Security is at the core of everything we build. We’re committed to safeguarding your data and infrastructure by investing in the necessary tools, training, and support. Learn more about how we bake security into our solutions and platform.
HashiCorp publishes security updates, which address security vulnerabilities in HashiCorp products, in the Security category of HashiCorp Discuss. This is directly accessible at https://discuss.hashicorp.com/c/security/.
Please follow the documented steps to subscribe to email notifications or RSS for all or product-specific HashiCorp security updates.
We deeply appreciate any effort to discover and coordinate the disclosure of security vulnerabilities. HashiCorp does not currently operate a public bug bounty program or offer monetary rewards for vulnerability reports, but individuals may be acknowledged in product security bulletins as appropriate.
If you would like to report a vulnerability in one of our products or services, or have security concerns regarding HashiCorp software or systems, please email email@example.com.
To support a timely and effective response to your report, please include any of the following:
Steps to reproduce or proof-of-concept
Any relevant tools, including versions used
HashiCorp takes all vulnerability reports very seriously and aims to rapidly respond and verify the vulnerability before taking the necessary steps to address it. After an initial reply to your disclosure, which should be directly after receiving it, we will update you periodically with our response and remediation status.
Security issues related to HashiCorp-owned domains/properties that we have already assessed for risk and will address in future include:
HTTPS configuration, including supported TLS versions & ciphersuites
HTTP headers, for purposes including Strict Transport Security, Content Security Policy, and clickjacking/XSS protection
DNS records including those related to email (SPF, DKIM, DMARC) and certificate issuance (CAA).