We take security very seriously. We welcome any review of the latest release of all our open source code to ensure that these components can not be compromised. In case you identified a security related issue with severity of low to medium, please create a GitHub issue.

In case you identified a security related issue with severity of high or critical, please disclose information about the issue non public via email to timo.pagel@owasp.org.

We encourage researchers to include a Proof-of-Concept, supported by screenshots or videos. For each given security related issue with severity high or critical (based on own assessment), we will respond within one week.

Please be aware that only the most recent version will be subject of security patches.

There is no format in commits to identify security related fixes and it is not planned yet.

The patch management process of the application is weak. It is recommended to not use the application with production data in public. Please use at least authentication/authorization in front of the application (e.g. https://github.com/oauth2-proxy/oauth2-proxy).