We release patches for security vulnerabilities in the following versions:

| Version | Supported |
|---|---|
| 1.x.x | ✅ |
We take the security of Orthrus seriously. If you believe you have found a security vulnerability, please report it to us as described below.

Please do not report security vulnerabilities through public GitHub issues.

Instead, please send an email to thavarshan@gmail.com with the following information:

- Type of issue (e.g., buffer overflow, SQL injection, cross-site scripting, etc.)
- Full paths of source file(s) related to the manifestation of the issue
- The location of the affected source code (tag/branch/commit or direct URL)
- Any special configuration required to reproduce the issue
- Step-by-step instructions to reproduce the issue
- Proof-of-concept or exploit code (if possible)
- Impact of the issue, including how an attacker might exploit the issue

This information will help us triage your report more quickly.

After you submit a report, you can expect the following response timeline:

- Acknowledgment: We will acknowledge receipt of your vulnerability report within 48 hours
- Initial Assessment: We will provide an initial assessment within 5 business days
- Status Updates: We will keep you informed of our progress throughout the investigation
- Resolution: We aim to resolve security issues within 30 days when possible

When we receive a security bug report, we will:

- Confirm the problem and determine the affected versions
- Audit code to find any potential similar problems
- Prepare a fix for all supported releases
- Release new versions with the fix
- Publicly announce the security fix

We request that you give us reasonable time to address the issue before making any information public.
This application implements OAuth 2.0 and JWT-based authentication with the following security measures:

Access tokens:

- Algorithm: RS256 (RSA with SHA-256)
- Key Length: 4096-bit RSA keys
- TTL: 15 minutes (configurable)
- Storage: Stateless, signed tokens
- Revocation: JTI-based blacklisting for compromised tokens

Refresh tokens:

- Format: UUID.cryptographic_secret
- Storage: Argon2id hashed secrets in database
- Rotation: Automatic rotation on each use
- Reuse Detection: Family invalidation on suspicious activity
- TTL: Configurable (default: 30 days)

Multi-tenant isolation and authorization:

- Isolation: Complete organization-level data separation
- Validation: Required X-Org-Id header on protected endpoints
- Scope Control: OAuth 2.0 scope-based authorization
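The refresh-token policy above (UUID.secret format, hashed secret at rest, rotation on every use, family invalidation on reuse) is easiest to understand as code. The following is an added example written for this document, not Orthrus code. It assumes an in-memory dict in place of the database, and it hashes the random secret with SHA-256 because Argon2id is not in Python's standard library; the policy specifies Argon2id, so swap that in for a real store. The `StoredToken`, `RefreshTokenStore` and `demo` names are this example's own.

```python
"""Refresh-token rotation with family-based reuse detection (added example)."""
import hashlib
import hmac
import secrets
import uuid
from dataclasses import dataclass

REFRESH_TTL_SECONDS = 30 * 24 * 3600  # the policy's default 30-day TTL


@dataclass
class StoredToken:
    token_id: str       # UUID half of "UUID.secret"; used to look the row up
    secret_hash: str    # hash of the secret half; plaintext is never stored
    family_id: str      # shared by every token descended from one login
    user_id: str
    expires_at: int     # unix seconds
    used: bool = False  # set on rotation; a second presentation is a reuse event


class RefreshTokenStore:
    def __init__(self):
        self.tokens = {}               # token_id -> StoredToken (stands in for the DB)
        self.revoked_families = set()  # families killed by reuse detection

    @staticmethod
    def hash_secret(secret):
        # Stand-in for Argon2id (assumption: argon2 is not in the stdlib).
        # Acceptable only because the secret is 256 bits of random data.
        return hashlib.sha256(secret.encode()).hexdigest()

    def _mint(self, user_id, family_id, now):
        token_id = str(uuid.uuid4())
        secret = secrets.token_urlsafe(32)
        self.tokens[token_id] = StoredToken(
            token_id, self.hash_secret(secret), family_id, user_id,
            now + REFRESH_TTL_SECONDS)
        return f"{token_id}.{secret}"  # only the client ever sees the secret

    def issue(self, user_id, now):
        """Login: start a fresh token family."""
        return self._mint(user_id, str(uuid.uuid4()), now)

    def rotate(self, presented, now):
        """Exchange a valid refresh token for a new one in the same family.

        Raises PermissionError for malformed, unknown, expired, revoked or
        reused tokens; on reuse the entire family is revoked first.
        """
        token_id, sep, secret = presented.partition(".")
        record = self.tokens.get(token_id) if sep else None
        if record is None:
            raise PermissionError("unknown token")
        if not hmac.compare_digest(record.secret_hash, self.hash_secret(secret)):
            raise PermissionError("bad secret")
        if record.family_id in self.revoked_families:
            raise PermissionError("family revoked")
        if now >= record.expires_at:
            raise PermissionError("expired")
        if record.used:
            # Already rotated once: either the real client or a thief holds a
            # stale copy. We cannot tell which, so every token in the family
            # (including the currently live one) is invalidated.
            self.revoked_families.add(record.family_id)
            raise PermissionError("reuse detected, family revoked")
        record.used = True
        return self._mint(record.user_id, record.family_id, now)


def demo():
    """Normal rotation, then replay of the retired token, then the live token."""
    store = RefreshTokenStore()
    t1 = store.issue("user-1", now=1_000)
    store.rotate(t1, now=1_060)  # legitimate rotation: t1 retired, t2 live
    t2 = next(iter(tid for tid, rec in store.tokens.items() if not rec.used))
    t2 = f"{t2}.wrong-secret-on-purpose" if False else _live_token(store, t1)
    outcomes = ["rotated"]
    for tok, when in ((t1, 1_120), (t2, 1_180)):
        try:
            store.rotate(tok, now=when)
            outcomes.append("rotated")
        except PermissionError as exc:
            outcomes.append(str(exc))
    return outcomes


def _live_token(store, retired):
    """Helper for demo(): re-derive the live token string issued by rotate()."""
    raise NotImplementedError  # replaced below; see demo_simple()


def demo_simple():
    """Same scenario as demo() without the helper: keep the string rotate() returns."""
    store = RefreshTokenStore()
    t1 = store.issue("user-1", now=1_000)
    t2 = store.rotate(t1, now=1_060)  # legitimate rotation: t1 retired, t2 live
    outcomes = ["rotated"]
    for tok, when in ((t1, 1_120), (t2, 1_180)):
        try:
            store.rotate(tok, now=when)
            outcomes.append("rotated")
        except PermissionError as exc:
            outcomes.append(str(exc))
    return outcomes


if __name__ == "__main__":
    print(demo_simple())
```

The replay of `t1` is what the policy calls suspicious activity: the store cannot know whether the legitimate client or someone with a stolen copy sent it, so it revokes the whole family, which is why the otherwise valid `t2` is rejected afterwards and the user has to log in again.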
The application implements rate limiting on authentication endpoints:

- Login endpoint: IP-based throttling
- Token endpoint: IP-based throttling
- Framework: Symfony Rate Limiter component
Signing keys:

- Generation: OpenSSL 4096-bit keys
- Storage: Local filesystem in `var/keys/` (gitignored)
- Rotation: Manual process with JWKS update
- Discovery: Public keys available at `/.well-known/jwks.json`

Key protection:

- Keys are excluded from version control
- Private keys have restricted file permissions
- JWKS endpoint includes proper cache headers

Database:

- Production: PostgreSQL with TLS encryption
- Development: Docker containerized PostgreSQL
- Testing: SQLite in-memory for isolation

Credential and secret storage:

- Password Hashing: PHP password_hash() with default algorithm
- Refresh Token Secrets: Argon2id hashing
- Sensitive Data: No plaintext storage of secrets

Input validation:

- Request Validation: Symfony Validator component
- Type Safety: PHP 8.2+ strict typing
- Sanitization: Doctrine ORM parameter binding
- Output Encoding: JSON response encoding

Configuration and secrets management:

- Environment Variables: Sensitive configuration via .env files
- Secrets Management: No hardcoded secrets in source code
- Docker: Containerized services with network isolation

Production hardening:

- Debug Mode: Disabled in production
- Error Reporting: Sanitized error responses
- Logging: Configurable log levels

Web security:

- CORS: Configurable cross-origin resource sharing
- HTTPS: TLS encryption for all communications (recommended)
- Content Security Policy: Configurable HTTP security headers
- SQL Injection Prevention: Doctrine ORM parameter binding
- XSS Prevention: JSON API responses, no HTML rendering
We recommend implementing the following monitoring practices:

Authentication monitoring:

- Failed login attempt tracking
- Unusual access pattern detection
- Geographic access anomalies
- Multiple refresh token usage

System monitoring:

- Database connection monitoring
- Rate limit breach alerts
- Error rate monitoring
- Resource usage tracking
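Three of the practices above (failed login attempt tracking, multiple refresh token usage, rate limit breach alerts) can be turned into concrete detection rules. The following is an added example for this document, not Orthrus code. The log line format (one `timestamp key=value ...` line per event) and the event names `login_failed`, `login_success`, `rate_limit_exceeded` and `refresh_token_reuse` are assumptions made for the illustration, as are the sample lines, which are constructed; adapt `parse_line` to whatever your deployment actually logs.

```python
"""Detection rules over authentication logs (added example, not Orthrus code)."""
import re
from collections import defaultdict, deque
from datetime import datetime

FAILURE_THRESHOLD = 5   # failed logins from one IP ...
WINDOW_SECONDS = 60     # ... within this many seconds raises an alert

# Constructed sample log (assumed format): a failed-login burst, one normal
# login, a rate-limit breach, a refresh-token reuse event, and a lone failure
# well after the burst.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z event=login_failed ip=203.0.113.7 user=alice
2024-05-01T10:00:05Z event=login_failed ip=203.0.113.7 user=alice
2024-05-01T10:00:09Z event=login_failed ip=203.0.113.7 user=alice
2024-05-01T10:00:12Z event=login_success ip=198.51.100.4 user=carol
2024-05-01T10:00:14Z event=login_failed ip=203.0.113.7 user=alice
2024-05-01T10:00:20Z event=login_failed ip=203.0.113.7 user=alice
2024-05-01T10:00:21Z event=rate_limit_exceeded ip=203.0.113.7 endpoint=/login
2024-05-01T10:02:00Z event=refresh_token_reuse ip=192.0.2.9 user=bob family=fam-42
2024-05-01T10:05:00Z event=login_failed ip=203.0.113.7 user=alice
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.+)$")


def parse_line(line):
    """Return a dict of key=value fields plus a parsed 'ts', or None if unparseable."""
    match = LINE_RE.match(line.strip())
    if not match:
        return None
    try:
        ts = datetime.fromisoformat(match.group("ts").replace("Z", "+00:00"))
    except ValueError:
        return None
    fields = dict(pair.split("=", 1) for pair in match.group("kv").split() if "=" in pair)
    fields["ts"] = ts
    return fields


def analyze(lines):
    """Run the three detectors over an iterable of log lines; return alert strings in order."""
    alerts = []
    failures = defaultdict(deque)  # ip -> timestamps of failed logins inside the window
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        event = rec.get("event")
        if event == "login_failed":
            ip = rec.get("ip", "?")
            window = failures[ip]
            window.append(rec["ts"])
            # Sliding window: drop failures older than WINDOW_SECONDS.
            while (rec["ts"] - window[0]).total_seconds() > WINDOW_SECONDS:
                window.popleft()
            if len(window) >= FAILURE_THRESHOLD:
                alerts.append(f"brute_force ip={ip} failures={len(window)} within {WINDOW_SECONDS}s")
                window.clear()  # one alert per burst rather than one per further failure
        elif event == "rate_limit_exceeded":
            alerts.append(f"rate_limit_breach ip={rec.get('ip', '?')} endpoint={rec.get('endpoint', '?')}")
        elif event == "refresh_token_reuse":
            # Mirrors the token policy: a replayed refresh token means a stolen
            # copy or a misbehaving client, and the family has been revoked.
            alerts.append(f"refresh_token_reuse user={rec.get('user', '?')} family={rec.get('family', '?')}")
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG.splitlines()):
        print(alert)
```

The failed-login rule deliberately keys on the source IP rather than the username, since the rate limiting described earlier is also IP-based; a per-user window alongside it would catch password spraying spread across many addresses.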
Before deploying to production, verify the following:

Deployment:

- HTTPS/TLS enabled for all endpoints
- Database connections encrypted
- Network firewalls configured
- Access logging enabled
- Debug mode disabled
- Error reporting configured for production
- Rate limiting enabled
- CORS policies configured

Keys and secrets:

- RSA keys generated with proper entropy
- Environment variables secured
- File permissions restricted on key files
- Database credentials rotated

Monitoring and response:

- Security event logging enabled
- Failed authentication tracking
- Anomaly detection configured
- Incident response procedures documented
Security updates will be clearly marked in release notes and will include:

- CVE number (if applicable)
- Severity level (Critical, High, Medium, Low)
- Affected versions
- Mitigation steps
- Upgrade instructions

Subscribe to releases on GitHub to receive notifications of security updates.

Further reading:

- OWASP Top 10
- PHP Security Guide
- Symfony Security
- JWT Security Best Practices
- OAuth 2.0 Security Best Current Practice

We appreciate your efforts to responsibly disclose security vulnerabilities and help us maintain the security of this project and our users.