We strongly encourage the reporting of potential security vulnerabilities with our Vulnerability Report Form. Please note that the Vulnerability Report Form should only be used for reporting undisclosed security vulnerabilities in Rundeck projects. We cannot accept regular bug reports or other security related queries via the Form. All issues submitted via the Form that does not relate to an undisclosed security problem in a Rundeck project will be ignored.
The general security mailing list address is: firstname.lastname@example.org. This is a private mailing list. Please one form for each vulnerability you are reporting.
Information on the published vulnerabilities for an Rundeck project can usually be found on the project's github wiki. If you can't find the information you are looking for on the project's github wiki, you should ask your question on StackOverflow. The Vulnerability Report Form should not be used to ask questions about : how to configure Rundeck securely; if a published vulnerability applies to specific versions of Rundeck that you are using; if a published vulnerability applies to the configuration of the Rundeck instance you are using; obtaining further information on a published vulnerability; the availability of patches and/or new releases to address a published vulnerability.
An overview of the vulnerability handling process is: The reporter reports the vulnerability privately to Rundeck. The appropriate project's security team works privately with the reporter to resolve the vulnerability. A new release of the Rundeck package concerned is made that includes the fix. The vulnerability is publicly announced.