Since this project handles very sensitive data, we, the maintainers of libwebauthn, take security seriously. This policy outlines our intentions for addressing security issues and practices for security researchers investigating this project.
If you have discovered a security vulnerability in this project, please report it to us privately via the process below.
We use GitHub for private vulnerability disclosure. To report a vulnerability:
- Go to Security > Advisories > New draft security advisory.
- Fill out the report and submit the draft.
- The maintainers will be privately notified about the advisory and get back to you.
We aim to acknowledge receipt of your report as soon as possible and will work with you. We seek to investigate issues within 30 days.
If the issue is confirmed upon investigation, we will collaborate with you to remediate the vulnerability. Depending on severity or developer availability, we may request more time to remediate the issue before public disclosure.
We only support the latest published release. We may backport patches when possible to help users running on distributions that package older versions of our software.