Skip to content

Revise security vulnerability reporting instructions #853

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
Dredsen wants to merge 1 commit into
base: main
Choose a base branch
from
+49 −1
Open

Revise security vulnerability reporting instructions #853

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
50 changes: 49 additions & 1 deletion SECURITY.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,4 +6,52 @@ It is recommended to use the [latest](https://github.com/tinyauthapp/tinyauth/re

## Reporting a Vulnerability

Due to the nature of this app, it needs to be secure. If you discover any security issues or vulnerabilities in the app please contact me as soon as possible at <security@tinyauth.app>. Please do not use the issues section to report security issues as I won't be able to patch them in time and they may get exploited by malicious actors.
Please **do not** report security vulnerabilities through public GitHub issues, discussions, or pull requests as I won't be able to patch them in time and they may get exploited by malicious actors.

Instead, report them privately using [GitHub's Private Vulnerability Reporting](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/privately-reporting-a-security-vulnerability) via the **Security** tab of this repository.

Or send me an email at <security@tinyauth.app>.

### A note on AI-assisted reports

If AI tooling (LLMs, automated scanners, agentic assistants, etc.) helped you discover, analyse, or write up this issue, please say so in your report. This isn't a judgement - AI-assisted findings are welcome - but disclosing it up front helps maintainers calibrate how much additional verification a report needs, and tends to make the report itself clearer.

When submitting a report, please use the structure below so it can be triaged quickly.

---

### 1. Summary

A short, one-paragraph description of the vulnerability and its impact (e.g. what an attacker can achieve, who is affected, and under what conditions).

### 2. Steps to Reproduce / Proof of Concept

Provide a minimal, reliable reproduction:

1. Step one
2. Step two
3. Step three

Include any required input, payloads, configuration, or code snippets. Attach a PoC script or screenshots where helpful.

### 3. Expected vs. Actual Behaviour

- **Expected:** what *should* happen
- **Actual:** what *does* happen, and why it's a security issue

### 4. Suggested Fix or Mitigation *(optional)*

If you have an idea for how to address the issue, describe it here. A private gist link is welcome but not required.

- **Have you tested this fix?** Yes / No
- **If yes,** briefly describe how it was tested and what was verified.

---

## What to Expect

- **Acknowledgement** within a reasonable timeframe after receiving your report
- **Updates** as the issue is investigated and addressed
- **Public credit** in the resulting advisory, along with any **CVE assigned**, unless you'd prefer to stay anonymous

We follow a **90-day coordinated disclosure** window: please allow up to 90 days from the date of your report for the issue to be investigated and patched before publicly disclosing it. The publication date - whether earlier if a fix lands sooner, or later if more time is genuinely needed - will be agreed with you in advance.