Keycloak Bug Bounty Program

About our project

Keycloak centralizes IAM, decoupling applications from user storage, authentication, and authorization. It manages the entire auth flow—federating with LDAP, Active Directory, or social logins—and issues secure JWTs to applications. This consolidation allows administrators to enforce universal security policies, such as MFA and fine-grained authorization, from a single control plane instead of embedding them in dozens of microservices.

As a CNCF project, Keycloak is purpose-built for securing cloud-native microservices. It is designed to run in containers and be managed by Kubernetes Operators. Its Quarkus-based architecture provides the low memory footprint and fast startup essential for horizontal scaling. In this stack, Keycloak acts as the security backbone, issuing tokens that are validated by API gateways or service meshes to secure all requests within the cluster.

About the scope

Submissions must target the latest stable release of in-scope components. Issues specific only to older versions, release candidates, or nightly builds are out of scope unless confirmed reproducible on the latest stable release.

Only vulnerabilities within Supported features are in scope. Any issues identified in features explicitly marked as Preview, Experimental, or Deprecated in the official documentation or release notes are considered out of scope.

In Scope

For the list of specific components and their latest stable versions covered by this program, always refer to the official Keycloak Downloads page: https://www.keycloak.org/downloads. The scope of this program is limited to the three following assets : 

• Keycloak Server: The latest stable release of the Keycloak server (Quarkus distribution), whether downloaded as a ZIP/TAR.GZ or used via the official container image. 
• Keycloak Operator: The latest stable release of the Keycloak Operator for Kubernetes and OpenShift. 
• JavaScript Client Adapter: The latest stable release of the official JavaScript adapter.

Out of scope

This programs will only consider reports about the latest stable versions, which means that the following is considered out of the scope of this program :

• Unsupported or deprecated versions
• Archived releases
• Nightly builds
• Release candidates (RCs)
• Demonstration and Non-Production Code
• All "Quickstarts" and any other example code.
• Test code and testing tools.

Regarding client libraries and adapters, the following will be considered as out of scope :

• Client adapter aside from the official JavaScript adapter, most notably the Node.js adapter
• Client Libraries
• All Java-based "Client Libraries" are considered out of scope, this encompass:
  • Admin Client
  • Authorization Client
  • Policy Enforcer
  • Common Module

In addition to the above, some additional generic exclusions also apply :

• Third party licences and dependencies, for these any issue must be reported to the corresponding project/maintainers and not to our program
• Any issue pertaining to underlying infrastructure, including bugs in any other container runtime or orchestration platform (Kubernetes, OpenShift, Docker, Podman)
• Reports should focus on the Keycloak Operator code itself, not the platform it runs on
• Vulnerabilities in third-party dependencies within container images, including CVEs or flaws in operating system packages (RPMs, DEBs), system libraries (like glibc, openssl), or base container images (like UBI, Alpine) used by the Keycloak Server or Operator images as reports should target vulnerabilities in the Keycloak application code, not pre-existing flaws in its bundled dependencies
• Documentation, blog posts, and website issues (e.g., typos, broken links)
• Non-security-related bugs/issues

Furthermore, reports about behaviours that relies on leveraging a legitimate access as an administrator won't be considered for reward. Being administrator of a Keycloak realm grants extended rights which could be abused as for any application. Due to our threat model and context of use we won't consider reports that leverage legitimate administrator access under the assumption that the administrator may have malicious intent and could abuse his level of rights.

Documentation

This section provides links to the official Keycloak documentation for in-scope components. Security researchers should use these resources to understand the intended architecture, configuration, and protocol flows. 

• Server Administration Guide: This is the most critical resource. Pay close attention to sections on security, realms, users, and tokens. 
• Securing Applications and Services Guide: This explains the protocol flows (OIDC, OAuth 2.0, SAML) from the server's perspective. 
• Server Developer Guide: Useful for understanding how to build custom extensions (Providers). 
• Operator Documentation: This is the main documentation hub for the Operator. 
• JavaScript Adapter Guide: This guide details all initialization options and functions. 
• Keycloak repository : includes the code for Keycloak Server, Keycloak Operator and the JavaScript adapter.

Program rules

About report's content

To qualify for a reward, your report must include: 

• A clear description of the vulnerability. 
• Details about the vulnerable component, endpoint, parameters, and conditions required to trigger the bug. 
• The Keycloak version(s) affected. 
• Clear, step-by-step instructions to reproduce the vulnerability, including necessary setup and relevant HTTP requests. 
• Recommendations for fixing the vulnerability. 

A detailed template is provided during submission – you must use it. Reports that fail to meet these requirements or significantly deviate from the template may be ineligible for rewards or closed without action. Spamming, submitting intentionally low-quality reports, or repeated submission of invalid issues may result in temporary or permanent suspension from the program.

Testing Policy, Responsible Disclosure

Please adhere to the following rules while performing research on this program:

• Denial of service (DoS) attacks on our applications, servers, networks or infrastructure are strictly forbidden
• All reports must be validated manually, submission from automated tools won't be considered and may lead to sanctions (code analysis tools, AI, …)
• Targeting other users' instances is forbidden, only test against your own
• DO NOT include Personally Identifiable Information (PII) in your report and please REDACT/OBFUSCATE the PII that is part of your PoC (screenshot, server response, JSON file, etc.) as much as possible.
• Same with secrets, keys and credentials
• No vulnerability disclosure, full, partial or otherwise, is allowed without prior agreement from us
• Please avoid submitting security issues on our repositories before reporting it to this program, your report might be considered as a duplicate if a related submission already exists on our repositories
• The following topics won’t be considered as a valid finding eligible for reward nonetheless, you’re welcome to suggest improvements about it through our repositories but not our bug bounty program :
  • Code improvements/code quality issues without security impact
  • Insecure default/basic configurations
  • Mistakes or lack of precision in our documentation

Reward Eligibility

We are happy to thank everyone who submits valid reports which help us improve the security, however only those that meet the following eligibility requirements may receive a monetary reward:

• You must be the first reporter of a vulnerability
• You must not break any of the testing policy rules listed above
• You must not be a former or current employee nor a maintainer of our project or one of its contractors
• The vulnerability must be a qualifying vulnerability
• The report must contain the following elements:
  • Clear textual description of the vulnerability, how it can be exploited, the security impact it has on the application, its users and the company, and remediation advice on fixing the vulnerability
  • Proof of exploitation: screenshots demonstrating the exploit was performed, and showing the final impact
  • Provide complete steps with the necessary information to reproduce the exploit, including (if necessary) code snippets, payloads, commands etc
• Identical vulnerabilities present in different versions will be considered as a single issue/will warrant a single reward
• Multiple vulnerabilities caused by one underlying issue will be considered as a single issue/will warrant a single reward

Reward amounts are based on:

• Reward grid of the report's scope
• CVSS scoring and actual business impact of the vulnerability upon performing risk analysis