Please use this email: security@openfga.dev to reach out to us regarding any security concerns or vulnerabilities. Please avoid using GitHub issues or discussions for this purpose.
All vulnerabilities and associated information will be treated with full confidentiality. We strive to reply within 5 business days.
The following are in scope for CVE assignment:
- OpenFGA server and its stable APIs
- Official OpenFGA SDKs (stable releases)
- OpenFGA CLI (stable releases)
- Official tooling (stable releases), including IDE extensions, Helm Charts, GitHub Actions, and Terraform Provider
The following are out of scope for CVE assignment:
- Experimental features: Features marked as experimental are not eligible for CVE assignment. Experimental features are provided as-is, may change or be removed without notice, and do not carry the same security support guarantees as stable features.
- Unverified scanner output: We do not accept reports that consist solely of automated vulnerability scanner output without confirmation that the reported issue actually affects OpenFGA.
If you discover a security issue in an experimental feature, you are still encouraged to report it to security@openfga.dev. We will assess the report and may address it, but it will not be assigned a CVE or treated as a formal security advisory.