|
1 | 1 | # Security Policy |
2 | 2 |
|
| 3 | +This security policy covers the npm package [`@node-oauth/oauth2-server`](https://www.npmjs.com/package/@node-oauth/oauth2-server), maintained in the [`node-oauth/node-oauth2-server`](https://github.com/node-oauth/node-oauth2-server) repository. |
| 4 | + |
| 5 | +Because this project is a security-sensitive OAuth 2.0 authorization server library (RFC 6749 / RFC 6750), we take vulnerability reports seriously and handle them under a coordinated-disclosure process. We are grateful to the security researchers who help keep this project and its users safe. |
| 6 | + |
3 | 7 | ## Supported Versions |
4 | 8 |
|
5 | | -Use this section to tell people about which versions of your project are |
6 | | -currently being supported with security updates. |
| 9 | +Security fixes are developed against the latest `5.x` release. To stay protected, keep your dependency up to date with the most recent published version. |
7 | 10 |
|
8 | 11 | | Version | Supported | |
9 | 12 | |---------|--------------------------------------------------| |
10 | 13 | | 5.x.x | :white_check_mark: | |
11 | | -| 4.x.x | :white_check_mark: but only high severity issues | |
| 14 | +| 4.x.x | :white_check_mark: but only high-severity issues | |
12 | 15 | | 3.x.x | :x: | |
13 | 16 | | < 3 | :x: | |
14 | 17 |
|
| 18 | +The `5.x` line is actively maintained and receives all security fixes. The `4.x` line is a legacy line that receives backports for high-severity issues only. Versions `3.x` and older are unsupported and will not receive security updates. |
| 19 | + |
15 | 20 | ## Reporting a Vulnerability |
16 | 21 |
|
17 | | -Report security vulnerabilities to info@jankuester.com |
| 22 | +**Please report vulnerabilities privately using GitHub's private vulnerability reporting — do not open a public issue, pull request, or discussion for a security bug.** Public disclosure before a fix is available puts every user of the library at risk. |
| 23 | + |
| 24 | +To report a vulnerability: |
| 25 | + |
| 26 | +1. Open the **[Report a vulnerability](https://github.com/node-oauth/node-oauth2-server/security/advisories/new)** form directly, or go to the repository's **[Security tab](https://github.com/node-oauth/node-oauth2-server/security)** and click **"Report a vulnerability"**. |
| 27 | +2. Fill in the title and description (only those two fields are required) and submit the report. |
| 28 | + |
| 29 | +You will need to be signed in to GitHub. Submitting through this channel keeps the report private, notifies the maintainers directly, and automatically adds you as a collaborator on the draft advisory so we can discuss the issue with you and credit you when it is published. |
| 30 | + |
| 31 | +Reports are handled by the maintainers, [Jan Küster (@jankapunkt)](https://github.com/jankapunkt) and [Dan Hensby (@dhensby)](https://github.com/dhensby). |
| 32 | + |
| 33 | +## What to Include in a Report |
| 34 | + |
| 35 | +To help us triage, reproduce, and fix the issue quickly, please include as much of the following as you can: |
| 36 | + |
| 37 | +- A clear description of the vulnerability and its **security impact** — what an attacker can achieve by exploiting it. |
| 38 | +- The **affected version(s)**, and if known the relevant commit or branch. |
| 39 | +- **Steps to reproduce**, ideally with a minimal **proof of concept**. |
| 40 | +- Any **configuration or environment** needed to trigger the issue (for example the grant types, model behaviour, or framework adapter in use). |
| 41 | +- Optionally: a suggested fix or mitigation, your severity assessment, and whether you would like public credit in the advisory. |
| 42 | + |
| 43 | +We need to be able to **reproduce** the vulnerability — just as we do with ordinary bug reports — before we can safely fix it, so clear reproduction steps and impact details are the most valuable thing you can provide. |
18 | 44 |
|
19 | | -Please specify exactly how the vulnerability is to be exploited so we can estimate how severe the consequences can be (unless you also can specify them, too). |
| 45 | +## What Happens Next |
20 | 46 |
|
21 | | -Please note that we need to reproduce the vulnerability (as like with bugs) in order to safely fix it. |
| 47 | +1. **Acknowledgement & triage.** We confirm receipt of your report and begin assessing it privately through the GitHub security advisory. |
| 48 | +2. **Reproduction.** We reproduce the issue to understand its impact and estimate severity. We may follow up with you for clarification or additional detail. |
| 49 | +3. **Private fix.** A fix is developed in private — within the draft advisory or a temporary private fork — until we can confirm the vulnerability is closed. If you would like to help, let us know and we can collaborate on the fix in a private fork; only a maintainer can merge it. |
| 50 | +4. **Validation.** All security fixes must pass the **full test suite and dependency audits** before they ship — a security fix is never released at the expense of correctness. |
| 51 | +5. **Release.** Once a fix is ready, we publish a new release promptly and update the supported release lines as appropriate. |
| 52 | +6. **Disclosure & credit.** We publish a GitHub Security Advisory (GHSA), request a CVE where warranted, and credit you for the report unless you ask otherwise. The project actively uses GitHub Security Advisories — for example, [GHSA-jhm7-29pj-4xvf](https://github.com/node-oauth/node-oauth2-server/security/advisories/GHSA-jhm7-29pj-4xvf) (CVE-2026-41213, a PKCE brute-force issue) was fixed in `5.3.0`. |
22 | 53 |
|
23 | | -A fix will be implemented in private until we can ensure the vulnerability is closed. A new release will immediately be published. |
24 | | -If you want to provide a fix please let us know in the e-mail so we can setup a completely private repository to work on it together. |
| 54 | +## Disclosure Expectations |
25 | 55 |
|
26 | | -Finally, all security fixes will also require to pass all tests and audits. |
| 56 | +We follow **coordinated disclosure**. Please give us a reasonable opportunity to investigate and release a fix before disclosing the vulnerability publicly, and please do not share details — including via public issues, pull requests, or discussions — until a patched release is available and the advisory is published. We will keep you informed of our progress throughout, and we aim to resolve and disclose issues promptly. |
0 commit comments