security-charter.html
<!doctype html>
<html lang="en" prefix="og: https://ogp.me/ns#">
<head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-0J2P9316N6"></script>
<script>
window.dataLayer = window.dataLayer || [];
function gtag(){dataLayer.push(arguments);}
gtag('js', new Date());
gtag('config', 'G-0J2P9316N6');
</script>
<meta charset="utf-8"/>
<title>Security Charter - Keycloak</title>
<meta name="twitter:card" content="summary_large">
<meta name="twitter:site" content="@keycloak">
<meta property="og:site_name" content="Keycloak">
<meta property="og:title" content="Security Charter">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta name="description" property="og:description" content="Learn how the Keycloak Security Taskforce handles security reports and proactively acts to keep Keycloak secure.">
<meta name="author" content="Keycloak Team">
<meta name="keywords" content="sso,idm,openid connect,saml,kerberos,ldap">
<link href="https://www.keycloak.org/resources/bootstrap/dist/css/bootstrap.min.css" rel="stylesheet">
<link href="https://www.keycloak.org/resources/@fortawesome/fontawesome-free/css/all.min.css" rel="stylesheet">
<link href="https://www.keycloak.org/resources/css/keycloak.css" rel="stylesheet">
<link rel="canonical" href="https://www.keycloak.org/security-charter">
<meta property="og:url" content="https://www.keycloak.org/security-charter">
<link rel="icon" type="image/x-icon" href="https://www.keycloak.org/resources/favicon.ico">
<link rel="icon" type="image/vnd.microsoft.icon" href="https://www.keycloak.org/resources/favicon.ico">
<link rel="icon" type="image/svg+xml" href="https://www.keycloak.org/resources/favicon.svg"></head>
<body>
<header class="navbar navbar-expand-md bg-light shadow-sm">
<nav class="container-xxl flex-wrap flex-md-no-wrap navbar-light" data-nosnippet>
<a class="navbar-brand me-3 me-md-4 me-lg-5" href="https://www.keycloak.org/">
<img style="aspect-ratio: 730/151" class="img-fluid" src="https://www.keycloak.org/resources/images/logo.svg" width="240" alt="Keycloak"/>
</a>
<a class="nav-link d-none d-sm-block d-md-none d-lg-block" href="https://github.com/keycloak/keycloak"><img src="https://www.keycloak.org/resources/images/stars-large.svg" style="height: 25px; aspect-ratio: 124/20" alt="GitHub stars"/></a>
<button class="navbar-toggler" type="button" data-bs-toggle="collapse" data-bs-target="#navbarCollapse" aria-controls="navbarCollapse" aria-expanded="false" aria-label="Toggle navigation">
<span class="fa fa-bars fa-lg px-1 py-2"></span>
</button>
<div class="collapse navbar-collapse" id="navbarCollapse">
<ul class="navbar-nav flex-row flex-wrap bd-navbar-nav pt-2 py-md-0">
<li class="nav-item col-6 col-md-auto">
<a class="nav-link " href="https://www.keycloak.org/guides">Guides</a>
</li>
<li class="nav-item col-6 col-md-auto">
<a class="nav-link " href="https://www.keycloak.org/documentation">Docs</a>
</li>
<li class="nav-item col-6 col-md-auto">
<a class="nav-link " href="https://www.keycloak.org/downloads">Downloads</a>
</li>
<li class="nav-item col-6 col-md-auto">
<a class="nav-link " href="https://www.keycloak.org/community">Community</a>
</li>
<li class="nav-item col-6 col-md-auto">
<a class="nav-link " href="https://www.keycloak.org/blog">Blog</a>
</li>
</ul>
</div>
<div class="d-block d-sm-none d-md-block d-lg-none text-center vw-100">
<a class="nav-link d-inline p-0" href="https://github.com/keycloak/keycloak"><img src="https://www.keycloak.org/resources/images/stars-large.svg" style="height: 25px; aspect-ratio: 124/20" alt="GitHub stars"/></a>
</div>
</nav>
</header>
<div class="container mt-5 kc-article">
<h1>Security Charter</h1>
<h2>Mission</h2>
<p>The Keycloak Security Taskforce is committed to enhancing the security of the Keycloak project through continuous improvement of documentation, code, and processes. Our core responsibilities include:</p>
<ul>
<li>Proactive triage: rapidly addressing security vulnerabilities reported to Keycloak and ensuring they are resolved promptly and consistently.</li>
<li>Impact evaluation: assessing the security implications of new and existing features.</li>
<li>Process enhancement: regularly reviewing and refining security processes to ensure ongoing improvement within the codebase.</li>
</ul>
<h2>Teams</h2>
<h3>Keycloak Security Response Team</h3>
<p>A dedicated subset of maintainers actively involved in triaging new issues and coordinating with Resolution Teams. The Response Team has full access to all CVEs reported to the project and can add or remove members from Resolution Teams as necessary.</p>
<h4>Member Nomination Process</h4>
<ul>
<li>New members can be nominated by existing maintainers and members of the Keycloak Security Response Team. Members of both teams have a vote in the approval process, and a 2/3 majority is required for approval.</li>
<li>All nominations must be sent to the Keycloak Security mailing list.</li>
<li>Members may step down at any time and may nominate a replacement when they do.</li>
</ul>
<h4>Responsibilities</h4>
<ul>
<li>Remain active and responsive, participating in day-to-day activities.</li>
<li>Communicate any leave of absence.</li>
<li>Participate on rotating shifts on a weekly basis.</li>
<li>Members who have been inactive or have not fulfilled their responsibilities for more than three months without advance notice will be removed by vote.</li>
</ul>
<h4>Scope</h4>
<ul>
<li>Vulnerability triage: managing reports received via the Keycloak security mailing list.</li>
<li>Coordination: overseeing the response to reported vulnerabilities to ensure compliance with SLA deadlines.</li>
<li>Process improvement: maintaining and enhancing security measures, such as implementing linters, scanners, fuzzers, and patch managers. Ensuring security is proactively integrated throughout the project.</li>
</ul>
<h4>Rotating Shifts</h4>
<ul>
<li>Team members take turns being the primary point of contact on a weekly basis.</li>
<li>The designated person on the shift handles incoming security requests, coordinates responses to incidents, and manages day-to-day security tasks during their shift.</li>
<li>Other team members will continue to work on security response duties, supporting the person on the shift.</li>
<li>The shift ends at the weekly Keycloak Security Office meeting, where the next person on shift is briefed on the current status.</li>
<li>Vacations and PTO are communicated during the meeting so that the shift rotation can be adjusted.</li>
</ul>
<h3>Keycloak Security Resolution Team</h3>
<p>A permanent team of subject matter experts (SMEs) responsible for triaging security reports and fixing vulnerabilities in the codebase. The Resolution Team works closely with the Response Team to ensure that reported issues are assessed, prioritized, and resolved effectively.</p>
<h4>Scope</h4>
<ul>
<li>Resolution and testing: ensuring vulnerabilities are effectively fixed and thoroughly tested.</li>
<li>Collaboration: working with the Response Team to prioritize fixes above all other items in the team's backlog, regardless of their nature.</li>
<li>Release Coordination: collaborating closely with release coordinators and Quality Engineering (QE) teams to include patches in upcoming releases.</li>
</ul>
<h2>Access</h2>
<table border="1" cellpadding="10" cellspacing="5">
<thead>
<tr>
<th>Resource</th>
<th>Response Team</th>
<th>Fix Coordinators</th>
<th>Resolution Team</th>
</tr>
</thead>
<tbody>
<tr>
<td><a href="https://groups.google.com/g/keycloak-security">Mailing list</a></td>
<td>Full access</td>
<td>Full access</td>
<td>Full access</td>
</tr>
<tr>
<td><a href="https://github.com/keycloak/keycloak-private/">Private GitHub repository</a></td>
<td>Full access</td>
<td>Full access</td>
<td>Full access</td>
</tr>
<tr>
<td><a href="https://github.com/keycloak/keycloak/security">Security advisories and alerts</a></td>
<td>Full access</td>
<td>Full access</td>
<td>Full access</td>
</tr>
<tr>
<td>Slack channel (#alerts-keycloak-cve)</td>
<td>Full access</td>
<td>Full access</td>
<td>Full access</td>
</tr>
</tbody>
</table>
<h2>Coordinating a Security Vulnerability Fix</h2>
<ul>
<li>Identification: the Response Team triages the reported vulnerability and assigns it to the Resolution Team for assessment and remediation.</li>
<li>Efficiency: to prevent accidental disclosure, communication about vulnerabilities is kept within the Response and Resolution Teams.</li>
<li>Autonomy: the Resolution Team has the autonomy to involve additional parties such as release coordinators, QE, and documentation teams. Communication with the Response Team is advised when in doubt.</li>
</ul>
<h2>Process Overview</h2>
<ol>
<li>A new vulnerability is reported to the Keycloak security mailing list.</li>
<li>The vulnerability report is triaged.</li>
<li>A CVE ID is assigned.</li>
<li>The Response Team identifies the responsible group (e.g., Team A with members Noah and Emma).</li>
<li>Team A submits the fix to the private repository and includes domain experts for review.</li>
<li>Team A informs QE and release coordinators about the forthcoming patch.</li>
<li>The pull request is merged, and a new release is issued along with official advisories.</li>
</ol>
<p>Both the Response Team and the Resolution Team maintain ongoing access to security-sensitive channels, enabling fast escalation and involving all SMEs across teams as quickly as possible.</p>
<p>This charter outlines the approach the Keycloak project takes to manage and mitigate security vulnerabilities, ensuring the integrity and reliability of the project for all users.</p>
</div>
<div class="container mt-5" data-nosnippet>
<footer class="py-3 my-4 border-top">
<p class="text-center text-muted">Keycloak is a Cloud Native Computing Foundation incubation project</p>
<div class="text-center">
<img style="aspect-ratio: 300/48" alt="Cloud Native Computing Foundation" src="https://www.keycloak.org/resources/images/cncf_logo.png" loading="lazy"/>
</div>
<p class="mt-4 text-center small text-muted">© Keycloak Authors 2026. © 2026 The Linux Foundation. All rights reserved. The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see our <a href="https://www.linuxfoundation.org/trademark-usage">Trademark Usage page</a>.</p>
</footer>
</div>
<script src="https://www.keycloak.org/resources/bootstrap/dist/js/bootstrap.min.js" type="text/javascript"></script>
<script src="https://www.keycloak.org/resources/tocbot/dist/tocbot.min.js" type="text/javascript"></script>
</body>
</html>