We do our best to make INDIGO IAM a secure product, free of known vulnerabilities.
If you believe you have found a software vulnerability in INDIGO IAM, please report it to us as described below.
We adopt the following definition of vulnerability:
An instance of one or more weaknesses in a Product that can be exploited, causing a negative impact to confidentiality, integrity, or availability; a set of conditions or behaviors that allows the violation of an explicit or implicit security policy.
You have two ways to report a security vulnerability:
- Preferably report a security vulnerability in this repository, under the section Security. A template will guide you through the submission; the information you provide will help us to properly assess the issue. Please do NOT submit a public GitHub issue.
- Virtual organizations and sites participating in the European Grid Infrastructure (EGI) or the Worldwide LHC Computing Grid (WLCG) may report the vulnerability to the Software Vulnerability Group (SVG) by e-mail to: report-vulnerability [at] egi.eu. Again, try to be as detailed as possible in your submission and please do NOT disclose your findings on any public channel.
In both cases, after the submission, the software vulnerability will be managed according to The EGI Software Vulnerability Group Issue handling procedure, following a principle of responsible vulnerability disclosure.
Bug fixes and new features are normally applied only to the latest release of INDIGO IAM. For bugs and security vulnerabilities with significant impact we may consider releasing patches to previous releases, based also on the assessment done by the EGI SVG.