Security-sensitive issues are marked as security sensitive, which means that only the reporter and core team members can view the issue. However, as it's all open source, someone can monitor commits and figure out exploits that way.

Once we have a supported version of Keycloak ready we'll have a channel to distribute patches to customers prior to disclosing any details and code to the community.

On 26 May 2016 at 01:23, Brian Watson <watson409@gmail.com> wrote:
Hey all,

I love the fact that your backlog is very transparent, and that I can see a list of all tasks completed for a given release.

However, I was wondering how you handle tasks for compromising bugs? For instance, one could look in the backlog for a bug that states "If you send '123' to the master realm token endpoint at precisely 6:59am on a Tuesday, you will be granted an admin token! Please Fix!", and use that information to gain access to the systems of those using Keycloak.

Thank you in advance.

_______________________________________________
keycloak-user mailing list
keycloak-user@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user