Skip to content
Merged
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
40 changes: 26 additions & 14 deletions SECURITY.md
Original file line number Diff line number Diff line change
Expand Up @@ -2,28 +2,40 @@

## Supported Versions

Kratos is in early development. Security fixes are currently applied to the
latest code on `main` and the most recent published release once releases
exist.

| Version | Supported |
| --- | --- |
| `main` | Yes |
| Latest release | Yes |
| Older releases | No |
Kratos security support starts with the v1.0 release line. Security fixes are
prepared on the default development branch, `master`, and released through the
supported release lines below.

| Version or branch | Supported | Policy |
| --- | --- | --- |
| `master` | Yes | Default development branch for unreleased security fixes. |
| Latest release | Yes | Newest published stable release. |
| Current major | Yes | Supported release line sharing the latest stable major version, such as `1.x` for v1.0. |
| Older releases | No | Earlier major versions and pre-v1.0 releases are unsupported unless maintainers announce an exception. |

Definitions:

- Latest release means the newest stable GitHub release or tag published from
`master`.
- Current major means the active stable major release line that contains the
latest release. For v1.0, this is the `1.x` line.
- Older releases means pre-v1.0 releases and any major release line older than
the current major. Upgrade to the latest supported release before requesting
a security fix.

## Reporting a Vulnerability

Please do not report security vulnerabilities in public GitHub issues,
discussions, or pull requests.

If GitHub Private Vulnerability Reporting is enabled for this repository, use
that channel first.
that channel first. It is the preferred way to share vulnerability details with
the maintainers.

If private reporting is not available yet, open a minimal public issue that
does **not** include exploit details and request a private contact channel from
the maintainers. Keep proof-of-concept code, payloads, and reproduction steps
private until a secure channel is established.
If Private Vulnerability Reporting is not available, open a minimal public
issue that does **not** include exploit details and request a private contact
channel from the maintainers. Keep proof-of-concept code, payloads, and
reproduction steps private until a secure channel is established.

When reporting a vulnerability, please include:

Expand Down
Loading