Security

Security is at the core of everything we build. We’re committed to safeguarding your data and infrastructure by investing in the necessary tools, training, and support. Learn more about how we bake security into our solutions and platform.

Vulnerability management

Security updates & vulnerability alerts

HashiCorp publishes security updates that address vulnerabilities in HashiCorp products in the Security category of HashiCorp Discuss, directly accessible at https://discuss.hashicorp.com/c/security/.

Please follow the documented steps to subscribe to email notifications or an RSS feed for all HashiCorp security updates or for product-specific updates only.

Vulnerability reporting

We deeply appreciate any effort to discover and coordinate the disclosure of security vulnerabilities. HashiCorp does not currently operate a public bug bounty program or offer monetary rewards for vulnerability reports, but individuals may be acknowledged in product security bulletins as appropriate.

If you would like to report a vulnerability in one of our products or services, or have security concerns regarding HashiCorp software or systems, please email security@hashicorp.com.

To support a timely and effective response to your report, please include as many of the following as are available:

  • Steps to reproduce or proof-of-concept

  • Any relevant tools, including versions used

  • Tool output

HashiCorp takes all vulnerability reports very seriously and aims to respond quickly and verify the reported vulnerability before taking the necessary steps to address it. You should receive an initial reply shortly after we receive your disclosure; after that, we will update you periodically on our response and remediation status.

The following issues affecting HashiCorp-owned domains and properties have already been assessed for risk, may be addressed in future, and do not need to be reported to us:

  • HTTPS configuration, including supported TLS versions and ciphersuites

  • HTTP headers, including those for Strict Transport Security, Content Security Policy, and clickjacking/XSS protection

  • DNS records, including those related to email (SPF, DKIM, DMARC) and certificate issuance (CAA)

  • Web applications that appear to allow users to set excessively long passwords