| Version | Supported |
|---|---|
| 1.x.y (upcoming stable) | Will receive security fixes once released. |
| 0.x.y (current prerelease) | No security fixes. Pin a version and upgrade when 1.x ships. |
The 0.x.y line is a prerelease series. It will not receive backported security fixes; users are expected to upgrade to the upcoming stable 1.x.y line once available.
Please do not open a public GitHub issue for security vulnerabilities.
GitHub Private Vulnerability Reporting will be enabled via the repository Security tab; check there for the current status. In the meantime, report vulnerabilities by email to dah.kenangnon@gmail.com. Include:
- A description of the vulnerability
- Steps to reproduce
- Affected package(s) and version(s)
- Any suggested fix or patch (optional)
You will receive an acknowledgement within 72 hours. Fixes target the upcoming stable line; expect a release within 14 days of confirmation once 1.x.y is generally available.
Security reports are accepted for all @oidfed/* packages:
@oidfed/core— trust chain resolution and validation@oidfed/authority— federation endpoint handlers@oidfed/leaf— entity configuration serving@oidfed/oidc— registration protocol handling@oidfed/cli— command-line interface
The following applications are included in scope for security reports. All are read-only, client-side only tools; reports are welcome but will be treated as lower severity:
- Home (
oidfed/home): The project home page. - Explorer (
oidfed/explorer): The@oidfed/explorerbrowser app. - Learn (
oidfed/learn): The practical guide to learning OpenID Federation.
- Vulnerabilities in upstream dependencies (report to:
jose,zod,commander, etc.) - Issues requiring physical access to a host
- Social engineering attacks