At Puppet, we take the security of our products seriously. We respond to security issues and concerns promptly, and when necessary we release new versions of the affected product to address them.
We not only issue vulnerability announcements for our own products; we also issue advisories for open source projects included in Puppet products. When responding to a potential vulnerability, we always err on the side of requesting a CVE (Common Vulnerabilities and Exposures) identifier if we are unsure how best to proceed. We believe being transparent and raising awareness is too important to do any less.
If we are unable to determine the complete impact of a vulnerability in software we include as part of Puppet Enterprise, we write a patch and issue an update rather than wait for a full assessment. When we issue patches for our open source projects and for Puppet Enterprise, we communicate immediately with distributors of Puppet, so they can have updates to their own distributions and products available when the vulnerability is made public.