The Rundeck Security Team

The Rundeck Security Team exists to provide help and advice to Rundeck projects on security issues and to provide coordination of the handling of security vulnerabilities.

REPORTING A VULNERABILITY

We strongly encourage the reporting of potential security vulnerabilities with our Vulnerability Report Form. Please note that the Vulnerability Report Form should only be used for reporting undisclosed security vulnerabilities in Rundeck projects. We cannot accept regular bug reports or other security related queries via the Form. All issues submitted via the Form that does not relate to an undisclosed security problem in a Rundeck project will be ignored.

The general security mailing list address is: security@rundeck.com. This is a private mailing list. Please one form for each vulnerability you are reporting.

VULNERABILITY INFORMATION

Information on the published vulnerabilities for an Rundeck project can usually be found on the project's github wiki. If you can't find the information you are looking for on the project's github wiki, you should ask your question on StackOverflow. The Vulnerability Report Form should not be used to ask questions about : how to configure Rundeck securely; if a published vulnerability applies to specific versions of Rundeck that you are using; if a published vulnerability applies to the configuration of the Rundeck instance you are using; obtaining further information on a published vulnerability; the availability of patches and/or new releases to address a published vulnerability.

VULNERABILITY HANDLING

An overview of the vulnerability handling process is: The reporter reports the vulnerability privately to Rundeck. The appropriate project's security team works privately with the reporter to resolve the vulnerability. A new release of the Rundeck package concerned is made that includes the fix. The vulnerability is publicly announced.