We take security very seriously and investigate all reported vulnerabilities. We want to keep our software and services safe for everybody.
CloudBees uses HackerOne for reporting and vulnerability management, and where appropriate bounty payout. If you have a report, you can submit it via our HackerOne program.
You can email firstname.lastname@example.org if you need an invitation to join our program.
In and out of scope items are defined at our program policy page at the above link.
Please note that the Jenkins project maintains its own disclosure resource for security vulnerabilities. Any reports submitted via HackerOne that apply to the Jenkins project will be forwarded.