KrakenD Community Edition only fixes the latest version of the software, and does not patch prior versions.

If you are an existing KrakenD customer or partner, please submit a support ticket or contact KrakenD through any Enterprise channels explaining your findings.

If you are not a customer, please email security@krakend.io with your discovery.

As soon as we read and understand your finding we will provide an answer with next steps and possible timelines.

We want to thank you in advance for the time you have spent to follow this issue, as it helps all open source users. We develop our software in the open with the help of a global community of developers and contributors with whom we share a common understanding and trust in the free exchange of knowledge.

KrakenD’s policy is to credit and reward all researchers provided they follow responsible disclosure practices:

They do not publish the vulnerability prior to KrakenD releasing a fix for it.
They do not divulge exact details of the issue, for example, through exploits or proof-of-concept code.
KrakenD does not credit employees of KrakenD for vulnerabilities they have found.

Current rewards could include (but are not limited to):

Public acknowledgement in release notes when a fix for reported security bug is issued
Addition to the KrakenD Contributors Github organization
Opportunity to meet with our technical staff
KrakenD swag

KrakenD DOES NOT provide cash awards for discovered vulnerabilities at this time.

Thank you