Puppet's vulnerability submission process

Security Policy

Puppet supports coordinated disclosure of security vulnerabilities. Please note that we have a process for reporting security issues with our infrastructure and a process for reporting security issues with our product line.

Infrastructure Security

Please report security issues you find for Puppet infrastructure, including:

  • puppet.com
  • puppetconf.com
  • docs.puppet.com
  • tickets.puppet.com
  • ask.puppet.com
  • yum/apt.puppet.com

and any of our other web properties, except the Forge, which follows the product reporting process, below.

While we usually credit security researchers who make substantial contributions to our product security, we do not typically award credit for reporting infrastructure security issues on our web properties.

We do not need to receive reports on the following types of issues:

  • Software version or banner disclosures
  • Directory traversal on yum, apt, or downloads.puppet.com where traversal is explicitly desired
  • Self-XSS or CSRF on unauthenticated web forms (including logout CSRF)
  • Disclosure or discovery of known public files or directories (for example, robots.txt, simple DNS enumeration)
  • Brute force attempts (for example, log-in and forgot password pages don’t have lockouts)
  • Account enumeration (for example, enumerating login or reset fields for valid accounts without lockouts)

To contact the Puppet infrastructure team, use the following email address: security-infrastructure@puppet.com.

Product Security

Please report security issues you find in any Puppet products, including, but not limited to, Puppet Enterprise, Puppet, MCollective, and the Puppet Forge. In addition we ask that you report any security issues related to packages we distribute. However, for issues related to the infrastructure hosting those packages (for example, yum or apt.puppet.com), contact the Puppet infrastructure team.

You can contact the Puppet security team via encrypted communication using our GPG Public Key:

Puppet Security Team
Key Long-format ID: 8728524FE21D3FC6
Key Fingerprint: 489C F9E6 BB24 2589 EFF5 BB68 8728 524F E21D 3FC6

The key is available in ASCII encoded format. It can also be retrieved and verified from the MIT Key Server.

Puppet is happy to fully disclose all details of a security vulnerability, but, in the interest of coordinated disclosure, we ask security researchers and other stakeholders to allow us sufficient time to patch the vulnerability before anyone publishes the details.

We credit security researchers based on the value of the contributions they provide. The Puppet security team reviews each disclosure and assigns a scored value based on the relevance of the disclosure. These scores are calculated quarterly, and the top-scoring individuals are publicly credited on our website. Additional credit will be awarded to individuals who provide code fixes or additional information about how to fix the vulnerability.

To contact the Puppet product security team, use the following email address: security@puppet.com.

↑ Back to top