We take security seriously at F5 DevCentral. If you've found something concerning, this is how to get it to the right people quickly.
We advise users to stay on the most recent version of any project in this organization. Older versions of code samples, labs, and workflows may contain unpatched issues or rely on patterns that were later found to be unsafe.
Do not open a public GitHub issue for security vulnerabilities. Public disclosure before a fix is available puts users at risk.
There are two reporting paths depending on what you've found:
For vulnerabilities in F5 products, F5 software, or anything that may affect F5 customers in production, contact the F5 Security Incident Response Team (F5 SIRT):
- F5 customers with an active support contract: contact F5 Technical Support.
- Non-customers: email f5sirt@f5.com.
For more information, see the F5 SIRT vulnerability reporting guidelines at https://www.f5.com/support/report-a-vulnerability.
For issues specific to F5 DevCentral code samples, labs, demos, or community-maintained content in this organization that don't rise to the level of a product vulnerability, email the F5 DevCentral team at devcentralteam@f5.com.
Examples of what fits this path:
- Insecure defaults in a code sample
- Credentials accidentally committed to a community lab
- A demo that teaches an unsafe pattern
- Vulnerable dependencies in a community-maintained tool
If you're unsure which path applies, default to F5 SIRT. They'll route appropriately.
A good report includes:
- Description: what the vulnerability is, in plain terms
- Impact: what could happen if exploited, severity if you can estimate
- Steps to reproduce: enough detail that someone can validate the issue
- Suggested fix: if you have one (optional, but appreciated)
- Your contact information: so we can follow up
After you report, here's roughly how it goes:
- Acknowledgment: we'll confirm receipt as soon as we can.
- Initial triage: we'll validate the issue and assess severity.
- Updates: we'll keep you informed as we investigate and develop a fix.
- Resolution: a fix is developed, tested, and released on a timeline that matches the severity.
- Coordinated disclosure: we publicly disclose after a fix is available and users have had reasonable time to update, typically 30–90 days. You'll be credited in any advisory unless you'd prefer to remain anonymous.
The following generally fall outside what we can act on:
- Issues in outdated or unsupported versions
- Theoretical vulnerabilities without practical impact
- Vulnerabilities in third-party dependencies (please report those upstream)
- Issues requiring extensive user interaction or extremely unlikely scenarios
- Social engineering attacks against our team
Repository-specific security advisories are published on each project's GitHub Security tab when applicable. F5 product security advisories are published at https://my.f5.com/manage/s/article/K4602.
Thanks for helping keep F5 DevCentral projects and the broader F5 community safe.