chore: import upstream snapshot with attribution

This commit is contained in:
wehub-resource-sync
2026-07-13 13:32:57 +08:00
commit cd420f9332
4811 changed files with 884702 additions and 0 deletions
+50
View File
@@ -0,0 +1,50 @@
---
title: "Security & vulnerability reporting"
description: "How to report security issues in Trigger.dev, our response targets, and how self-hosters receive security notices."
sidebarTitle: "Security"
---
We take the security of Trigger.dev seriously, for both Cloud and self-hosted deployments. This page covers how to report a vulnerability, what to expect, and how to stay informed about security releases.
<Warning>
Do not report security vulnerabilities through public GitHub issues, pull requests, or Discord. Use one of the private channels below.
</Warning>
## Reporting a vulnerability
<Steps>
<Step title="Choose a private channel">
- **GitHub (preferred):** open a private report from the repository's **Security** tab using **"Report a vulnerability"** ([direct link](https://github.com/triggerdotdev/trigger.dev/security/advisories/new)).
- **Email:** `security-advisories@trigger.dev`
</Step>
<Step title="Include the details">
A description and impact, steps to reproduce (a proof of concept helps), affected versions/components, and any suggested fix.
</Step>
<Step title="We track it privately">
Every report is tracked in a private GitHub Security Advisory. If you email us, we open the advisory on your behalf.
</Step>
</Steps>
## What to expect
| Stage | Target |
| --- | --- |
| Acknowledgement | within 3 business days |
| Validation + CVSS 3.1 severity assessment | within 1 week |
We score issues with CVSS 3.1 and prioritise remediation by severity:
| Severity (CVSS 3.1) | Target time to resolve |
| --- | --- |
| Critical (9.010.0) | 7 days |
| High (7.08.9) | 30 days |
| Medium (4.06.9) | 90 days |
| Low (0.13.9) | As needed |
<Note>
These are best-effort targets measured from when we validate and accept a report, not guarantees. We follow coordinated disclosure with a default 90-day window, and publish a GitHub Security Advisory (requesting a CVE where applicable) once a fix ships.
</Note>
## Supported versions
We patch the **latest released version line** only. Run the latest version-tagged release to receive security fixes — see [Self-hosting overview](/self-hosting/overview).