The Jenkins project takes security seriously. We make every possible effort to ensure users can adequately secure their automation infrastructure. To that end, we work with Jenkins core and plugin developers, as well as security researchers, to fix security vulnerabilities in Jenkins in a timely manner, and to improve the security of Jenkins in general.

Please report security vulnerabilities in the Jenkins issue tracker under the SECURITY project. This project is configured in such a way that only the reporter and the security team can see the details. By restricting access to this potentially sensitive information, we can work on a fix and deliver it before the method of attack becomes well-known.

If you are unable to report using our issue tracker, you can also send your report to the private Jenkins security team mailing list: jenkinsci-cert@googlegroups.com

The Jenkins security team will then file an issue on your behalf, and will work with the maintainers of the affected component(s) to get the issue resolved.

For further details about our scope, issue handling process, or disclosure process, see Reporting Security Vulnerabilities on jenkins.io.