Jenkins Security

The Jenkins project takes security seriously. We make every possible effort to ensure users can adequately secure their automation infrastructure. To that end, we work with Jenkins core and plugin developers, as well as security researchers, to fix security vulnerabilities in Jenkins in a timely manner, and to improve the security of Jenkins in general.

Learn more about Securing Jenkins in the Jenkins User Handbook.

Security Advisories

Security advisories are the primary way to publicly inform Jenkins users about security issues in Jenkins and Jenkins plugins. You can find all past security advisories in our security advisories archive.

We announce the publication of a new security advisory through multiple channels:

Additionally, Jenkins administrators are informed about published security issues directly in Jenkins if they have affected versions of Jenkins or plugins installed.

Finally, the Jenkins project is a CVE Numbering Authority (CNA), and we submit CVE metadata simultaneously with the publication of security advisories, allowing automated security tools that consume CVE information to identify vulnerable installations.
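The two mechanisms above (in-product warnings about installed affected versions, and machine-readable advisory metadata) both come down to one check: match the versions you actually run against the affected-version ranges an advisory declares. The script below is an added example, not code from the Jenkins project or from this page. It assumes the shape of the Jenkins update center "warnings" list (an `id`, `type` of `core` or `plugin`, a `name`, a `url`, and a `versions` list whose `pattern` is a regular expression matched against the full version string); that shape is stated here as an assumption, and the warning IDs, messages, URLs and version patterns in the sample are constructed for illustration.

```python
import json
import re

# Constructed sample data. The shape follows the update center warnings list
# as assumed in the lead-in; IDs, URLs and patterns are invented, not real advisories.
UPDATE_CENTER_WARNINGS = json.loads("""
[
  {"id": "SECURITY-0001", "type": "plugin", "name": "example-plugin",
   "message": "example-plugin 1.x stores user input without escaping it",
   "url": "https://example.invalid/advisory/0001",
   "versions": [{"lastVersion": "1.9", "pattern": "1[.][0-9](|[.-].*)"}]},
  {"id": "SECURITY-0002", "type": "core", "name": "core",
   "message": "Jenkins 2.400 and earlier lacks a CSRF check on an endpoint",
   "url": "https://example.invalid/advisory/0002",
   "versions": [{"lastVersion": "2.400",
                 "pattern": "2[.]([0-9]|[1-9][0-9]|[1-3][0-9][0-9]|400)(|[.-].*)"}]}
]
""")


def version_in_range(version, version_ranges):
    """True if the installed version string fully matches any range pattern.

    Jenkins version strings may carry suffixes (e.g. an LTS build such as 2.401.3),
    which is why the patterns end with an optional (|[.-].*) tail.
    """
    return any(re.fullmatch(r["pattern"], version) for r in version_ranges)


def affected_warnings(warnings, core_version, plugins):
    """Return (component, installed version, warning id, url) for every warning
    whose affected-version range covers what is installed.

    plugins maps plugin short name -> installed version string.
    Warnings for plugins that are not installed are ignored.
    """
    hits = []
    for w in warnings:
        if w["type"] == "core":
            name, installed = "core", core_version
        elif w["type"] == "plugin":
            name, installed = w["name"], plugins.get(w["name"])
        else:
            continue  # unknown warning type; nothing to compare against
        if installed is None:
            continue  # plugin not installed, so the warning does not apply
        if version_in_range(installed, w["versions"]):
            hits.append((name, installed, w["id"], w["url"]))
    return hits


if __name__ == "__main__":
    # Constructed inventory for one Jenkins controller.
    installed_core = "2.401"
    installed_plugins = {"example-plugin": "1.9.2", "other-plugin": "3.0"}
    for component, version, warning_id, url in affected_warnings(
        UPDATE_CENTER_WARNINGS, installed_core, installed_plugins
    ):
        print(f"{component} {version} is affected by {warning_id}: {url}")
```

Run against real data, the warnings list would come from the Jenkins update center and the installed inventory from the controller itself; both of those sources are outside this page and are not fetched here, so the sample inventory and warning list are embedded and constructed. Note that the core version 2.401 in the sample falls just outside the "2.400 and earlier" range and is correctly not reported, while plugin version 1.9.2 is reported because the pattern's optional suffix covers it.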

Even if you run Jenkins on a private network and trust everyone in your team, security issues in Jenkins can still impact you:

  • CSRF vulnerabilities are a risk even if attackers have no direct access to Jenkins: a malicious web page can make the browser of a logged-in user send requests to a Jenkins instance that is reachable only from the internal network.

  • Does Jenkins build source code you haven’t audited, run build scripts someone else wrote, and display generated reports in its web UI? Each of these is a potential security concern.

How to Report a Security Vulnerability

If you find a vulnerability in Jenkins, please report it in the issue tracker under the SECURITY project. This project is configured in such a way that only the reporter, the maintainers, and the Jenkins security team can see the details. Restricting access to this potentially sensitive information allows core and plugin maintainers to develop effective security fixes that are safe to apply. We provide issue reporting guidelines and an overview of our process on Reporting Security Vulnerabilities.

If you are unable to report using our issue tracker, you can also send your report to the private Jenkins Security Team mailing list: jenkinsci-cert@googlegroups.com

Do not contact the Jenkins security team asking us for compliance documents, certifications, or to fill out a questionnaire. We will not respond to such queries. If we consider it necessary to provide a statement in response to incidents such as Log4Shell or SpringShell, you will find a response in our blog.

To show our appreciation for your help, we’ll send you a small reward for privately reported, valid vulnerability reports.

Learn More

How We Handle Vulnerabilities in Plugins

We strive to fix all security vulnerabilities in Jenkins and plugins in a timely manner. However, the number and diversity of plugins, and the autonomy of their maintainers, make this impossible to guarantee.

How We Schedule Security Advisories

Information about how we schedule security advisories and security updates.

How We Fix Security Issues

Guidelines for developing security fixes in the Jenkins project.

Information for Plugin Maintainers

The Jenkins security team contacted me about a security vulnerability. Now what?

Information for Administrators

This page explains everything Jenkins users and administrators need to know about the Jenkins security process.

Gifts for Reporters

To show our appreciation for your help, we’ll send you a small reward for privately reported, valid vulnerability reports.

Jenkins CVE Numbering Authority

The Jenkins project is a CVE Numbering Authority (CNA) for Jenkins and Jenkins plugins published by the Jenkins project.

About the Jenkins Security Team

The Jenkins Security Team is a group of volunteers led by the Jenkins Security Officer who triage and fix security vulnerabilities.

Improvements by the Security Team

These are some contributions by members of the Jenkins security team that weren’t delivered as security fixes, but still are security-related.