As this is the first public version of App Identity, security updates will be applied on a rolling basis both to the specification and to the reference implementations.
The specification is a living document and is supported for two major versions unless otherwise noted.
Security reports for the version 1 algorithm will not be accepted. It has a well-known token lifetime issue and exists solely to provide support to already existing apps until they can be upgraded.
A future version of the specification will shift from recommending against the use of version 1 to prohibiting the use of version 1.
If there is a flaw in the specification, security releases will be made to the two most recent major releases of each reference implementation that supports the active specification version.
For example, if we have released versions 1.5.3, 2.3.4, and 3.2.1 of the Ruby reference implementation, which supports specification version 4, security updates will be released for 2.3.x and 3.2.x only.
Please use the Tidelift security contact for reporting security vulnerabilities. Tidelift will coordinate the fix and disclosure.
Alternatively, security vulnerabilities may be sent to [email protected] with the text App Identity in the subject. They should be encrypted with age using the following public key:

age1jx0sgpca62669tklat8js4e6xlsxhyy00ccl6y94txy3dtva7ymq44k7p6