
Security: RoFz/vault-plugin-secrets-keycloak

SECURITY.md

Security Policy

Supported Versions

Only the latest release is supported with security fixes.

Reporting a Vulnerability

Please do not open a public issue for security vulnerabilities.

Report vulnerabilities privately using GitHub Security Advisories. You will receive an acknowledgement within 7 days.

Scope

In scope:

  • Vulnerabilities in this plugin's code that could compromise the confidentiality, integrity, or availability of Vault or Keycloak credentials
  • Dependency vulnerabilities with a direct exploit path

Out of scope:

  • Vulnerabilities in HashiCorp Vault itself — report those to HashiCorp
  • Vulnerabilities in Keycloak itself — report those to the Keycloak project
  • Issues requiring physical access or social engineering

Disclosure

Once a fix is released, vulnerabilities will be publicly disclosed via a GitHub Security Advisory. Credit will be given to the reporter unless anonymity is requested.

References

This policy was shaped by the following sources:
