Thanks for helping keep MaxKey and the wider dromara ecosystem secure.
Please do not open a public issue, discussion, or pull request that describes a suspected vulnerability — that gives attackers a head-start before a fix lands.
Use one of these private channels instead:
GitHub's Private Vulnerability Reporting (preferred). Open a private security advisory at https://github.com/dromara/MaxKey/security/advisories/new. GitHub automatically routes it to the maintainers, keeps the discussion private until you and the maintainers agree to publish, and (optionally) assigns a CVE on publish.
Email. If GitHub PVR is unavailable to you for any reason, email the project lead directly. Maintainers should add the preferred email here when they configure the policy.
A good report contains:
file:line) where useful.MaxKey is an enterprise-grade Identity and Access Management (IAM) and Single Sign-On (SSO) platform supporting SAML, OAuth2, OIDC, CAS, JWT, and more. The maintainers support security fixes on the latest minor release. Older releases will not generally receive backports.
In-scope vulnerability classes include:
Out-of-scope:
After you submit:
Reporters who have helped harden MaxKey via responsible disclosure will be listed here once the corresponding advisory is published.
This policy is suggested via GitHub's "Suggest a security policy" workflow. Maintainers can edit any section freely; the most important thing is that a private reporting channel exists so researchers can submit findings responsibly.