# Security Policy At CAOS we are extremely grateful for security aware people who disclose vulnerabilities to us and the open source community. All reports will be investigated by our team. ## Supported Versions | Version | Supported | | ------- | ------------------ | | 1.x.x | :white_check_mark: | | 0.x.x | :x: | ## Reporting a vulnerability To file an incident, please disclose it by e-mail to security@zitadel.ch including the details of the vulnerability. At the moment GPG encryption is no yet supported, however you may sign your message at will. ### When should I report a vulnerability * You think you discovered a * potential security vulnerability in `ZITADEL` * vulnerability in another project that `ZITADEL` is based on * For projects with their own vulnerability reporting and disclosure process, please report it directly there ### When should I NOT report a vulnerability * You need help applying security related updates * Your issue is not security related ## Security Vulnerability Response TBD ## Public Disclosure All accepted and mitigated vulnerabilities will be published on [ZITADEL's GitHub Security Page](https://github.com/zitadel/zitadel/security/advisories). ### Timing We think it is crucial to publish advisories `ASAP` as mitigations are ready. But due to the unknown nature of the discloures the time frame can range from 7 to 90 days.