Puppet Labs Security

Introduction

Puppet Labs takes the security of its products very seriously. We respond to security issues and concerns promptly and when necessary release new versions of the product to address vulnerabilities or security issues in our products.

Security Policy

Puppet Labs supports coordinated disclosure of security vulnerabilities.

Please note that we have separate processes for reporting security issues with our product line, and for reporting security issues with our infrastructure.

Infrastructure Security

This process should be followed for reporting issues with Puppet Labs infrastructure such as:

  • puppetlabs.com
  • puppetconf.com
  • docs.puppetlabs.com
  • tickets.puppetlabs.com
  • ask.puppetlabs.com
  • yum/apt.puppetlabs.com
  • and any of our other web properties other than the Forge

While we do believe in crediting security researchers who make valuable contributions to our product security, note that we do not typically provide such credit for minor infrastructure security issues on our web properties.

Note that we do not consider the following class of issues to be report-worthy when they relate to our infrastructure:

  • Software version/Banner disclosure
  • Directory traversal on yum/apt/downloads.puppetlabs.com where traversal is explicitly desired
  • Self-XSS/CSRF on unauthenticated web forms (including logout CSRF)
  • Disclosure/Discovery of known public files or directories(e.g., robots.txt, simple DNS enumeration)
  • Brute Force attempts (e.g., Login Page/Forgot Password without lockouts)
  • Account enumeration (e.g., enumerating Login/Reset fields for valid accounts without lockouts)

To contact the Puppet Labs Infrastructure team, please use the email address:
security-infrastructure@puppetlabs.com

Product Security

This process should be followed for reporting issues with any Puppet Labs Products such as Puppet Enterprise, Puppet and MCollective, as well as the Puppet Forge. This process should also be followed for any security issues related to packages we distribute, however please follow the Infrastructure Security process for the infrastructure hosting those packages (yum/apt.puppetlabs.com, etc.)

If you wish to contact the Puppet Labs Security Team via encrypted communication, we encourage you to use our GPG Public Key:

Puppet Labs Security Team
Key Long-format ID: 8728524FE21D3FC6
Key Fingerprint: 489C F9E6 BB24 2589 EFF5 BB68 8728 524F E21D 3FC6

The key is available in ASCII encoded format here. It can also be retrieved and verified from the MIT Key Server.

Puppet Labs is happy to fully disclose all details of a security vulnerability but in the interest of coordinated disclosure we do ask security researchers and other stakeholders to allow us sufficient time to patch the vulnerability before publishing the details.

We believe in crediting security researchers based on the value of the contributions provided. Our security team reviews each disclosure and assigns a scored value based on the relevance of the disclosure. These scores are calculated quarterly and the top individuals are publicly credited on our website. Additional credit will be awarded to those that provide code fixes or additional information about how to fix the disclosure.

Security Disclosures

Security Reporting Process

For web site or infrastructure issues, please send an email to the Infrastructure Security mailbox.

If you have identified an issue with one of our products, then please send an email to the Security mailbox with the details.

Process details and PGP key information can be found on this page. If you wish to contact us via phone to report a security issue please call 1-877-575-9775.

Subscribing to Security Announcements

All Puppet Labs security announcements are sent to the puppet-announce mailing list. If you wish to be informed as security updates are released, please subscribe to this list.