Puppet's vulnerability submission process

Security policy

Puppet supports coordinated disclosure of security vulnerabilities and welcomes reports from security researchers on issues found in Puppet products, Puppet-distributed packages, or Puppet infrastructure.

Out-of-scope:

  • Software version or banner disclosures
  • Directory traversal or listing on yum, apt, or downloads.puppet.com, where browsing the directory tree is explicitly intended
  • Self-XSS or CSRF on unauthenticated web forms (including logout CSRF)
  • Disclosure or discovery of known public files or directories (for example, robots.txt, simple DNS enumeration)
  • Brute force attempts (for example, reports that log-in and forgot-password pages lack lockouts)
  • Account enumeration (for example, probing login or reset fields for valid accounts in the absence of lockouts)
  • Email spoofing possibilities. Merely recommending that SPF, DMARC, or DKIM be turned on isn’t welcome, though specific issues with those configurations are.

To report a vulnerability, contact the Puppet security team at security@puppet.com.

Contact the Puppet security team via encrypted communication using our PGP Public key:

Puppet Security Team
Key Long-format ID: 8728524FE21D3FC6
Key Fingerprint: 489C F9E6 BB24 2589 EFF5 BB68 8728 524F E21D 3FC6

The key is available in ASCII-armored format. It can also be retrieved from the MIT Key Server and verified against the fingerprint above before use.
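Fetching a key by its ID alone is not enough to trust it; key IDs can be forged, fingerprints cannot. The following script, an added example rather than Puppet's own tooling, shows how a reporter would check a fetched key against the fingerprint published above and only then encrypt a report to it. The key server address hkps://pgp.mit.edu is an assumption; the fingerprint and long ID are the values on this page.

```shell
#!/bin/sh
# Added example, not Puppet's own tooling: verify the Puppet security
# team's PGP key against the published fingerprint before encrypting to it.

EXPECTED_FPR="489C F9E6 BB24 2589 EFF5 BB68 8728 524F E21D 3FC6"   # from this page
KEY_ID="8728524FE21D3FC6"                                         # from this page
KEYSERVER="hkps://pgp.mit.edu"   # assumption: the MIT key server's hkps endpoint

# Normalize a fingerprint: drop whitespace, upper-case the hex digits.
norm_fpr() {
  printf '%s' "$1" | tr -d ' \t\n' | tr '[:lower:]' '[:upper:]'
}

# A long key ID is by definition the low 64 bits (last 16 hex digits) of
# the fingerprint, so the two published values must agree with each other.
keyid_matches_fpr() {
  fpr=$(norm_fpr "$1")
  tail16=$(printf '%s' "$fpr" | tail -c 16)
  [ "$tail16" = "$(norm_fpr "$2")" ]
}

# Read `gpg --with-colons --fingerprint` output on stdin and print the
# primary-key fingerprint (first "fpr" record, field 10).
fpr_from_colons() {
  awk -F: '$1 == "fpr" { print $10; exit }'
}

# Compare a gpg --with-colons dump (stdin) with the expected fingerprint.
# Returns 0 on an exact match, 1 if the key is missing or differs.
verify_colons() {
  expected=$(norm_fpr "$1")
  got=$(fpr_from_colons | tr '[:lower:]' '[:upper:]')
  if [ -z "$got" ]; then
    echo "no fpr record found in gpg output" >&2
    return 1
  fi
  if [ "$got" != "$expected" ]; then
    echo "fingerprint mismatch: got $got, expected $expected" >&2
    return 1
  fi
  return 0
}

# Online path: fetch the key, verify its fingerprint, refuse on mismatch.
fetch_and_verify() {
  keyid_matches_fpr "$EXPECTED_FPR" "$KEY_ID" || return 1
  gpg --keyserver "$KEYSERVER" --recv-keys "$KEY_ID" || return 1
  gpg --with-colons --fingerprint "$KEY_ID" | verify_colons "$EXPECTED_FPR"
}

# Encrypt a report to the full fingerprint, never to the bare key ID.
encrypt_report() {  # usage: encrypt_report report.txt  -> report.txt.asc
  gpg --encrypt --armor --recipient "$(norm_fpr "$EXPECTED_FPR")" \
      --output "$1.asc" "$1"
}

# Run as: sh verify_puppet_key.sh --online report.txt
if [ "${1:-}" = "--online" ] && [ -n "${2:-}" ]; then
  fetch_and_verify && encrypt_report "$2"
fi
```

The offline helpers (`norm_fpr`, `keyid_matches_fpr`, `verify_colons`) can be exercised against a saved `gpg --with-colons` dump without network access; `fetch_and_verify` is the only function that talks to the key server.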

We credit security researchers based on the value of the contributions they provide. The Puppet security team reviews each disclosure and assigns it a score based on its relevance. Scores are totalled quarterly, and the top-scoring individuals are publicly credited on our website. Additional credit is awarded to individuals who provide code fixes or further information on how to fix the vulnerability.

Thank you for supporting Puppet’s coordinated disclosure process!