-
Notifications
You must be signed in to change notification settings - Fork 23
Expand file tree
/
Copy pathsecurity.html
More file actions
173 lines (153 loc) · 14.8 KB
/
Copy pathsecurity.html
File metadata and controls
173 lines (153 loc) · 14.8 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
<!doctype html>
<html lang="en" prefix="og: https://ogp.me/ns#">
<head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-0J2P9316N6"></script>
<script>
window.dataLayer = window.dataLayer || [];
function gtag(){dataLayer.push(arguments);}
gtag('js', new Date());
gtag('config', 'G-0J2P9316N6');
</script>
<meta charset="utf-8"/>
<title>Security Policy - Keycloak</title>
<meta name="twitter:card" content="summary_large">
<meta name="twitter:site" content="@keycloak">
<meta property="og:site_name" content="Keycloak">
<meta property="og:title" content="Security Policy">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta name="description" property="og:description" content="Learn how to report suspected vulnerabilities or other security related information to the Keycloak team.">
<meta name="author" content="Keycloak Team">
<meta name="keywords" content="sso,idm,openid connect,saml,kerberos,ldap">
<link href="https://www.keycloak.org/resources/bootstrap/dist/css/bootstrap.min.css" rel="stylesheet">
<link href="https://www.keycloak.org/resources/@fortawesome/fontawesome-free/css/all.min.css" rel="stylesheet">
<link href="https://www.keycloak.org/resources/css/keycloak.css" rel="stylesheet">
<link rel="canonical" href="https://www.keycloak.org/security">
<meta property="og:url" content="https://www.keycloak.org/security">
<link rel="icon" type="image/x-icon" href="https://www.keycloak.org/resources/favicon.ico">
<link rel="icon" type="image/vnd.microsoft.icon" href="https://www.keycloak.org/resources/favicon.ico">
<link rel="icon" type="image/svg+xml" href="https://www.keycloak.org/resources/favicon.svg"></head>
<body>
<div class="bg-primary text-center py-2 px-3" data-nosnippet>
<a class="link-light text-decoration-none small" href="https://events.linuxfoundation.org/kubecon-cloudnativecon-japan/co-located-events/keycloakcon/">
Join us at KeycloakCon Japan 2026, colocated with KubeCon Japan 2026 · July 28 · <span class="fw-semibold text-decoration-underline">Register Today →</span>
</a>
</div>
<header class="navbar navbar-expand-md bg-light shadow-sm">
<nav class="container-xxl flex-wrap flex-md-no-wrap navbar-light" data-nosnippet>
<a class="navbar-brand me-3 me-md-4 me-lg-5" href="https://www.keycloak.org/">
<img style="aspect-ratio: 730/151" class="img-fluid" src="https://www.keycloak.org/resources/images/logo.svg" width="240" alt="Keycloak"/>
</a>
<button class="navbar-toggler" type="button" data-bs-toggle="collapse" data-bs-target="#navbarCollapse" aria-controls="navbarCollapse" aria-expanded="false" aria-label="Toggle navigation">
<span class="navbar-toggler-icon"></span>
</button>
<div class="collapse navbar-collapse" id="navbarCollapse">
<ul class="navbar-nav nav-underline mx-auto flex-row flex-wrap bd-navbar-nav pt-2 py-md-0 gap-md-3">
<li class="nav-item col-6 col-md-auto">
<a class="nav-link " href="https://www.keycloak.org/guides">Guides</a>
</li>
<li class="nav-item col-6 col-md-auto">
<a class="nav-link " href="https://www.keycloak.org/documentation">Docs</a>
</li>
<li class="nav-item col-6 col-md-auto">
<a class="nav-link " href="https://www.keycloak.org/downloads">Downloads</a>
</li>
<li class="nav-item col-6 col-md-auto">
<a class="nav-link " href="https://www.keycloak.org/community">Community</a>
</li>
<li class="nav-item col-6 col-md-auto">
<a class="nav-link " href="https://www.keycloak.org/blog">Blog</a>
</li>
</ul>
<a class="d-none d-lg-block" href="https://github.com/keycloak/keycloak"><img src="https://www.keycloak.org/resources/images/stars-large.svg" style="height: 25px; aspect-ratio: 124/20" alt="GitHub stars"/></a>
</div>
<div class="d-block d-sm-none d-md-block d-lg-none text-center vw-100">
<a class="nav-link d-inline p-0" href="https://github.com/keycloak/keycloak"><img src="https://www.keycloak.org/resources/images/stars-large.svg" style="height: 25px; aspect-ratio: 124/20" alt="GitHub stars"/></a>
</div>
</nav>
</header>
<div class="container mt-5 kc-article">
<h1>Security Policy</h1>
<p><em>This policy is based on the <a href="https://www.cisa.gov/vulnerability-disclosure-policy-template">CISA vulnerability disclosure policy template</a></em></p>
<h2>Introduction</h2>
<p>The Keycloak team believes that everyone, everywhere, is entitled to access to the quality information needed to mitigate security and privacy risks. We strive to protect communities of users, contributors, and partners from digital security threats. We believe an <a href="https://www.redhat.com/en/blog/red-hats-open-approach-vulnerability-management">open approach to vulnerability management</a> is the best way to achieve this.</p>
<p>This policy supports our open approach and is intended to give security researchers clear guidelines for submitting and coordinating discovered vulnerabilities with us. In complying with this policy, you authorize CNCF to work with you to understand and resolve the issue quickly. For more details about our processes, please read the <a href="security-charter.html">security charter</a>.</p>
<h2>Guidelines</h2>
<ul>
<li>Research shared with any Keycloak representatives/individual will be reported to and managed by the Keycloak Security Response Team in order to be officially protected and coordinated.</li>
<li>Access and visibility to research and all CVE related data will follow the principle of least privilege by all vendors involved.</li>
<li>All parties involved must establish a reasonable amount of time to resolve the issue before a vulnerability is disclosed publicly and, when possible, agree on and coordinate public disclosure dates.</li>
<li>Public disclosure should be prioritized on the need to keep company, government, and individual data confidential and the general public safe.</li>
<li>All vendors will honor disclosure/embargo requests in good faith as long as all guidelines are met.</li>
<li>NDA signatures are not required.</li>
<li>Vendors involved in coordinated disclosure will remain actively involved.</li>
</ul>
<p>Violation of these guidelines may result in the individual, or vendor, being added to a denied coordination list.</p>
<h2>AI-Assisted Reports</h2>
<p>We recognize AI as a valuable tool for security research and welcome reports where AI was used to help identify vulnerabilities. However, AI-assisted reports must meet the following requirements:</p>
<ul>
<li><strong>Validate before submitting.</strong> You are responsible for verifying that the vulnerability is real and reproducible. Unvalidated AI output submitted as-is will be rejected.</li>
<li><strong>Disclose AI usage.</strong> Clearly state in your report that AI tools were used in the discovery or writing of the report.</li>
<li><strong>Understand your findings.</strong> You must be able to explain the vulnerability, its impact, and the reproduction steps in your own words. If we follow up with questions, we expect informed answers — not further AI-generated responses pasted without review.</li>
<li><strong>One finding per report.</strong> Do not submit bulk or batch reports containing multiple unrelated findings. Each vulnerability must be reported individually as outlined in the reporting steps below.</li>
</ul>
<p>Reports that are clearly unreviewed AI output — such as those containing generic descriptions, hallucinated endpoints, or findings that do not apply to Keycloak — will be rejected without further analysis.</p>
<h2>Scope</h2>
<p>This policy applies to all Keycloak components and projects. Research disclosed to the project will be limited to Response Team members; however, we will assist in coordinating the disclosure of research with upstream open-source communities as needed and requested.</p>
<h2>Reporting a Suspected Vulnerability</h2>
<p>Suspected vulnerabilities should be disclosed responsibly and not made public until after analysis and a fix are available. We will acknowledge your report within 7 business days and work with you to confirm the vulnerability's existence and impact. Our goal is to maintain open dialogue during the assessment and remediation process.</p>
<h3>Supported Versions</h3>
<p>Depending on the severity of a vulnerability, the issue may be fixed in the current <code>major.minor</code> release of Keycloak, or for lower severity vulnerabilities or hardening in the following <code>major.minor</code> release. Refer to <a href="https://www.keycloak.org/downloads">https://www.keycloak.org/downloads</a> to find the latest release.</p>
<p>If you are unable to regularly upgrade Keycloak, we encourage you to consider <a href="https://access.redhat.com/products/red-hat-build-of-keycloak/">Red Hat build of Keycloak</a>, which offers <a href="https://access.redhat.com/support/policy/updates/red_hat_build_of_keycloak_notes">long term support</a> of specific versions of Keycloak.</p>
<h3>Experimental Features</h3>
<p>While we welcome bug reports against features that are not released yet, the security team usually does not issue CVEs for experimental features. The preview state marks that the feature is mature enough to start normal security handling.</p>
<p>Instead, those issues will be managed as regular bugs publicly. If in doubt, report your finding via email to the security team first to clarify if it is related to an experimental feature. </p>
<h3>Coordinated Vulnerability Disclosure</h3>
<p>If you are reporting known CVEs related to third-party libraries used in Keycloak, <a href="https://github.com/keycloak/keycloak/issues/new/choose">create a new GitHub issue</a>.</p>
<p>If you discover a Keycloak security vulnerability that has been accidentally disclosed publicly, notify us immediately through <a href="mailto:keycloak-security@googlegroups.com">keycloak-security@googlegroups.com</a>.</p>
<p>If you are a <b>security researcher</b> and want to report a security vulnerability in the Keycloak codebase, follow these steps:</p>
<ol>
<li>Test against the <a href="https://www.keycloak.org/downloads">latest released version</a> of Keycloak and include the affected version in your report.</li>
<li>Provide detailed instructions on how to reproduce the issue with a <a href="https://stackoverflow.com/help/minimal-reproducible-example">minimal and reproducible example.</a></li>
<li>Show clear evidence of exploitation, preferably as pasted log output or text. Screenshots or videos may be attached if needed. We will reject reports based on static scanners or AI without a proof-of-concept.</li>
<li>Include your contact information for acknowledgements. See "Attribution Policy" below for details.</li>
<li>Submit each finding individually to allow a separate discussion thread with our triage team.</li>
<li>Submit your report as plain text in the email body. Avoid attachments; if necessary, limit them to screenshots, videos, or reproducers (e.g., scripts or configuration files). Other attachments delay our triage process and may be returned.</li>
<li>Pick a descriptive subject for the mail matching the reported finding.</li>
<li>Email your report to <a href="mailto:keycloak-security@googlegroups.com">keycloak-security@googlegroups.com</a>.</li>
</ol>
<p>If you are a <b>user of Keycloak</b> and want to report a security concern, follow these steps:</p>
<ol>
<li>Identify the Keycloak version affected. Ideally, verify with the <a href="https://www.keycloak.org/downloads">latest released version</a> of Keycloak.</li>
<li>If available, provide detailed instructions on how to reproduce the issue with a <a href="https://stackoverflow.com/help/minimal-reproducible-example">minimal and reproducible example.</a></li>
<li>If available, provide log files or screenshots.</li>
<li>Include your contact information for acknowledgements. See "Attribution Policy" below for details.</li>
<li>Submit each finding individually to allow a separate discussion thread with our triage team.</li>
<li>Submit your report as plain text in the email body. Avoid attachments; if necessary, limit them to screenshots, videos, or reproducers (e.g., scripts or configuration files). Other attachments delay our triage process and may be returned.</li>
<li>Pick a descriptive subject for the mail matching the reported finding.</li>
<li>Email your report to <a href="mailto:keycloak-security@googlegroups.com">keycloak-security@googlegroups.com</a>.</li>
</ol>
<h3>Attribution Policy</h3>
<p>We will credit reporters who informed us in private about security vulnerabilities in security advisories.</p>
<p>The attribution can contain the name, alias, company, group affiliation, and GitHub username of the reporter. We will not include email addresses or links.</p>
<h3>Bug Bounty</h3>
<p>There is currently no active bug bounty.</p>
<!--
<p>We are currently offering a bug bounty program. It is both time- and budget restricted, and can change at any time.</p>
<p>Security researchers who wish to participate in our dedicated vulnerability reward program should refer to <a href="https://yeswehack.com/programs/keycloak-bug-bounty-program">the Bug Bounty Program's platform</a> for submissions and details.</p>
-->
<h2>Security Scanners</h2>
<p>Raw output from automated security scanners will <strong>not</strong> be accepted. These tools often report false positives and processing unvalidated reports is disruptive to project maintainers. If a security scanner identifies a potential issue, it is your responsibility to triage the finding and provide a clear proof-of-concept demonstrating how it could be exploited specifically in Keycloak.</p>
</div>
<div class="container mt-5" data-nosnippet>
<footer class="py-3 my-4 border-top">
<p class="text-center text-muted">Keycloak is a Cloud Native Computing Foundation incubation project</p>
<div class="text-center">
<img style="aspect-ratio: 300/48" alt="Cloud Native Computing Foundation" src="https://www.keycloak.org/resources/images/cncf_logo.png" loading="lazy"/>
</div>
<p class="mt-4 text-center small text-muted">© Keycloak Authors 2026. © 2026 The Linux Foundation. All rights reserved. The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see our <a href="https://www.linuxfoundation.org/trademark-usage">Trademark Usage page</a>.</p>
</footer>
</div>
<script src="https://www.keycloak.org/resources/bootstrap/dist/js/bootstrap.min.js" type="text/javascript"></script>
<script src="https://www.keycloak.org/resources/tocbot/dist/tocbot.min.js" type="text/javascript"></script>
</body>
</html>