Puppet supports coordinated disclosure of security vulnerabilities and welcomes reports from security researchers on issues found in Puppet products and Puppet-distributed packages or infrastructure.
To report a vulnerability, contact the Puppet security team at firstname.lastname@example.org.
Contact the Puppet security team via encrypted communication using our PGP public key:
Puppet Security Team
Key Long-format ID: 8728524FE21D3FC6
Key Fingerprint: 489C F9E6 BB24 2589 EFF5 BB68 8728 524F E21D 3FC6
We credit security researchers based on the value of the contributions they provide. The Puppet security team reviews each disclosure and assigns a scored value based on the relevance of the disclosure. These scores are calculated quarterly, and the top-scoring individuals are publicly credited on our website. Additional credit will be awarded to individuals who provide code fixes or additional information about how to fix the vulnerability.
Thank you for supporting Puppet’s coordinated disclosure process!