BlogContact SalesTry Puppet 
Search Puppet.com
Why Puppet

Puppet is the industry standard for IT automation.

Modernize, manage and bring your hybrid infrastructure into compliance through Puppet's powerful continuous automation.

Use Cases
Puppet Enterprise LogoGet Puppet Enterprise

First 10 nodes are free!

Products
Pricing & Packaging
Integrations
Puppet Compass Logo
Puppet Compass

Puppet Compass is your learning portal for tools and best practices to address common business challenges.

Professional services
Support
Open Source Puppet Assist
Your one-stop shop for exclusive tools to enhance your efficiency using Open Source Puppet.
Custom consulting services

Get up and running quickly with a custom solution that addresses your unique business goals and easily allows for growth as your needs evolve.

Puppet Forge

Find thousands of component modules built by the community and guidance on using them in your own infrastructure.

EcosystemOpen Source Projects
Community
Contribute
State of DevOps Report

Since launching our first DevOps survey in 2012, we’ve learned a lot about the power of DevOps to transform organizations.

Product Documentation
Resource library
Customers
Partners
Featured Partners
Servicenow Logo
Splunk Logo
Tenable Logo
Puppet Events
About Us

Puppet takes the risk out of change. We meet you where you are today and take you where you need to go.

CompanyWorking at Puppet
Press & news
Events
It's our community that makes Puppet great. Connect with Puppet users and employees.
homesecurity

Security

Vulnerability submission policy

Puppet supports coordinated disclosure of security vulnerabilities.

We have separate processes for reporting security issues with our products and with our infrastructure. Find below the full submission process for each.

To be informed of new vulnerability announcements, please subscribe to the Puppet Security Announce list.

Security announcements

If you wish to be informed as security updates are released, join our mailing list.

Infrastructure Security

This process should be followed for reporting issues with Puppet infrastructure:

  • puppet.com
  • puppetconf.com
  • docs.puppet.com
  • tickets.puppet.com
  • ask.puppet.com
  • yum/apt.puppet.com
  • and any of our other web properties except the Forge

Product Security

This process should be followed for reporting issues with any Puppet products and open source projects, such as Puppet Enterprise, open source Puppet, MCollective, PuppetDB, as well as Puppet Forge modules authored by Puppet.

This process should also be followed for any security issues related to packages we distribute. However, please follow the infrastructure security process for the infrastructure hosting those packages (yum/apt.puppet.com, etc.)

Review our Submission Process

Latest versions of our software

Vulnerability disclosure & reporting philosophy

At Puppet, we take the security of our products seriously. We respond to security issues and concerns promptly, and when necessary we release new versions of the product to address vulnerabilities or security issues.

Puppet not only issues vulnerability announcements for our own products, we also issue advisories for open source projects included in Puppet products. When responding to a potential vulnerability, we always err on the side of issuing a CVE (Common Vulnerabilities & Exposure) if we are unsure how best to proceed. We believe being transparent and raising awareness is too important to do any less.

If we are unable to determine the complete impact of a vulnerability in software we include as part of Puppet Enterprise, we write a patch and issue an update. When we issue patches for our open source projects and for Puppet Enterprise, we communicate immediately with distributors of Puppet, so they can make updates to their own distributions and products available when the vulnerability is made public.

longform security
Puppet sites use proprietary and third-party cookies. By using our sites, you agree to our cookie policy.