Security Policy and Disclosure Guidelines

Our Security Commitment

At Better Auth, security is our highest priority. We take all security concerns seriously and appreciate the efforts of security researchers and our community in responsibly disclosing potential vulnerabilities.

Reporting a Vulnerability

Preferred Method

Please report security issues by emailing:

What to Include

When reporting a security issue, please include:

  1. Description

    • Clear explanation of the vulnerability
    • Affected versions/components
    • Type of vulnerability (e.g., XSS, CSRF, Authentication Bypass)
  2. Reproduction Steps

    • Detailed steps to reproduce the vulnerability
    • Any required setup or configuration
    • Code samples if applicable
    • Example payload if relevant
  3. Impact Assessment

    • Potential security impact
    • What an attacker might be able to accomplish
    • Affected user groups or data
  4. Supporting Materials

    • Screenshots or videos (if applicable)
    • Proof of concept code (if available)
    • Related references or CVEs
  5. Mitigation Suggestions

    • Proposed fixes or workarounds
    • Recommended security controls

Our Response Process

  1. Initial Response

    • Acknowledgment within 24 to 48 hours
    • Case number assignment
    • Initial severity assessment
  2. Investigation

    • Technical review of the report
    • Impact analysis
    • Verification of reproduction steps
    • Development of fix strategy
  3. Resolution Timeline

    • Critical vulnerabilities: 24-48 hours
    • High severity: 1 week
    • Medium severity: 2 weeks
    • Low severity: Next release cycle
  4. Communication

    • Regular updates on fix progress
    • Notification when fix is ready
    • Coordination on disclosure timeline

Disclosure Policy

  1. Responsible Disclosure

    • No public disclosure before fix implementation
    • Coordinated release of security advisories
    • Credit given to reporters in security advisories
  2. Fix Release Process

    • Security patches released as priority updates
    • Clear documentation of fixes
    • Migration guides if needed
  3. Post-Fix Communication

    • Public security advisories
    • Notification to affected users
    • Updated security documentation

Bug Bounty Program

Currently, we do not operate a formal bug bounty program. However, we do recognize and credit security researchers who:

  • Follow responsible disclosure guidelines
  • Provide clear and actionable reports

Out of Scope

The following are typically out of scope:

  • DoS/DDoS attacks
  • Spam attacks
  • Social engineering
  • Physical security issues
  • Issues requiring physical access
  • Issues in dependencies (report to them directly)
  • TLS configuration issues without practical impact

Contact Information

Remember: Security is a collaborative effort. Thank you for helping keep Better Auth and its users secure!