[keycloak-user] Management of compromising bug tickets

Stian Thorgersen sthorger at redhat.com
Thu May 26 02:16:23 EDT 2016


Security-sensitive issues are marked as security sensitive, which means
that only the reporter and core team members can view the issue. However,
as it's all open source, someone can monitor commits and figure out exploits
that way.

Once we have a supported version of Keycloak ready we'll have a channel to
distribute patches to customers prior to disclosing any details and code to
the community.

On 26 May 2016 at 01:23, Brian Watson <watson409 at gmail.com> wrote:

> Hey all,
>
> I love the fact that your backlog is very transparent, and that I can see
> a list of all tasks completed for a given release.
>
> However, I was wondering how you handle tasks for compromising bugs? For
> instance, one could look in the backlog for a bug that states "If you send
> '123' to the master realm token endpoint at precisely 6:59am on a Tuesday,
> you will be granted an admin token! Please Fix!", and use that
> information to gain access to the systems of those using Keycloak.
>
> Thank you in advance.
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>