Our advisories are published on GitHub,
all linked to the main rudder repository.
You can report any security vulnerability affecting Rudder sources, packages, or infrastructure (repositories, websites, etc.) you have found by contacting the Rudder security team either:
- By email at security@rudder.io
- 🔑 You can encrypt your messages using our GPG key
(fingerprint:
340C 9645 2F9A 816C 330A 99B7 C854 668E 3617 3DB3)
- 🔑 You can encrypt your messages using our GPG key
(fingerprint:
- By using private vulnerability reporting on GitHub
If you have not received a reply to your report within 48 hours, you can ask for updates on our chat room. As it is a public channel, please don't discuss specific details there, simply say you are waiting for a response from the security team.
Security issues are treated in priority. Sepending on its severity, an issue may be fixed in the next planned patch release or trigger a quick dedicated patch release.
When the fixed version is published, we mention the presence of security fixes (without specifics) in the change log. We later publish a detailed advisory, after an embargo period which depends on the vulnerability severity (but never more than 3 months).
The list of currently supported versions, receiving security updates, is available in the documentation.