root: update security policy to include link to cure53 report (#7853)

* add links to the cure53 audit results

* fix link

* link

* fighting with Docu

* removed link for now

* use absolute link

---------

Co-authored-by: Tana Berry <tana@goauthentik.io>
Tana M Berry 2023-12-11 15:26:36 -06:00 committed by GitHub
parent 1fccbaa693
commit f2aa83a731
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 6 additions and 2 deletions

@ -1,5 +1,9 @@
authentik takes security very seriously. We follow the rules of [responsible disclosure](https://en.wikipedia.org/wiki/Responsible_disclosure), and we urge our community to do so as well, instead of reporting vulnerabilities publicly. This allows us to patch the issue quickly, announce it's existence and release the fixed version. authentik takes security very seriously. We follow the rules of [responsible disclosure](https://en.wikipedia.org/wiki/Responsible_disclosure), and we urge our community to do so as well, instead of reporting vulnerabilities publicly. This allows us to patch the issue quickly, announce it's existence and release the fixed version.
## Independent audits and pentests
In May/June of 2023 [Cure53](https://cure53.de) conducted an audit and pentest. The [results](https://cure53.de/pentest-report_authentik.pdf) are published on the [Cure53 website](https://cure53.de/#publications-2023). For more details about authentik's response to the findings of the audit refer to [2023-06 Cure53 Code audit](https://goauthentik.io/docs/security/2023-06-cure53).
## What authentik classifies as a CVE ## What authentik classifies as a CVE
CVE (Common Vulnerability and Exposure) is a system designed to aggregate all vulnerabilities. As such, a CVE will be issued when there is a either vulnerability or exposure. Per NIST, A vulnerability is: CVE (Common Vulnerability and Exposure) is a system designed to aggregate all vulnerabilities. As such, a CVE will be issued when there is a either vulnerability or exposure. Per NIST, A vulnerability is:
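Review bot: the new paragraph under "Independent audits and pentests" links the report and the response page but never says which releases contain the fixes. The audit page touched in this same commit names 2023.4.2 and 2023.5.3, and repeating those versions here would let a reader of the security policy check their install without following a link. Two smaller points while this file is open: "In May/June of 2023 [Cure53]" is missing the comma that the audit page uses after "2023", and the unchanged first paragraph still reads "announce it's existence", which should be "its existence".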

@ -1,8 +1,8 @@
# 2023-06 Cure53 Code audit # 2023-06 Cure53 Code audit
In May/June of 2023, we've had a Pen-test conducted by [Cure53](https://cure53.de). The following security updates, 2023.4.2 and 2023.5.3 were released as a response to the found issues. In May/June of 2023, we've had a Pentest conducted by [Cure53](https://cure53.de). The following security updates, 2023.4.2 and 2023.5.3 were released as a response to the found issues.
From the complete report, these are the points we're addressing with this update: From the [complete report](https://cure53.de/pentest-report_authentik.pdf), these are the points we're addressing with this update:
### ATH-01-001: Path traversal on blueprints allows arbitrary file-read (Medium) ### ATH-01-001: Path traversal on blueprints allows arbitrary file-read (Medium)
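Review bot: the "[complete report]" link added on the "From the complete report" line hard-codes the same cure53.de PDF URL that this commit also adds to the security policy, so if the report moves there are now two places to correct; consider pointing one of them at the other page instead. The wording change on the line above also leaves the text inconsistent: it now reads "a Pentest" with a capital mid-sentence, while the paragraph added to the security policy writes "an audit and pentest" in lowercase. On that same line, "The following security updates, 2023.4.2 and 2023.5.3 were released" needs a closing comma after "2023.5.3".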