Vulnerability Reporting and Handling Process
OrionAuth.jl is committed to maintaining a secure and reliable authentication system. This document describes the process for reporting, handling, and disclosing security vulnerabilities. The process does not involve CVE assignment; it is designed for simple and efficient handling entirely through GitHub.
Reporting Vulnerabilities
Security issues should be reported privately and responsibly through the GitHub Security Advisories feature, which keeps the report visible only to the maintainers until they choose to publish it. To report a vulnerability:
- Go to the OrionAuth.jl GitHub repository.
- Open a new security advisory from the "Security" tab ("Advisories" → "New draft security advisory", or "Report a vulnerability" where GitHub's private vulnerability reporting is enabled for the repository).
- Provide detailed information:
  - Description of the issue.
  - Steps to reproduce (if applicable).
  - Potential impact (for example, which authentication guarantees are broken and under what conditions).
  - Any relevant logs or proof-of-concept (PoC) code. Remove real credentials, tokens, or other secrets before attaching them.
Do not submit reports via public issues or pull requests; doing so discloses the vulnerability before a fix is available.
Handling and Response Timeline
After receiving a vulnerability report, the maintainers will make best efforts to:
- Acknowledge receipt within 5 days.
- Analyze and validate the issue within a reasonable timeframe (usually within 15 days, depending on complexity).
- Develop and test a fix as soon as practical. No guaranteed timeline.
- Publish a patched release and security advisory once resolved.
Disclosure
Once a fix is available:
- The security advisory will be updated and made public.
- A patched release will be published.
- Clear upgrade instructions and mitigation recommendations (if necessary) will be included.
Limitations
- No guaranteed response or resolution timelines, but best efforts will always be made.
- No CVE assignment or external vulnerability database publication; the repository's GitHub Security Advisories and releases are the only disclosure channel, so downstream users should watch them for security updates.
- Priority is given to critical and high-impact issues.