Reporting security vulnerabilities
When reporting a security vulnerability please do not disclose the details publicly. This includes our
user mailing lists. Instead contact firstname.lastname@example.org or create a JIRA issue and mark it as security sensitive. The Keycloak team will acknowledge your e-mail, and you will receive a response indicating the next steps in handling your report.
To report a security vulnerability:
Go to JIRA and create a new issue
Before saving the issue make sure the This issue is security relevant checkbox is checked. This
makes the details in the issue only visible to the core Keycloak team and yourself.
Please provide as much information about the issue as possible when contacting the list. This will contribute to a better response time.
If you have a patch or patches to submit, please include them in the email using git format-patch. But do not file a pull request on GitHub, unless you coordinated it with the team.