
CVE Response Playbook

Expect 5+ CVEs/year on Zitadel. Most are medium; a few are high/critical. Missing one is how auth servers get breached.

Subscribe (do this once)

  1. GitHub advisories (canonical): go to https://github.com/zitadel/zitadel → Watch → Custom → check Security alerts. Deliver the notifications to the zitadel-ops@huph.val.id shared inbox (not a person) so departures don't break the subscription.
  2. Release feed: RSS https://github.com/zitadel/zitadel/releases.atom → pipe into Slack #zitadel-ops via an RSS app.
  3. Zitadel technical advisories: bookmark https://zitadel.com/docs/support/technical_advisory and add it to the monthly review.
  4. NVD/OSV fallback: https://osv.dev/list?ecosystem=Go&q=zitadel for dependency CVEs not yet on GitHub.

Triage SLA

On advisory receipt, within 1 business hour classify:

| Severity (CVSS + context) | SLA |
|---|---|
| Critical: remote auth bypass / RCE, unauthenticated, and we are exposed | 24 hours |
| High: auth/session impact, authenticated exploit, and we use the feature | 72 hours |
| High, but we do not use the affected code path (e.g. SAML feature off) | 1 week |
| Medium: defense-in-depth, no known exploit | Next cycle (monthly) |
| Low / informational | Quarterly review |

"Context" matters: a SAML bug is a non-issue if we only run OIDC, but confirm the feature is actually disabled in our config rather than assuming it. Always read the advisory; don't just glance at the CVSS score.

Patch flow

```text
1. Open a tracking issue: gh issue create \
     --title "CVE-YYYY-NNNNN Zitadel <sev> – <1-line summary>" \
     --body "Advisory: <URL>. Affected: vX.Y–vA.B. Fixed: vA.C. HUPH exposed: yes/no because ..."
2. Pull the fixed version into staging. Run scripts/zitadel-backup.sh first, then upgrade per 02-upgrade.md.
3. Let staging soak 24h (critical: 1h, and document why the soak was shortened).
4. Upgrade prod in a scheduled window. Post in #zitadel-ops.
5. Close the issue with: date patched, version-from, version-to, smoke-test results.
```

Decision log

Append to docs/ops/zitadel/cve-log.md (one line per event):

```text
2026-05-03 | CVE-2026-12345 | HIGH | v4.1.2 → v4.1.3 | patched 2026-05-04 14:20 WIB | on-call: fariz
2026-06-11 | GHSA-xxxx-yyyy | MED  | v4.2.0           | deferred to monthly: SAML path unused, re-review 2026-07-11
```

Auditor-ready: who, what, when, why. Never rely on memory.
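The triage table and the decision log above can be scripted so the affected-version check is not done by eye. The following Python helper is an added example for this runbook, not Zitadel's code and not one of the scripts/ referenced on this page. It takes an advisory in the OSV schema (the format https://api.osv.dev returns, which is what the OSV fallback link above searches), decides whether the version we run falls inside the affected range, maps severity plus our context onto the SLA rows, and formats a cve-log.md line. The sample advisory is constructed (it reuses the placeholder IDs from the log above), and the Context fields, function names, and the handling of rows the table leaves implicit (a critical bug in a code path we don't run; a critical bug that is not internet-reachable) are assumptions, marked as such in the code.

```python
from __future__ import annotations

import json
import urllib.request
from dataclasses import dataclass
from datetime import datetime, timedelta

OSV_QUERY_URL = "https://api.osv.dev/v1/query"   # real OSV endpoint
ZITADEL_MODULE = "github.com/zitadel/zitadel"    # Go module name used on OSV


def parse_semver(v: str) -> tuple[int, int, int]:
    """'v4.1.2' -> (4, 1, 2). Pre-release/build tags are dropped (assumption:
    prod never runs pre-releases, so 4.1.3-rc.1 is treated as 4.1.3)."""
    core = v.lstrip("v").split("-", 1)[0].split("+", 1)[0]
    parts = [int(p) for p in core.split(".")] + [0, 0]
    return (parts[0], parts[1], parts[2])


def is_affected(version: str, events: list[dict]) -> bool:
    """Walk an OSV SEMVER range in order: 'introduced' opens a window,
    'fixed' (exclusive) or 'last_affected' (inclusive) closes it."""
    v = parse_semver(version)
    inside = False
    for ev in events:
        if "introduced" in ev:
            inside = ev["introduced"] == "0" or v >= parse_semver(ev["introduced"])
        elif "fixed" in ev and inside:
            inside = v < parse_semver(ev["fixed"])
        elif "last_affected" in ev and inside:
            inside = v <= parse_semver(ev["last_affected"])
    return inside


def affected_events(advisory: dict, module: str = ZITADEL_MODULE) -> list[dict]:
    """Collect the SEMVER events that apply to our module from one OSV record."""
    return [ev
            for aff in advisory.get("affected", [])
            if aff.get("package", {}).get("name") == module
            for rng in aff.get("ranges", []) if rng.get("type") == "SEMVER"
            for ev in rng.get("events", [])]


@dataclass
class Context:
    unauthenticated: bool  # exploitable without valid credentials
    exposed: bool          # vulnerable endpoint reachable from the internet
    feature_used: bool     # we actually run the affected code path (e.g. SAML)


def sla_for(severity: str, ctx: Context) -> tuple[str, timedelta | None]:
    """Severity plus context -> triage table row. A None delta means 'regular
    cycle', not 'ignore'. Rows the table leaves implicit are marked as assumptions."""
    sev = severity.upper()
    if sev in ("CRITICAL", "HIGH") and not ctx.feature_used:
        return "HIGH (code path unused)", timedelta(weeks=1)  # assumption: critical-but-unused shares this row
    if sev == "CRITICAL" and ctx.unauthenticated and ctx.exposed:
        return "CRITICAL", timedelta(hours=24)
    if sev in ("CRITICAL", "HIGH"):
        return "HIGH", timedelta(hours=72)  # assumption: critical without exposure uses the 72h row
    if sev == "MEDIUM":
        return "MED (next monthly cycle)", None
    return "LOW (quarterly review)", None


def triage(version: str, advisory: dict, severity: str, ctx: Context, received_iso: str) -> dict:
    """Affected? Which row? When is it due? Deadline is ISO 8601 in the receipt's zone."""
    hit = is_affected(version, affected_events(advisory))
    label, delta = sla_for(severity, ctx) if hit else ("NOT AFFECTED", None)
    due = (datetime.fromisoformat(received_iso) + delta).isoformat() if delta else None
    return {"affected": hit, "label": label, "due": due}


def log_line(day: str, advisory_id: str, label: str, from_v: str, to_v: str | None, note: str) -> str:
    """One entry in the cve-log.md format used on this page."""
    versions = f"{from_v} → {to_v}" if to_v else from_v
    return f"{day} | {advisory_id} | {label} | {versions} | {note}"


def query_osv(version: str, module: str = ZITADEL_MODULE) -> list[dict]:
    """Live lookup (network): every advisory OSV knows for this exact version."""
    body = json.dumps({"version": version.lstrip("v"),
                       "package": {"name": module, "ecosystem": "Go"}}).encode()
    req = urllib.request.Request(OSV_QUERY_URL, data=body,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp).get("vulns", [])


# Constructed sample in the OSV schema, reusing the placeholder IDs from the
# decision log above; it is not a real Zitadel advisory.
SAMPLE_ADVISORY = {
    "id": "GHSA-xxxx-yyyy", "aliases": ["CVE-2026-12345"],
    "affected": [{"package": {"ecosystem": "Go", "name": ZITADEL_MODULE},
                  "ranges": [{"type": "SEMVER",
                              "events": [{"introduced": "4.0.0"}, {"fixed": "4.1.3"}]}]}],
}

if __name__ == "__main__":
    ctx = Context(unauthenticated=False, exposed=True, feature_used=True)
    r = triage("v4.1.2", SAMPLE_ADVISORY, "HIGH", ctx, "2026-05-03T09:00:00+07:00")
    print(log_line("2026-05-03", "CVE-2026-12345", r["label"], "v4.1.2", "v4.1.3",
                   f"due {r['due']} | on-call: <name>"))
```

To use it for real, swap SAMPLE_ADVISORY for an entry returned by query_osv(<the version we run>). The Context values still have to come from a human who read the advisory; the script only removes the version-range arithmetic and the log formatting from the on-call's plate.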

Don't-panic checks before patching

  • Is the advisory actually about self-hosted, or only Zitadel Cloud?
  • Is the affected feature genuinely disabled in our config (e.g. SAML off), or merely unused? Unused is not unreachable; check before deferring.
  • Is the fix in a version that also includes a breaking change? Read the release notes.
  • Do we have a recent DB backup? (Run scripts/zitadel-backup.sh first.)