About the Jenkins Security Team

The Jenkins Security Team is a group of volunteers led by the Jenkins Security Officer. Our goal is to improve the security of Jenkins and to give administrators the tools and information they need to secure their Jenkins instances.

What We Do

  1. We look for security issues in Jenkins and plugins

  2. We process incoming reports of security issues in any component

  3. We work with reporters and maintainers to get security issues fixed

  4. We develop Jenkins (core) security fixes

  5. We review and test security fixes in core and plugins

  6. We write and publish security advisories

  7. We implement security-related features and improvements (and you can too!)

Security vulnerabilities in core are typically resolved by members of this team, while vulnerabilities in plugins are generally resolved in collaboration with the plugin maintainer(s).

Joining the Team

Members of the security team have access to sensitive information, so membership is limited to people with a history of contributions to the Jenkins project and is subject to approval by the Jenkins Security Officer.

Contact the Jenkins security team via email to the private jenkinsci-cert@googlegroups.com mailing list if you’re interested.

Expectations

As a member of the security team you will be expected to regularly contribute, or you may be removed from the team again to limit the exposure of sensitive security-related information. Security team membership is specifically for those working on Jenkins (core) security fixes or on improving Jenkins security beyond specific components. These contributions need to be not otherwise feasible without the additional access to sensitive information granted through the membership. For example, as a plugin maintainer, you are already able to address security issues in plugins you maintain even without being a security team member.

There are many ways to contribute to the security of Jenkins that don’t require you to be on the security team. Learn more: Other Ways to Contribute

Technical Requirements

In order to join, you’ll need to have:

  1. a Jenkins community account and have logged in to Artifactory and Jira before,

  2. a GitHub account with two-factor authentication enabled,

  3. a Contributor License Agreement (CLA) in place, and

  4. a registered nickname on Freenode IRC.

Other Ways to Contribute

You can contribute to the security of Jenkins and its plugin ecosystem even without being a security team member:

  • Identify and report security issues, even in plugins you maintain yourself. As a reporter, you can include proposed fixes or ask the maintainer to collaborate with you on a fix. As a maintainer, please inform us about security issues in your own plugins, even if you fix the issue yourself. This lets us properly inform users.

  • Inform us about plugin security updates without a corresponding security advisory. Plugin maintainers may be unaware of our process, so this helps ensure all security updates are properly announced.

  • Document security best practices for Jenkins administrators and Jenkins developers.

  • As a Jenkins developer, develop features and improvements that help admins secure their instance. Check out these improvements delivered by security team members over the years.

  • As a plugin maintainer:

    • Be responsive when contacted by the security team.

    • Consider the security impact of features and improvements you consider adding.