If you find a security issue in Authsome, please tell us privately so we can fix it before it is made public.

How to report

Open a private security advisory on GitHub and include:
  • A clear description of the issue and its impact.
  • Steps to reproduce. A minimal proof of concept is ideal.
  • The affected version (authsome --version).
  • Your name and a way to credit you in the fix announcement, if you want credit.
Private advisories are visible only to repository maintainers until coordinated disclosure.

What to expect

Step                              | Timeline
Acknowledgement                   | Within 72 hours
Triage and severity assessment    | Within 5 business days
Fix scoping and target release    | Communicated after triage
Coordinated disclosure            | After a fix is released, unless the issue is being actively exploited
We will keep you in the loop through the fix and credit you in the release notes unless you prefer to remain anonymous.

Scope

In scope:
  • The Authsome CLI, Python library, and local daemon.
  • Bundled provider definitions.
  • The mitmproxy-based local HTTP proxy.
  • The daemon dashboard UI.
Out of scope:
  • Bugs in third-party providers’ OAuth implementations. Report those to the provider.
  • Bugs in upstream dependencies. We will track the relevant CVE and bump our pinned version.
  • Issues that require local root or physical access to the machine. Authsome’s threat model assumes the local machine and user account are trusted.

Public release notes

Fixed issues are documented in CHANGELOG.md and the GitHub release announcement, with a CVE identifier when one is assigned.