From dbcd95eb6228b8f2c678ed8c737eb4818904d26e Mon Sep 17 00:00:00 2001 From: Gani Georgiev Date: Tue, 28 Apr 2026 12:10:24 +0300 Subject: [PATCH] updated the security policy --- .github/SECURITY.md | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/.github/SECURITY.md b/.github/SECURITY.md index 88c45fbb..77abbe3b 100644 --- a/.github/SECURITY.md +++ b/.github/SECURITY.md @@ -72,6 +72,18 @@ If someone is able to tamper with the OAuth2 responses then the entire OAuth2 fl ~Nonetheless, in future PocketBase releases there will be [extra `localhost` domain like checks](https://github.com/orgs/pocketbase/projects/2/views/1?pane=issue&itemId=159545722) when assigning the OAuth2 avatar URL to a `file` field that will further minimize the risk of internal network probing requests in case of a vulnerable OAuth2 provider.~ _Done._ +
+Users enumeration + +This is a common and usually valid report but there is no easy solution without confusing and degrading the users experience. + +Some endpoints, like the user create/register, can be used for username or emails enumeration based on various response heuristics - timing, specific error messages, etc. + +In many places where applicable we've tried to minimize the impact by using constant time checks, returning non-descriptive error messages, applying an internal rate limit for some operations, etc. but it is not bulletproof and if somebody wants to find out if a user is registered they will be able to do it one way or another. + +If you think that there is a place where we can improve the handling without hurting too much the user experience, feel free to open a regular public issue and it will be considered. +
+
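Review bot: The new "Users enumeration" section never states whether such reports are in or out of scope for the private disclosure process, so a reporter reading this policy still does not know whether to send an enumeration finding through the security channel or straight to a public issue; the last paragraph says "open a regular public issue", which suggests these are out of scope for private reporting, and that should be said explicitly in the first sentence (for example "Reports of username/email enumeration alone are out of scope for private disclosure; open a public issue instead"). Also, the heading and a few phrases read awkwardly for a policy document: "Users enumeration" should be "User enumeration", "username or emails enumeration" should be "username or email enumeration", "degrading the users experience" should be "degrading the user experience", and "without hurting too much the user experience" should be "without hurting the user experience too much". Finally, the paragraph listing mitigations ("constant time checks, returning non-descriptive error messages, applying an internal rate limit for some operations") would be more useful to reporters if it named which endpoints those apply to, since the section itself singles out "user create/register" as the enumerable ones; as written a reporter cannot tell whether a timing difference on a given endpoint is already known and accepted or is new.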
disintegration/imaging CVE-2023-36308