|
| 1 | +# Security Policy |
| 2 | + |
| 3 | +We take the security of Trigger.dev seriously — for both our Cloud service and self-hosted deployments. This document explains how to report a vulnerability and what to expect from us. |
| 4 | + |
| 5 | +## Reporting a vulnerability |
| 6 | + |
| 7 | +**Please do not report security vulnerabilities through public GitHub issues, pull requests, or our Discord.** |
| 8 | + |
| 9 | +Use one of these private channels instead: |
| 10 | + |
| 11 | +1. **GitHub (preferred):** Open a private report from the repository's **Security** tab — click **"Report a vulnerability"** ([direct link](https://github.com/triggerdotdev/trigger.dev/security/advisories/new)). |
| 12 | +2. **Email:** `security-advisories@trigger.dev` |
| 13 | + |
| 14 | +Please include as much of the following as you can: |
| 15 | + |
| 16 | +- A description of the vulnerability and its impact |
| 17 | +- Steps to reproduce, ideally with a proof of concept |
| 18 | +- Affected version(s) and component(s) |
| 19 | +- Any suggested remediation |
| 20 | + |
| 21 | +If you report by email, we will open a private GitHub Security Advisory to track the issue. All reports — however they reach us — are tracked there. |
| 22 | + |
| 23 | +## What to expect |
| 24 | + |
| 25 | +| Stage | Target | |
| 26 | +| --- | --- | |
| 27 | +| Acknowledgement of your report | within 3 business days | |
| 28 | +| Validation and severity assessment (CVSS 3.1) | within 1 week | |
| 29 | + |
| 30 | +We assess severity using CVSS 3.1 and prioritise remediation accordingly: |
| 31 | + |
| 32 | +| Severity (CVSS 3.1) | Target time to resolve | |
| 33 | +| --- | --- | |
| 34 | +| Critical (9.0–10.0) | 7 days | |
| 35 | +| High (7.0–8.9) | 30 days | |
| 36 | +| Medium (4.0–6.9) | 90 days | |
| 37 | +| Low (0.1–3.9) | As needed | |
| 38 | + |
| 39 | +These are best-effort targets, measured from the point we validate and accept a report — not guarantees. Real-world exploitability may lead us to escalate an issue beyond its base score. |
| 40 | + |
| 41 | +## Coordinated disclosure |
| 42 | + |
| 43 | +We follow coordinated disclosure. Please give us a reasonable opportunity to investigate and ship a fix before any public disclosure. Our default disclosure window is 90 days from acceptance, though we aim to resolve issues sooner. |
| 44 | + |
| 45 | +Once a fix is released we publish a GitHub Security Advisory (and request a CVE where applicable), and we credit reporters unless you ask to remain anonymous. |
| 46 | + |
| 47 | +## Supported versions |
| 48 | + |
| 49 | +We patch the **latest released version line** only. Self-hosters should run the latest version-tagged release to receive security fixes. See the [self-hosting documentation](https://trigger.dev/docs/self-hosting/overview). |
0 commit comments