report
 3. A member of our team will respond to either confirm or reject your report, including an explanation
 4. Code will be audited to assess if the report uncovers similar issues
 5. Fixes are prepared for the latest release
 6. On the date that the fixes are applied, we will create a CVE and publish a [security advisory](https://github.com/zitadel/zitadel/security/advisories). Affected users of our Product, Services, or Website will be informed of the fix and required actions.
 We think it is crucial to publish advisories `ASAP` as mitigations are ready. But due to the unknown nature of the disclosures the time frame can range from 7 to 90 days.
 ## Bug Bounty / Compensation
 At this moment, we do not pay out monetary compensation for reporting security vulnerabilities.
 Please inform us in your report whether we should mention your contribution.
 We will not publish this information by default to protect your privacy.
 In case we have confirmed your report, we may compensate you, given prior written approval by ZITADEL, for costs
 - incurred during research for using our paid services
 - on time & material spend on analysis after confirming your report
 ## Entry into force
 This privacy policy is valid from March 16, 2023.
 Last revised March 16, 2023
--- a/docs/sidebars.js
+++ b/docs/sidebars.js
@ -451,6 +451,7 @@ module.exports = {
        "legal/privacy-policy",
        "legal/acceptable-use-policy",
        "legal/rate-limit-policy",
        "legal/vulnerability-disclosure-policy",
      ],
    },
  ],