Skip to content

Add CVE commitment clarity #511

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
JamesW1 merged 1 commit into from
Dec 4, 2025
Merged

Add CVE commitment clarity #511

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
9 changes: 9 additions & 0 deletions content/community/4.reporting-and-support/3.security-reporting.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,8 @@ title: Security Reporting
description: How to report security issues in Directus.
---

### Reporting a Security Issue

If you believe you have discovered a security issue within a Directus product or service, please [open a new private security vulnerability report through GitHub](https://github.com/directus/directus/security/advisories/new). Alternatively, reach out to us directly over email: [security@directus.io](mailto:security@directus.io). We will then open a GitHub security advisory for tracking the fix on your behalf.

Directus values the members of the independent security research community who find security vulnerabilities and work with our team so that proper fixes can be issued to users. Our policy is to credit all researchers in the fix's release notes. In order to receive credit, security researchers must follow responsible disclosure practices, including:
Expand All @@ -11,3 +13,10 @@ Directus values the members of the independent security research community who f
- They do not divulge exact details of the issue, for example, through exploits or proof-of-concepts

You can learn more about how we approach security and compliance at Directus [here](https://directus.io/security).

### Approach to Vulnerability Management

Directus takes a proactive approach to security by continuously monitoring for vulnerabilities using automated tools as part of our engineering pipelines. We are committed to addressing all High and Critical severity vulnerabilities that directly affect Directus. Our priority is to resolve vulnerabilities that impact Directus itself immediately, with fixes posted to the [Security tab](https://github.com/directus/directus/security) on GitHub after release.

For third-party package vulnerabilities that do not cause any vulnerability in Directus itself, we evaluate these on a case-by-case basis and address them during our regular dependency update cycles. We also work to resolve Medium and Low severity issues when they represent minimal effort to fix. This focused approach ensures we allocate our security resources effectively while maintaining the highest standards of protection for our users.