CloudBees Vulnerability Reporting

We take security very seriously and investigate all reported vulnerabilities. We want to keep our software and services safe for everybody.  

If you have discovered a security vulnerability in one of our products we appreciate your responsible disclosure.  Please contact our security team at If you wish to encrypt your email to us, you may use GPG - our key is 0xC493F3199804F850 and may be downloaded here.

Please note that the Jenkins project maintains its own disclosure resource for security vulnerabilities.

To allow us to more quickly respond to your report, please provide related supporting material that will aid us in understanding the severity and nature of the vulnerability.  This includes any logs or proof-of-concept code that will better help us understand how to recreate the issue.

We will review your submission and assign it a tracking identifier.  We will then respond to you with acknowledgement and information on next steps.  Any information you share with us as part of this process will be kept confidential within CloudBees.

CloudBees public notifications are in the form of security bulletins, which are posted in the CloudBees Security Blog.

Evaluation by CloudBees

The security evaluation process follows the steps below:

  1. Vulnerability submitted
  2. Non-automated acknowledgement of receipt of your submission within 24 hours
  3. CloudBees performs initial investigation
  4. Confirmation of result and plan for resolution and public disclosure
  5. CloudBees resolves / mitigates the vulnerability and notifies impacted customers
  6. Public notification via a security bulletin

You will receive progress updates from us at least every week.

Public Notification

If applicable, CloudBees will coordinate public disclosure of confirmed vulnerabilities with you. We would prefer that our respective public disclosures be coordinated for the protection of our customers and their data. You may choose to be credited for the discovery.

In order to protect our customers and their data, we request that you not share any information about a potential vulnerability in any public setting until we have researched, and addressed the reported vulnerability and informed customers if needed. We ask that you do not post or share any data belonging to our customers.