-
-
Notifications
You must be signed in to change notification settings - Fork 1.3k
chore: add security docs #4192
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Merged
+106
−1
Merged
chore: add security docs #4192
Changes from 1 commit
Commits
Show all changes
2 commits
Select commit
Hold shift + click to select a range
File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,49 @@ | ||
| # Security Policy | ||
|
|
||
| We take the security of Trigger.dev seriously — for both our Cloud service and self-hosted deployments. This document explains how to report a vulnerability and what to expect from us. | ||
|
|
||
| ## Reporting a vulnerability | ||
|
|
||
| **Please do not report security vulnerabilities through public GitHub issues, pull requests, or our Discord.** | ||
|
|
||
| Use one of these private channels instead: | ||
|
|
||
| 1. **GitHub (preferred):** Open a private report from the repository's **Security** tab — click **"Report a vulnerability"** ([direct link](https://github.com/triggerdotdev/trigger.dev/security/advisories/new)). | ||
| 2. **Email:** `security-advisories@trigger.dev` | ||
|
|
||
| Please include as much of the following as you can: | ||
|
|
||
| - A description of the vulnerability and its impact | ||
| - Steps to reproduce, ideally with a proof of concept | ||
| - Affected version(s) and component(s) | ||
| - Any suggested remediation | ||
|
|
||
| If you report by email, we will open a private GitHub Security Advisory to track the issue. All reports — however they reach us — are tracked there. | ||
|
|
||
| ## What to expect | ||
|
|
||
| | Stage | Target | | ||
| | --- | --- | | ||
| | Acknowledgement of your report | within 3 business days | | ||
| | Validation and severity assessment (CVSS 3.1) | within 1 week | | ||
|
|
||
| We assess severity using CVSS 3.1 and prioritise remediation accordingly: | ||
|
|
||
| | Severity (CVSS 3.1) | Target time to resolve | | ||
| | --- | --- | | ||
| | Critical (9.0–10.0) | 7 days | | ||
| | High (7.0–8.9) | 30 days | | ||
| | Medium (4.0–6.9) | 90 days | | ||
| | Low (0.1–3.9) | As needed | | ||
|
|
||
| These are best-effort targets, measured from the point we validate and accept a report — not guarantees. Real-world exploitability may lead us to escalate an issue beyond its base score. | ||
|
|
||
| ## Coordinated disclosure | ||
|
|
||
| We follow coordinated disclosure. Please give us a reasonable opportunity to investigate and ship a fix before any public disclosure. Our default disclosure window is 90 days from acceptance, though we aim to resolve issues sooner. | ||
|
|
||
| Once a fix is released we publish a GitHub Security Advisory (and request a CVE where applicable), and we credit reporters unless you ask to remain anonymous. | ||
|
|
||
| ## Supported versions | ||
|
|
||
| We patch the **latest released version line** only. Self-hosters should run the latest version-tagged release to receive security fixes. See the [self-hosting documentation](https://trigger.dev/docs/self-hosting/overview). |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,50 @@ | ||
| --- | ||
| title: "Security & vulnerability reporting" | ||
| description: "How to report security issues in Trigger.dev, our response targets, and how self-hosters receive security notices." | ||
| sidebarTitle: "Security" | ||
| --- | ||
|
|
||
| We take the security of Trigger.dev seriously, for both Cloud and self-hosted deployments. This page covers how to report a vulnerability, what to expect, and how to stay informed about security releases. | ||
|
|
||
| <Warning> | ||
| Do not report security vulnerabilities through public GitHub issues, pull requests, or Discord. Use one of the private channels below. | ||
| </Warning> | ||
|
|
||
| ## Reporting a vulnerability | ||
|
|
||
| <Steps> | ||
| <Step title="Choose a private channel"> | ||
| - **GitHub (preferred):** open a private report from the repository's **Security** tab using **"Report a vulnerability"** ([direct link](https://github.com/triggerdotdev/trigger.dev/security/advisories/new)). | ||
| - **Email:** `security-advisories@trigger.dev` | ||
| </Step> | ||
| <Step title="Include the details"> | ||
| A description and impact, steps to reproduce (a proof of concept helps), affected versions/components, and any suggested fix. | ||
| </Step> | ||
| <Step title="We track it privately"> | ||
| Every report is tracked in a private GitHub Security Advisory. If you email us, we open the advisory on your behalf. | ||
| </Step> | ||
| </Steps> | ||
|
|
||
| ## What to expect | ||
|
|
||
| | Stage | Target | | ||
| | --- | --- | | ||
| | Acknowledgement | within 3 business days | | ||
| | Validation + CVSS 3.1 severity assessment | within 1 week | | ||
|
|
||
| We score issues with CVSS 3.1 and prioritise remediation by severity: | ||
|
|
||
| | Severity (CVSS 3.1) | Target time to resolve | | ||
| | --- | --- | | ||
| | Critical (9.0–10.0) | 7 days | | ||
| | High (7.0–8.9) | 30 days | | ||
| | Medium (4.0–6.9) | 90 days | | ||
| | Low (0.1–3.9) | As needed | | ||
|
|
||
| <Note> | ||
| These are best-effort targets measured from when we validate and accept a report, not guarantees. We follow coordinated disclosure with a default 90-day window, and publish a GitHub Security Advisory (requesting a CVE where applicable) once a fix ships. | ||
| </Note> | ||
|
|
||
| ## Supported versions | ||
|
|
||
| We patch the **latest released version line** only. Run the latest version-tagged release to receive security fixes — see [Self-hosting overview](/self-hosting/overview). |
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Uh oh!
There was an error while loading. Please reload this page.