The Jenkins project takes security seriously. We make every possible effort to ensure users can adequately secure their automation infrastructure. To that end, we work with Jenkins core and plugin developers, as well as security researchers, to fix security vulnerabilities in Jenkins in a timely manner, and to improve the security of Jenkins in general.
Learn more about securing Jenkins in the Jenkins User Handbook:
Security advisories are the primary way to publicly inform Jenkins users about security issues in Jenkins and Jenkins plugins. You can find all past security advisories in our security advisories archive.
We announce the publication of a new security advisory through multiple channels:
We send an email notification to the public jenkinsci-advisories Google group with a short overview of affected components and a link to the security advisory:
We send an email notification to the mailing list with excerpts of the security advisory.
Additionally, Jenkins administrators are informed about published security issues directly in Jenkins if they have affected versions of Jenkins or plugins installed.
Finally, the Jenkins project is a CVE Numbering Authority (CNA), and we submit CVE metadata simultaneously with the publication of security advisories, allowing automated security tools that use CVE information to identify vulnerable installations.
Even if you run Jenkins on a private network and trust everyone in your team, security issues in Jenkins can still impact you:
If you find a vulnerability in Jenkins, please report it in the issue tracker under the . This project is configured in such a way that only the reporter, the maintainers, and the Jenkins security team can see the details. Restricting access to this potentially sensitive information allows core and plugin maintainers to develop effective security fixes that are safe to apply. We provide issue reporting guidelines and an overview of our process on Reporting Security Vulnerabilities.
If you are unable to report using our issue tracker, you can also send your report to the private Jenkins Security Team mailing list:
To show our appreciation for your help, we’ll send you a small reward for privately reported, valid vulnerability reports.
We strive to fix all security vulnerabilities in Jenkins and plugins in a timely manner. However, the number and diversity of plugins, and the autonomy of their maintainers, make this impossible to guarantee.
Information about how we schedule security advisories and security updates.
Guidelines for developing security fixes in the Jenkins project.
The Jenkins security team contacted me about a security vulnerability. Now what?
This page explains everything Jenkins users and administrators need to know about the Jenkins security process.
The Jenkins project is a CVE Numbering Authority (CNA) for Jenkins and Jenkins plugins published by the Jenkins project.
The Jenkins Security Team is a group of volunteers led by the Jenkins Security Officer who triage and fix security vulnerabilities.
These are some contributions by members of the Jenkins security team that weren’t delivered as security fixes, but still are security-related.