Jenkins CVE Numbering Authority

The Jenkins project is a CVE Numbering Authority (CNA) for Jenkins and Jenkins plugins published by the Jenkins project (listed on and/or hosted in the jenkinsci GitHub organization). This means that the Jenkins project assigns CVE IDs for vulnerabilities in these components.


Contact us at if you have any questions about the Jenkins CNA.

Do not contact the Jenkins security team asking us for compliance documents, certifications, or to fill out a questionnaire. We will not respond to such queries. If we consider it necessary to provide a statement in response to incidents such as Log4Shell or SpringShell, you will find a response in our blog.

CVE Assignment Process

CVEs for privately reported and tracked security vulnerabilities are assigned shortly (several hours to a few days) before publication in a security advisory.