Reporting vulnerabilities

TL;DR — Use GitHub Private Vulnerability Reporting for anything you’d rather not disclose in a public issue. Acknowledgment within 48 hours, initial assessment within 5 business days, fix within 7 days for critical / 14 days for high. In-scope covers auth bypass, token forgery, DPoP-proof bypass, token-exchange privilege escalation, and the standard OWASP categories. Out-of-scope: DoS (unless < 10 requests trigger it), social engineering, upstream dependency issues, self-hosted misconfiguration.

How to report

Do not open a public GitHub issue for security vulnerabilities.

Use GitHub Private Vulnerability Reporting: github.com/authplane/authserver/security/advisories/new.

This ensures:

  • Your report stays confidential — visible only to maintainers.
  • Coordinated disclosure — we can ship a fix before public disclosure.
  • You get credit for responsible disclosure (unless you prefer anonymity).

For any of the language SDKs, the equivalent private reporting is at:

What to include

  • Description — what the vulnerability is
  • Steps to reproduce or proof-of-concept
  • Affected versions — release tags or commit SHAs
  • Impact assessment — what an attacker could do
  • Suggested mitigation (optional)

Response timeline

Stage                 SLA
Acknowledgment        within 48 hours
Initial assessment    within 5 business days
Critical fix          < 7 days
High fix              < 14 days
Public disclosure     after the fix is released and downstream users have been given a migration window

What’s in scope

  • Authentication bypass — OAuth flow, PKCE, client authentication
  • Token forgery, replay, or privilege escalation
  • Cryptographic weaknesses — signing, encryption, key management
  • Injection — SQL, template, header, log-injection
  • Sensitive data exposure — tokens, secrets, keys in logs or responses
  • DPoP proof bypass or binding issues (RFC 9449 §4.3, §7.1)
  • Token exchange authorization bypass (RFC 8693 §4.1)
  • Cross-site attacks — CSRF, XSS on consent / login pages
  • CIMD document validation flaws (draft-ietf-oauth-client-id-metadata-document)
  • Broker/upstream credential leakage

What’s out of scope

  • Denial of service — out of scope unless a single request or a handful (< 10) of requests triggers it. Rate limiting is a hardening topic, not a vulnerability.
  • Social engineering — anything that only works by tricking a user into bypassing a correctly implemented protocol flow.
  • Issues in dependencies — report upstream (to the dependency’s maintainer), then notify us so we can update the pinned version.
  • Self-hosted misconfiguration — documenting the correct configuration is preferable to filing an advisory (open a docs issue instead).
  • Missing security headers on unauthenticated endpoints — file as a hardening request.
  • Physical access attacks — an attacker with physical access to the host is outside AuthPlane’s control.

Coordinated disclosure

We follow standard coordinated disclosure practice:

  1. You report privately.
  2. We acknowledge within 48 hours.
  3. We work with you to reproduce and patch.
  4. We backport the fix to supported release lines.
  5. We publish a security advisory with credit to the reporter (unless you request anonymity).
  6. We notify high-severity subscribers via the GitHub security-alerts feed on the affected repository.

If you plan to publish research, coordinate the disclosure date with us so downstream users can upgrade first. We aim to give at least 7 days after the release before you go public.

Supported versions

Only the latest minor release receives security patches. If you’re on a version older than the current stable minor, upgrade first.

Track releases at github.com/authplane/authserver/releases.

Security-relevant design docs

For context on what the design is supposed to defend against: