Reporting Security Issues and Vulnerabilities

Security issues and vulnerabilities can be reported via the Camunda JIRA issue tracker.

Please follow these steps:

1. Create an account on the Camunda JIRA issue tracker.
2. Navigate to the issue creation screen.
3. Create a JIRA ticket in the Security (SEC) project of type Security Report. The issue will only be accessible by Camunda staff and you, the reporter.
4. Please provide as many details as are known to you.

Once reported, Camunda staff will get back to you and treat your report according to our Security Issue Process.

Vulnerabilities discovered by our enterprise customers are treated as bugs and the agreed SLAs apply.

Security Issue Process

Qualification

Once reported, Camunda proceeds to assess a vulnerability. This includes root cause analysis, as well as understanding the risk and impact of the problem. This assessment is made in close collaboration with the reporter.

Remediation

Camunda creates a remediation plan to resolve security issues that are identified. Fixes are made available in the form of patch releases (enterprise customers only) and alpha/minor releases (community platform users).

Announcement

Once a fix release or a practicable workaround is available, Camunda informs its users on the Camunda 7 Security Notices page or Camunda 8 Security Notices page.

For more details about Camunda’s Information Security, Privacy and Compliance practices, visit the Camunda Trust Center.

Contact Our Security Team