We greatly appreciate when security researchers and users bring vulnerabilities to our attention, as it allows us to improve Authgear's security and better serve our open source community.
Our team will quickly look into the issue you reported. We welcome working collaboratively with you to validate and address any vulnerabilities. Once the vulnerability has been confirmed, we will keep you updated on our progress fixing it.
For the safety of Authgear's users, we kindly request that you coordinate public disclosure of the vulnerability with us and withhold it until a fix has been implemented. By working together closely, we can ensure users are protected while also acknowledging your valuable contribution.
We will not terminate your service or pursue legal action against anyone who follows this security policy.
The scope of this policy applies to all websites and services operated by Authgear and the software in our open source repositories.
Only the latest version from our stable release is supported.
You must not do research or testing that involves:
- Modifying or destroying any data that does not belong to you
- Accessing or attempting to access data that does not belong to you
- Denial of service attacks
- Load testing
To report a vulnerability, please submit it to our Advisories Portal or email [email protected].
Please include the following details:
- Target: Authgear Cloud, Authgear Open Source, Other
- Type: DoS, authentication bypass, broken authorization, etc.
- Description
- URL/Location (Optional)
If you haven't received a response within 48 hours, please contact [email protected].
The following are out of scope:
- Disclosure of known public files or directories, e.g. robots.txt, files under .well-known, or files that are included in our public repositories (e.g. go.mod)
- Suggestions on Certificate Authority Authorization (CAA) rules, DMARC/DKIM/SPF, or DNSSEC settings
- Lack of security flags on non-sensitive cookies
We currently do not provide monetary compensation for reporting security vulnerabilities. Please indicate in your report whether you would like your contribution acknowledged; by default we keep contributors anonymous.