chore: import upstream snapshot with attribution
This commit is contained in:
@@ -0,0 +1,50 @@
|
||||
---
|
||||
title: "Security & vulnerability reporting"
|
||||
description: "How to report security issues in Trigger.dev, our response targets, and how self-hosters receive security notices."
|
||||
sidebarTitle: "Security"
|
||||
---
|
||||
|
||||
We take the security of Trigger.dev seriously, for both Cloud and self-hosted deployments. This page covers how to report a vulnerability, what to expect, and how to stay informed about security releases.
|
||||
|
||||
<Warning>
|
||||
Do not report security vulnerabilities through public GitHub issues, pull requests, or Discord. Use one of the private channels below.
|
||||
</Warning>
|
||||
|
||||
## Reporting a vulnerability
|
||||
|
||||
<Steps>
|
||||
<Step title="Choose a private channel">
|
||||
- **GitHub (preferred):** open a private report from the repository's **Security** tab using **"Report a vulnerability"** ([direct link](https://github.com/triggerdotdev/trigger.dev/security/advisories/new)).
|
||||
- **Email:** `security-advisories@trigger.dev`
|
||||
</Step>
|
||||
<Step title="Include the details">
|
||||
A description and impact, steps to reproduce (a proof of concept helps), affected versions/components, and any suggested fix.
|
||||
</Step>
|
||||
<Step title="We track it privately">
|
||||
Every report is tracked in a private GitHub Security Advisory. If you email us, we open the advisory on your behalf.
|
||||
</Step>
|
||||
</Steps>
|
||||
|
||||
## What to expect
|
||||
|
||||
| Stage | Target |
|
||||
| --- | --- |
|
||||
| Acknowledgement | within 3 business days |
|
||||
| Validation + CVSS 3.1 severity assessment | within 1 week |
|
||||
|
||||
We score issues with CVSS 3.1 and prioritise remediation by severity:
|
||||
|
||||
| Severity (CVSS 3.1) | Target time to resolve |
|
||||
| --- | --- |
|
||||
| Critical (9.0–10.0) | 7 days |
|
||||
| High (7.0–8.9) | 30 days |
|
||||
| Medium (4.0–6.9) | 90 days |
|
||||
| Low (0.1–3.9) | As needed |
|
||||
|
||||
<Note>
|
||||
These are best-effort targets measured from when we validate and accept a report, not guarantees. We follow coordinated disclosure with a default 90-day window, and publish a GitHub Security Advisory (requesting a CVE where applicable) once a fix ships.
|
||||
</Note>
|
||||
|
||||
## Supported versions
|
||||
|
||||
We patch the **latest released version line** only. Run the latest version-tagged release to receive security fixes — see [Self-hosting overview](/self-hosting/overview).
|
||||
Reference in New Issue
Block a user