The Jenkins project takes security seriously. We make every possible effort to ensure users can adequately secure their automation infrastructure. To that end, we work with Jenkins core and plugin developers, as well as security researchers, to fix security vulnerabilities in Jenkins in a timely manner, and to improve the security of Jenkins in general.
Learn more about Securing Jenkins in the Jenkins User Handbook.
Security advisories are the primary way to publicly inform Jenkins users about security issues in Jenkins and Jenkins plugins. You can find all past security advisories in our security advisories archive.
We announce the publication of a new security advisory through multiple channels:
We send an email notification to the public jenkinsci-advisories Google group with a short overview of affected components and a link to the security advisory. Only Jenkins security team members can post. You can subscribe and unsubscribe via email.
We send an email notification to the oss-security mailing list with excerpts of the security advisory.
We publish an RSS feed for the jenkins.io/security/advisories/ page.
Additionally, Jenkins administrators are informed about published security issues directly in Jenkins if they have affected versions of Jenkins or plugins installed.
Finally, the Jenkins project is a CVE Numbering Authority (CNA), and we submit CVE metadata simultaneously with the publication of security advisories, allowing automated security tools that consume CVE information to identify vulnerable installations.
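The in-product warnings mentioned above come down to one check: is the installed version of a component inside the version range an advisory covers? The following is an added example (not code from the Jenkins project) of that check written as a small Python script an administrator could run offline. It assumes warning records in the shape of the `warnings` array of Jenkins's update-center JSON as I understand it (a plugin `name` plus a `versions` list of `{lastVersion, pattern}` entries whose `pattern` is a regular expression that must match the whole installed version string) and an installed-plugin list in the `name:version` line format; the field names, the advisory IDs and every version pattern below are constructed for illustration and are not real advisory data.

```python
import re

# Constructed sample in the assumed shape of the update center's "warnings"
# array. Advisory IDs, messages and version patterns are made up for the
# example; they do not describe real vulnerabilities.
SAMPLE_WARNINGS = [
    {
        "type": "plugin",
        "id": "SECURITY-EXAMPLE-1",
        "name": "example-plugin",
        "message": "Constructed example: affects example-plugin 1.5 and earlier",
        "url": "https://www.jenkins.io/security/advisories/",
        # 1.0 .. 1.5, plus any suffix such as 1.5.1 or 1.5-beta
        "versions": [{"lastVersion": "1.5", "pattern": r"1\.[0-5](|[.-].*)"}],
    },
    {
        "type": "plugin",
        "id": "SECURITY-EXAMPLE-2",
        "name": "other-plugin",
        "message": "Constructed example: affects other-plugin 2.0 through 2.3",
        "url": "https://www.jenkins.io/security/advisories/",
        "versions": [{"lastVersion": "2.3", "pattern": r"2\.[0-3](|[.-].*)"}],
    },
]

# Constructed installed-plugin list in "name:version" line format.
SAMPLE_PLUGIN_LIST = """\
# comment lines and blank lines are ignored
example-plugin:1.4
other-plugin:2.5
third-plugin:0.9
"""


def parse_plugin_list(text):
    """Parse "name:version" lines into {name: version}, skipping comments/blanks."""
    installed = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, version = line.partition(":")
        installed[name.strip()] = version.strip()
    return installed


def version_matches(version, version_specs):
    """True if `version` is covered by any pattern in the warning's `versions`.

    A warning with no version entries is treated as applying to every version.
    re.fullmatch is deliberate: re.match would anchor only the start, so a
    pattern for 1.0..1.5 would wrongly flag "1.50" via its "1.5" prefix.
    """
    if not version_specs:
        return True
    return any(re.fullmatch(spec["pattern"], version) for spec in version_specs)


def affected_plugins(installed, warnings):
    """Return [(name, installed_version, warning_id, url)] for every plugin
    warning whose version range covers the installed version."""
    hits = []
    for warning in warnings:
        if warning.get("type") != "plugin":
            continue  # core warnings match the Jenkins version, not a plugin
        installed_version = installed.get(warning["name"])
        if installed_version is None:
            continue
        if version_matches(installed_version, warning.get("versions", [])):
            hits.append((warning["name"], installed_version,
                         warning["id"], warning["url"]))
    return hits


if __name__ == "__main__":
    for name, version, warning_id, url in affected_plugins(
            parse_plugin_list(SAMPLE_PLUGIN_LIST), SAMPLE_WARNINGS):
        print(f"{name} {version}: {warning_id} ({url})")
```

Against real data you would replace `SAMPLE_WARNINGS` with the `warnings` array fetched from your update site and `SAMPLE_PLUGIN_LIST` with the plugin list exported from your controller; the matching logic itself does not change. Note that a version outside the pattern (here `other-plugin` 2.5) is reported as unaffected only because the pattern says so, not because 2.5 is newer than `lastVersion`, so keep patterns and `lastVersion` consistent if you maintain such data yourself.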
Even if you run Jenkins on a private network and trust everyone in your team, security issues in Jenkins can still impact you:
If you find a vulnerability in Jenkins, please report it in the issue tracker under the SECURITY project.
We provide issue reporting guidelines and an overview of our process on Reporting Security Vulnerabilities.
We strive to fix all security vulnerabilities in Jenkins and plugins in a timely manner. However, the number and diversity of plugins, and the autonomy of their maintainers, make this impossible to guarantee.
Information about how we schedule security advisories and security updates.
Guidelines for developing security fixes in the Jenkins project.
The Jenkins security team contacted me about a security vulnerability. Now what?
This page explains everything Jenkins users and administrators need to know about the Jenkins security process.
The Jenkins project is a CVE Numbering Authority (CNA) for Jenkins and Jenkins plugins published by the Jenkins project.
The Jenkins Security Team is a group of volunteers led by the Jenkins Security Officer who triage and fix security vulnerabilities.
These are some contributions by members of the Jenkins security team that weren’t delivered as security fixes, but still are security-related.