The Jenkins project takes security seriously. We make every possible effort to ensure users can adequately secure their automation infrastructure. To that end, we work with Jenkins core and plugin developers, as well as security researchers, to fix security vulnerabilities in Jenkins in a timely manner, and to improve the security of Jenkins in general.
Learn more about Securing Jenkins in the Jenkins User Handbook.
Security advisories are the primary way to publicly inform Jenkins users about security issues in Jenkins and Jenkins plugins. You can find all past security advisories in our security advisories archive.
We announce the publication of a new security advisory through multiple channels:
We send an email notification to the public
jenkinsci-advisories Google group with a short overview of affected components and a link to the security advisory. Only Jenkins security team members can post. You can subscribe and unsubscribe via email.
We send an email notification to the
oss-security mailing list with excerpts of the security advisory.
We publish an RSS feed for the jenkins.io/security/advisories/ page.
Additionally, Jenkins administrators are informed about published security issues directly in Jenkins if they have affected versions of Jenkins or plugins installed.
Finally, the Jenkins project is a CVE Numbers Authority, and we submit CVE metadata simultaneously with the publication of security advisories, allowing automated security tools using CVE information to identify vulnerable installations.
Even if you run Jenkins on a private network and trust everyone in your team, security issues in Jenkins can still impact you:
If you find a vulnerability in Jenkins, please report it in the issue tracker under the SECURITY project. This project is configured in such a way that only the reporter, the maintainers, and the Jenkins security team can see the details. Restricting access to this potentially sensitive information allows core and plugin maintainers to develop effective security fixes that are safe to apply. We provide issue reporting guidelines and an overview of our process on Reporting Security Vulnerabilities.
If you are unable to report using our issue tracker, you can also send your report to the private Jenkins Security Team mailing list:
|Do not contact the Jenkins security team asking us for compliance documents, certifications, or to fill out a questionnaire. We will not respond to such queries. If we consider it necessary to provide a statement in response to incidents such as log4shell or SpringShell, you will find a response in our blog.|
We strive to fix all security vulnerabilities in Jenkins and plugins in a timely manner. However the number and diversity of plugins and maintainers' autonomy make this impossible to guarantee.
Information about how we schedule security advisories and security updates.
Guidelines for developing security fixes in the Jenkins project.
The Jenkins security team contacted me about a security vulnerability. Now what?
This page explains everything Jenkins users and administrators need to know about the Jenkins security process.
The Jenkins project is a CVE Numbers Authority (CNA) for Jenkins and Jenkins plugins published by the Jenkins project.
The Jenkins Security Team is a group of volunteers led by the Jenkins Security Officer who triage and fix security vulnerabilities.
These are some contributions by members of the Jenkins security team that weren’t delivered as security fixes, but still are security-related.