Certainly! Below is a SECURITY.md file similar to what is typically used by SPIFFE/SPIRE, outlining the security practices and reporting guidelines for your project.
If you discover a security vulnerability in the spire-conjur-jwtauth project, we encourage you to report it responsibly. Please do not disclose the vulnerability publicly until it has been resolved. Here’s how you can report it:
- Email: Please send an email to [[email protected]] with detailed information regarding the vulnerability.
- Include the following details:
- A description of the issue and its potential impact.
- Steps to reproduce the vulnerability.
- Any proof of concept (POC) that demonstrates the issue.
- Include the following details:
- Response Time: We aim to acknowledge and respond to all vulnerability reports within 48 hours, and we will work to provide a resolution timeline as soon as possible.
- PGP Key: If possible, use a PGP key to encrypt your email. You can find the PGP public key for secure communication at PGP Key.
Security updates will be provided for the following versions of the spire-conjur-jwtauth plugin:
| Version | Supported |
|---|---|
| 1.x | ✅ |
| < 1.0 | ❌ |
Only the latest stable version will receive security updates. Please make sure you are using the latest version to keep your deployment secure.
To ensure that your use of spire-conjur-jwtauth is secure, consider the following best practices:
- Update Regularly: Always use the latest stable version of this plugin to receive the latest security patches and fixes.
- Limit Access: Restrict access to SPIRE plugins to trusted administrators only.
- Monitoring: Monitor logs for any unusual activity to identify possible exploitation attempts.
- This plugin relies on SPIRE for workload attestation and identity management. Ensure your SPIRE Server and Agent are configured according to best security practices.
- The plugin does not store any sensitive data locally. However, ensure that the environment where the plugin runs is secure to prevent any unauthorized access.
To protect the community, the spire-conjur-jwtauth project follows a responsible disclosure process:
- Initial Notification: When a vulnerability is reported, we will validate and confirm it.
- Internal Fix: Once validated, we will work on a fix internally. During this time, details of the vulnerability will be kept private.
- Patch Release: A patched release will be made as soon as possible.
- Public Disclosure: Once the patch is available, details of the vulnerability will be disclosed publicly, along with recommendations for mitigating the issue.
If you have any questions about our security policy or procedures, feel free to contact us at [[email protected]].
We value the work of security researchers and appreciate your help in responsibly reporting vulnerabilities. If you choose to report a vulnerability, we request that you:
- Allow us time to mitigate the issue before publicly disclosing the details.
- Avoid exploiting the vulnerability beyond the scope required to validate its existence.
We are committed to acknowledging contributions from researchers in a timely manner and giving credit where it is due.