Puppet Labs Security


Puppet Labs takes the security of its products very seriously. We respond to security issues and concerns promptly and, when necessary, release new versions of the product to address vulnerabilities or security issues.

Security Policy

Puppet Labs supports responsible disclosure of security vulnerabilities.

If you wish to contact the Puppet Labs Security Team via encrypted communication, we encourage you to use our GPG Public Key:

Puppet Labs Security Team <security@puppetlabs.com>
Key Long-format ID: 8728524FE21D3FC6
Key Fingerprint: 489C F9E6 BB24 2589 EFF5 BB68 8728 524F E21D 3FC6

The key is available in ASCII-encoded format here. It can also be retrieved and verified from the MIT Key Server.

Puppet Labs is happy to fully disclose all details of a security vulnerability, but in the interests of responsible disclosure we ask security researchers and other stakeholders to allow us sufficient time to patch the vulnerability before publishing the details.

We believe in crediting security researchers based on the value of the contributions provided. Our security team reviews each disclosure and assigns a scored value based on the relevance of the disclosure. These scores are calculated quarterly and the top individuals are publicly credited on our website. Additional credit will be awarded to those who provide code fixes or additional information about how to fix the disclosure.

Disclosures in any of Puppet Labs' web-based properties are excluded from our responsible disclosure program.

Security Disclosures

Security Reporting Process

If you have identified an issue, please send an email to the Security mailbox with the details. If you wish to report a security issue by phone, please call 1-877-575-9775.

Subscribing to Security Announcements

All Puppet Labs security announcements are sent to the puppet-announce mailing list. If you wish to be informed as security updates are released, please subscribe to this list.