A vulnerability disclosure policy (VDP), also referred to as a responsible disclosure policy, describes how an organization will handle reports of vulnerabilities submitted by ethical hackers. A VDP must therefore be easy to find, and a simple way to achieve that is a security.txt notice.
Contact: mailto:info@balazsorban.com
Contact: mailto:hi@thvu.dev
Contact: mailto:authjs-security@ndo.dev
Acknowledgments: https://authjs.dev/security
Preferred-Languages: en
Canonical: https://authjs.dev/.well-known/security.txt

# Security Policy

NextAuth.js practices responsible disclosure.

## Reporting a Vulnerability

We request that you contact us directly to report serious issues that might impact the security of sites using NextAuth.js.

If you contact us regarding a serious issue:

- We will endeavor to get back to you within 72 hours.
- We will aim to publish a fix within 30 days.
- We will disclose the issue (and credit you, with your consent) once a fix to resolve the issue has been released.
- If 90 days has elapsed and we still don't have a fix, we will disclose the issue publicly.

The best way to report an issue is by contacting us via email at hi@thvu.dev, info@balazsorban.com and yo@ndo.dev, or raise a public issue requesting someone get in touch with you via whatever means you prefer for more details. (Please do not disclose sensitive details publicly at this stage.)

> For less serious issues (e.g. RFC compliance for unsupported flows or potential issues that may cause a problem in the future) it is appropriate to submit these publicly as bug reports or feature requests or to raise a question to open a discussion around them.

## Supported Versions

Security updates are only released for the current version. Old releases are not maintained and do not receive updates.
This policy, crawled by Onyphe on 2025-04-03, is sorted as securitytxt.
FireBounty © 2015-2025