Reporting security vulnerabilities

When reporting a security vulnerability, please do not disclose the details publicly. This includes our user mailing lists. Instead contact or create a JIRA issue and mark it as security sensitive. The Keycloak team will acknowledge your e-mail, and you will receive a response indicating the next steps in handling your report.

To report a security vulnerability:

  • Go to JIRA and create a new issue.
  • Before saving the issue, make sure the "This issue is security relevant" checkbox is checked. This makes the details in the issue visible only to the core Keycloak team and yourself.
  • Please provide as much information about the issue as possible when contacting the list. This will contribute to a better response time.
  • If you have a patch or patches to submit, please include them in the email using git format-patch. However, do not file a pull request on GitHub unless you have coordinated it with the team.