Skip to main content

Vulnerability Disclosure Policy

Last updated on March 16, 2023

At ZITADEL we are extremely grateful for security aware people who disclose vulnerabilities to us and the open source community. All reports will be investigated by our team and we will work with you closely to validate and fix vulnerabilities reported to us.

We require that you keep vulnerabilities confidential until we are able to address them, since public disclosure of security vulnerabilities could put the ZITADEL community at risk.

ZITADEL (CAOS Ltd.) will not take legal action against you or terminate your access to our services, conditional that you report vulnerabilities in accordance to this policy.

Scope​

The scope of this policy applies to all Websites and Services operated by ZITADEL.

All security issues that concern our Product in form of Software in our open source repositories, should be reported according to Security Policy.

When in doubt about the scope of your vulnerability, please follow the process outlined in this policy.

Discovering a vulnerability​

Responsible security research on our Websites, Products, and Services is encouraged and we allow you to conduct testing on our services to which you have authorized access.

You must not do research or testing that involves

  • Any activity that violates applicable law
  • Modify or destroy any data that does not belong to you
  • Accessing or attempt to access data that does not belong to you
  • Executing denial of service attacks
  • Executing load testing

Exceptions may be granted after your initial report by a member of our security team.

Reporting a vulnerability​

To file an incident, please disclose it by e-mail to security@zitadel.com including the following details of the vulnerability:

  • Target: ZITADEL, Website (zitadel.com), ZITADEL Cloud (zitadel.cloud), Other (please describe)
  • Type: For example DoS, authentication bypass, information disclosure, broken authorization, ...
  • Description: Provide a detailed explanation of the issue, steps to reproduce, and assumptions you have made
  • URL / Location (optional): The URL of the vulnerability
  • Contact details (optional): In case we should contact you on a different channel

At the moment GPG encryption is no yet supported, however you may sign your message at will.

Your email will be acknowledged within 48 hours. We will follow-up within the next 3 business days indicating next steps in handling your report.

If you haven't received a response within 48 hours, or you didn't get a reply from our security team within the last 5 days, please contact support@zitadel.com.

Please inform us in your report whether we should mention your contribution. We will not publish this information by default to protect your privacy.

What not to report​

  • Disclosure of known public files or directories, e.g. robots.txt, files under .well-known, or files that are included in our public repositories (eg, go.mod)
  • DoS of users when Lockout Policy is enabled
  • Suggestions on Certificate Authority Authorization (CAA) rules
  • Suggestions on DMARC/DKIM/SPF settings
  • Suggestions on DNSSEC settings
  • Phishing or Social Engineering Attacks
  • Lack of security flags on non-sensitive cookies

Disclosure Process​

Our security team will follow the disclosure process:

  1. We will acknowledge the receipt of your vulnerability report
  2. Our security team will try to verify, reproduce, and determine the impact of your report
  3. A member of our team will respond to either confirm or reject your report, including an explanation
  4. Code will be audited to assess if the report uncovers similar issues
  5. Fixes are prepared for the latest release
  6. On the date that the fixes are applied, we will create a CVE and publish a security advisory. Affected users of our Product, Services, or Website will be informed of the fix and required actions.

We think it is crucial to publish advisories ASAP as mitigations are ready. But due to the unknown nature of the disclosures the time frame can range from 7 to 90 days.

Bug Bounty / Compensation​

At this moment, we do not pay out monetary compensation for reporting security vulnerabilities.

Please inform us in your report whether we should mention your contribution. We will not publish this information by default to protect your privacy.

In case we have confirmed your report, we may compensate you, given prior written approval by ZITADEL, for costs

  • incurred during research for using our paid services
  • on time & material spend on analysis after confirming your report
Last updated on by Elio Bischof