Puppet supports coordinated disclosure of security vulnerabilities.
We have separate processes for reporting security issues with our products and with our infrastructure. Find below the full submission process for each.
To be informed of new vulnerability announcements, please subscribe to the Puppet Security Announce list.
This process should be followed for reporting issues with Puppet infrastructure:
- and any of our other web properties except the Forge
This process should be followed for reporting issues with any Puppet products and open source projects, such as Puppet Enterprise, open source Puppet, MCollective, PuppetDB, as well as Puppet Forge modules authored by Puppet.
This process should also be followed for any security issues related to packages we distribute. However, please follow the infrastructure security process for the infrastructure hosting those packages (yum/apt.puppet.com, etc.)
At Puppet, we take the security of our products seriously. We respond to security issues and concerns promptly, and when necessary we release new versions of the product to address vulnerabilities or security issues.
Puppet not only issues vulnerability announcements for our own products, we also issue advisories for open source projects included in Puppet products. When responding to a potential vulnerability, we always err on the side of issuing a CVE (Common Vulnerabilities & Exposure) if we are unsure how best to proceed. We believe being transparent and raising awareness is too important to do any less.
If we are unable to determine the complete impact of a vulnerability in software we include as part of Puppet Enterprise, we write a patch and issue an update. When we issue patches for our open source projects and for Puppet Enterprise, we communicate immediately with distributors of Puppet, so they can make updates to their own distributions and products available when the vulnerability is made public.