Security sensitive issues are marked as security sensitive, which means
that only the reporter and core team members can view the issue. However,
as it's all open source, someone can monitor commits and figure out exploits

Once we have a supported version of Keycloak ready we'll have a channel to
distribute patches to customers prior to disclosing any details and code to

On 26 May 2016 at 01:23, Brian Watson <watson409(a)gmail.com> wrote:
I love the fact that your backlog is very transparent, and that I can see
a list of all tasks completed for a given release.

However, I was wondering how you handle tasks for compromising bugs? For
instance, one could look in the backlog for a bug that states "If you send
'123' to the master realm token endpoint at precisely 6:59am on a Tuesday,
you will be granted an admin token! Please Fix!", and use that
information to gain access to the systems of those using Keycloak.

Thank you in advance.
keycloak-user mailing list