Files
triggerdotdev--trigger.dev/SECURITY.md
T
2026-07-13 13:32:57 +08:00

50 lines
2.3 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
# Security Policy
We take the security of Trigger.dev seriously — for both our Cloud service and self-hosted deployments. This document explains how to report a vulnerability and what to expect from us.
## Reporting a vulnerability
**Please do not report security vulnerabilities through public GitHub issues, pull requests, or our Discord.**
Use one of these private channels instead:
1. **GitHub (preferred):** Open a private report from the repository's **Security** tab — click **"Report a vulnerability"** ([direct link](https://github.com/triggerdotdev/trigger.dev/security/advisories/new)).
2. **Email:** `security-advisories@trigger.dev`
Please include as much of the following as you can:
- A description of the vulnerability and its impact
- Steps to reproduce, ideally with a proof of concept
- Affected version(s) and component(s)
- Any suggested remediation
If you report by email, we will open a private GitHub Security Advisory to track the issue. All reports — however they reach us — are tracked there.
## What to expect
| Stage | Target |
| --- | --- |
| Acknowledgement of your report | within 3 business days |
| Validation and severity assessment (CVSS 3.1) | within 1 week |
We assess severity using CVSS 3.1 and prioritise remediation accordingly:
| Severity (CVSS 3.1) | Target time to resolve |
| --- | --- |
| Critical (9.010.0) | 7 days |
| High (7.08.9) | 30 days |
| Medium (4.06.9) | 90 days |
| Low (0.13.9) | As needed |
These are best-effort targets, measured from the point we validate and accept a report — not guarantees. Real-world exploitability may lead us to escalate an issue beyond its base score.
## Coordinated disclosure
We follow coordinated disclosure. Please give us a reasonable opportunity to investigate and ship a fix before any public disclosure. Our default disclosure window is 90 days from acceptance, though we aim to resolve issues sooner.
Once a fix is released we publish a GitHub Security Advisory (and request a CVE where applicable), and we credit reporters unless you ask to remain anonymous.
## Supported versions
We patch the **latest released version line** only. Self-hosters should run the latest version-tagged release to receive security fixes. See the [self-hosting documentation](https://trigger.dev/docs/self-hosting/overview).