Puppet supports coordinated disclosure of security vulnerabilities.
We have separate processes for reporting security issues with our products and with our infrastructure. Find below the full submission process for each.
To be informed of new vulnerability announcements, please subscribe to the Puppet Security Announce list.
If you wish to be informed as security updates are released, join our mailing list.
This process should be followed for reporting issues with Puppet infrastructure:
This process should be followed for reporting issues with any Puppet products and open source projects, such as Puppet Enterprise, open source Puppet, MCollective, PuppetDB, as well as Puppet Forge modules authored by Puppet.
This process should also be followed for any security issues related to packages we distribute. However, please follow the infrastructure security process for the infrastructure hosting those packages (yum/apt.puppet.com, etc.).
Review our Submission Process
At Puppet, we take the security of our products seriously. We respond to security issues and concerns promptly, and when necessary we release new versions of the product to address vulnerabilities or security issues.
Puppet not only issues vulnerability announcements for our own products; we also issue advisories for open source projects included in Puppet products. When responding to a potential vulnerability, we always err on the side of issuing a CVE (Common Vulnerabilities and Exposures) if we are unsure how best to proceed. We believe being transparent and raising awareness is too important to do any less.
If we are unable to determine the complete impact of a vulnerability in software we include as part of Puppet Enterprise, we write a patch and issue an update. When we issue patches for our open source projects and for Puppet Enterprise, we communicate immediately with distributors of Puppet, so they can make updates to their own distributions and products available when the vulnerability is made public.