50 lines
2.3 KiB
Markdown
50 lines
2.3 KiB
Markdown
# Security Policy
|
||
|
||
We take the security of Trigger.dev seriously — for both our Cloud service and self-hosted deployments. This document explains how to report a vulnerability and what to expect from us.
|
||
|
||
## Reporting a vulnerability
|
||
|
||
**Please do not report security vulnerabilities through public GitHub issues, pull requests, or our Discord.**
|
||
|
||
Use one of these private channels instead:
|
||
|
||
1. **GitHub (preferred):** Open a private report from the repository's **Security** tab — click **"Report a vulnerability"** ([direct link](https://github.com/triggerdotdev/trigger.dev/security/advisories/new)).
|
||
2. **Email:** `security-advisories@trigger.dev`
|
||
|
||
Please include as much of the following as you can:
|
||
|
||
- A description of the vulnerability and its impact
|
||
- Steps to reproduce, ideally with a proof of concept
|
||
- Affected version(s) and component(s)
|
||
- Any suggested remediation
|
||
|
||
If you report by email, we will open a private GitHub Security Advisory to track the issue. All reports — however they reach us — are tracked there.
|
||
|
||
## What to expect
|
||
|
||
| Stage | Target |
|
||
| --- | --- |
|
||
| Acknowledgement of your report | within 3 business days |
|
||
| Validation and severity assessment (CVSS 3.1) | within 1 week |
|
||
|
||
We assess severity using CVSS 3.1 and prioritise remediation accordingly:
|
||
|
||
| Severity (CVSS 3.1) | Target time to resolve |
|
||
| --- | --- |
|
||
| Critical (9.0–10.0) | 7 days |
|
||
| High (7.0–8.9) | 30 days |
|
||
| Medium (4.0–6.9) | 90 days |
|
||
| Low (0.1–3.9) | As needed |
|
||
|
||
These are best-effort targets, measured from the point we validate and accept a report — not guarantees. Real-world exploitability may lead us to escalate an issue beyond its base score.
|
||
|
||
## Coordinated disclosure
|
||
|
||
We follow coordinated disclosure. Please give us a reasonable opportunity to investigate and ship a fix before any public disclosure. Our default disclosure window is 90 days from acceptance, though we aim to resolve issues sooner.
|
||
|
||
Once a fix is released we publish a GitHub Security Advisory (and request a CVE where applicable), and we credit reporters unless you ask to remain anonymous.
|
||
|
||
## Supported versions
|
||
|
||
We patch the **latest released version line** only. Self-hosters should run the latest version-tagged release to receive security fixes. See the [self-hosting documentation](https://trigger.dev/docs/self-hosting/overview).
|