Reporting vulnerabilities
TL;DR — Use GitHub Private Vulnerability Reporting for anything you’d rather not disclose in a public issue. Acknowledgment within 48 hours, initial assessment within 5 business days, fix within 7 days for critical / 14 days for high. In-scope covers auth bypass, token forgery, DPoP-proof bypass, token-exchange privilege escalation, and the standard OWASP categories. Out-of-scope: DoS (unless < 10 requests trigger it), social engineering, upstream dependency issues, self-hosted misconfiguration.
How to report
Do not open a public GitHub issue for security vulnerabilities.
Use GitHub Private Vulnerability Reporting: github.com/authplane/authserver/security/advisories/new.
This ensures:
- Your report stays confidential — visible only to maintainers.
- Coordinated disclosure — we can ship a fix before public disclosure.
- You get credit for responsible disclosure (unless you prefer anonymity).
For any of the language SDKs, the equivalent private reporting is at:
- Python: github.com/AuthPlane/python-sdk/security/advisories/new
- TypeScript: github.com/AuthPlane/ts-sdk/security/advisories/new
- Go: github.com/AuthPlane/go-sdk/security/advisories/new
What to include
- Description — what the vulnerability is
- Steps to reproduce or proof-of-concept
- Affected versions — release tags or commit SHAs
- Impact assessment — what an attacker could do
- Suggested mitigation (optional)
Response timeline
- Acknowledgment within 48 hours of receiving the report.
- Initial assessment (reproduction and severity rating) within 5 business days.
- Fix released within 7 days for critical findings, within 14 days for high-severity findings.
What’s in scope
- Authentication bypass — OAuth flow, PKCE, client authentication
- Token forgery, replay, or privilege escalation
- Cryptographic weaknesses — signing, encryption, key management
- Injection — SQL, template, header, log injection
- Sensitive data exposure — tokens, secrets, keys in logs or responses
- DPoP proof bypass or binding issues (RFC 9449 §4.3, §7.1)
- Token exchange authorization bypass (RFC 8693 §4.1)
- Cross-site attacks — CSRF, XSS on consent / login pages
- CIMD document validation flaws (draft-ietf-oauth-client-id-metadata-document)
- Broker/upstream credential leakage
What’s out of scope
- Denial of service — out of scope unless a single request, or a handful (fewer than 10), triggers it. Rate limiting is a hardening topic, not a vulnerability.
- Social engineering — anything that requires user interaction to work around a correctly implemented protocol.
- Issues in dependencies — report upstream (to the dependency’s maintainer). Notify us so we can update.
- Self-hosted misconfiguration — documenting the correct config is preferable to filing an advisory (open a docs issue instead).
- Missing security headers on unauthenticated endpoints — file as a hardening request.
- Physical access attacks — treat as out of AuthPlane’s control.
Coordinated disclosure
We follow standard coordinated disclosure practice:
- You report privately.
- We acknowledge within 48 hours.
- We work with you to reproduce and patch.
- We backport the fix to supported release lines.
- We publish a security advisory with credit to the reporter (unless you request anonymity).
- We notify high-severity subscribers via the GitHub security-alerts feed on the affected repository.
If you plan to publish research, coordinate the disclosure date with us so downstream users can upgrade first. We aim to give at least 7 days after the release before you go public.
Supported versions
Only the latest minor release receives security patches. If you’re on a version older than the current stable minor, upgrade first.
Track releases at github.com/authplane/authserver/releases.
Security-relevant design docs
For context on what the design is supposed to defend against:
- Security: Threat model — 16 named threats + mitigations
- Security: Token design — why 15-min JWTs, opaque refresh, mandatory rotation
- Security: DPoP — RFC 9449 depth
- Security: Key management — signing key lifecycle
Related
- Security: Threat model
- SECURITY.md in authserver repo — source of the policy above
- Per-SDK SECURITY.md: Python · TypeScript · Go