
Security: ellaisys/aws-cognito

SECURITY.md

Security Guidelines

The security of our project and its users is of utmost importance to us. We are committed to maintaining a secure environment and addressing any security vulnerabilities promptly. This document outlines guidelines for reporting security issues and our approach to handling them. Please read this information carefully and follow the instructions provided.

Reporting Security Issues

If you discover a security vulnerability or have concerns regarding the security of our project, please report it to our security team immediately. We appreciate your responsible disclosure and will work with you to address the issue.

To report a security issue, please follow these steps:

  • Create a GitHub issue for our security team with a detailed description of the vulnerability or concern. Please include as much information as possible to help us understand and reproduce the issue.
  • Avoid sharing sensitive information or details about the vulnerability in public spaces, such as GitHub issues or public forums, until we have had an opportunity to review and address the issue.
  • Our security team will acknowledge your report within a reasonable timeframe and work with you to investigate the issue further.
  • Once we have assessed and resolved the vulnerability, we will provide you with updates and credit for your responsible disclosure if desired.

We kindly request that you refrain from sharing or exploiting potential vulnerabilities without prior coordination with our security team.

Scope of Security Issues

We appreciate your vigilance in identifying security vulnerabilities. However, it's important to understand the scope of issues we are most concerned about:

  • Remote code execution
  • Authentication or authorization bypass
  • Privilege escalation
  • SQL injection
  • Cross-Site Scripting (XSS)
  • Cross-Site Request Forgery (CSRF)
  • Server or application misconfigurations that could lead to security breaches

Please note that we may not consider some issues, such as self-XSS or other user-inflicted vulnerabilities, within the scope of our security policy. Nevertheless, we still appreciate hearing about them and encourage responsible disclosure.

Reward and Recognition

We value the contributions of the security community and understand the time and effort put into finding and reporting vulnerabilities. As a token of our appreciation, we offer a reward program for eligible reports. The program's specifics, including eligibility criteria and rewards, will be communicated to you when you report the security issue.

If you are not interested in receiving a reward but would like to be recognized for your contribution, please let us know, and we will gladly acknowledge your efforts.

Responsible Disclosure

We kindly request that you:

  • Act in good faith and provide us with reasonable time to investigate and address reported vulnerabilities before disclosing them to the public.
  • Refrain from accessing, modifying, or deleting any data that does not belong to you.
  • Avoid causing any disruption or degradation of our services during your research.

By following these guidelines, you help us protect our users and maintain a secure environment for everyone.

Our Commitment

We are dedicated to addressing security vulnerabilities in a timely manner and providing regular updates on our progress. We appreciate your collaboration in making our project more secure. Together, we can maintain a safer environment for all users.

If you have any further questions or require additional information, please feel free to contact the community maintainers or owners.

Thank you for your support in keeping our project secure. We truly value your efforts and commitment to the safety of our community.
