
Security: arafatomer66/openiga


Security policy

OpenIGA handles identities, credentials, and access — security reports are the highest-priority issues we receive.

Reporting a vulnerability

Please do not file public GitHub issues for security vulnerabilities.

Instead, email the maintainers privately:

Include:

  • A clear description of the vulnerability
  • Reproduction steps (proof-of-concept if you have one)
  • The affected version / commit
  • Your assessment of impact (data exposure, privilege escalation, DoS, etc.)
  • Whether you'd like credit in the security advisory

We aim to:

  • Acknowledge within 72 hours
  • Triage within 5 business days
  • Patch critical vulnerabilities within 14 days of triage
  • Publish a security advisory once a fix is available

Scope

In scope:

  • The OpenIGA core (apps/*, libs/*, services/*)
  • Official connectors under connectors/*
  • Default configuration shipped with the project
  • Cryptographic constructions (KMS, sessions, password storage)
  • Authentication & authorization (login, MFA, ACL evaluator)

Out of scope:

  • Vulnerabilities in third-party dependencies (please report upstream)
  • Self-inflicted misconfiguration (e.g. KMS_ENV_KEY=hello)
  • Denial-of-service via abusive but valid use of the API (rate limiting belongs in your edge layer)

Coordinated disclosure

We follow a 90-day coordinated disclosure window by default. If you need a longer or shorter window for any reason, tell us in your initial report.

Hall of fame

We maintain a list of reporters who have responsibly disclosed vulnerabilities — see docs/SECURITY-HALL-OF-FAME.md. Inclusion is opt-in.

Cryptography commitments

OpenIGA commits to:

  • Never roll its own cryptographic primitives
  • Use AES-256-GCM (authenticated encryption) for symmetric encryption at rest
  • Hash passwords with bcrypt at cost factor 12
  • Store session tokens only as SHA-256 hashes; the raw token is handed to the client and never persisted
  • Generate every secret value (keys, tokens, nonces) with a CSPRNG (Node's crypto.randomBytes)
  • Rotate signing / encryption keys without downtime (Phase 7's crypto:rotate)

If you spot a deviation from any of the above, please report it as a security issue.