# Responsible disclosure

> How to report a security issue in Authsome.

If you find a security issue in Authsome, please tell us privately so we can fix it before it is made public.

## How to report

Open a [private security advisory on GitHub](https://github.com/agentrhq/authsome/security/advisories/new) and include:

* A clear description of the issue and its impact.
* Steps to reproduce. A minimal proof of concept is ideal.
* The affected version (`authsome --version`).
* Your name and a way to credit you in the fix announcement, if you want credit.

Private advisories are visible only to repository maintainers until coordinated disclosure.

## What to expect

| Step                           | Timeline                                                              |
| ------------------------------ | --------------------------------------------------------------------- |
| Acknowledgement                | Within 72 hours                                                       |
| Triage and severity assessment | Within 5 business days                                                |
| Fix scoping and target release | Communicated after triage                                             |
| Coordinated disclosure         | After a fix is released, unless the issue is being actively exploited |

We will keep you in the loop through the fix and credit you in the release notes unless you prefer to remain anonymous.

## Scope

In scope:

* The Authsome CLI, Python library, and local daemon.
* Bundled provider definitions.
* The mitmproxy-based local HTTP proxy.
* The daemon dashboard UI.

Out of scope:

* Bugs in third-party providers' OAuth implementations. Report those to the provider.
* Bugs in upstream dependencies. We will track the relevant CVE and bump our pinned version.
* Issues that require local root or physical access to the machine. Authsome's threat model assumes the local machine and user account are trusted.

## Public release notes

Fixed issues are documented in [CHANGELOG.md](https://github.com/agentrhq/authsome/blob/main/CHANGELOG.md) and the GitHub release announcement, with a CVE identifier when one is assigned.
