Security: Puppet's Vulnerability Submission Process

 


Security Policy

Puppet supports coordinated disclosure of security vulnerabilities and welcomes reports from security researchers on issues found in Puppet products and in Puppet-distributed packages or infrastructure.

Out-of-Scope:

  • Software version or banner disclosures
  • Directory traversal on yum, apt, or downloads.puppet.com where traversal is explicitly desired
  • Self-XSS or CSRF on unauthenticated web forms (including logout CSRF)
  • Disclosure or discovery of known public files or directories (for example, robots.txt, simple DNS enumeration)
  • Brute force attempts (for example, log-in and forgot password pages don’t have lockouts)
  • Account enumeration (for example, enumerating login or reset fields for valid accounts without lockouts)
  • Email spoofing possibilities. Suggesting turning on SPF, DMARC, or DKIM isn’t welcome, though specific issues with those configurations are.

To report a vulnerability, contact the Puppet security team at security@perforce.com.

Contact the Puppet security team via encrypted communication using our PGP Public key:

Puppet Security Team
Key Long-format ID: 8728524FE21D3FC6
Key Fingerprint: 489C F9E6 BB24 2589 EFF5 BB68 8728 524F E21D 3FC6

 

The key is available in ASCII encoded format. It can also be retrieved and verified from the MIT Key Server.

We credit security researchers based on the value of the contributions they provide. The Puppet security team reviews each disclosure and assigns a scored value based on the relevance of the disclosure. These scores are calculated quarterly, and the top-scoring individuals are publicly credited on our website. Additional credit will be awarded to individuals who provide code fixes or additional information about how to fix the vulnerability.

Thank you for supporting Puppet’s coordinated disclosure process!

Puppet Security

Puppet by Perforce © Perforce Software, Inc.