The Cloud Foundry Foundation (CFF) Security Team provides a single point of contact for the reporting of security vulnerabilities in open source Cloud Foundry codebases and coordinates the process of investigating any reports. Please see this page for more information about what might qualify as a vulnerability.

Reporting a Vulnerability

We strongly encourage people to report security vulnerabilities privately to our security team before disclosing them in a public forum.

Please note that the e-mail address below should only be used for reporting undisclosed security vulnerabilities in open source Cloud Foundry codebases and managing the process of fixing such vulnerabilities. We cannot accept regular bug reports or other security-related queries at this address.

The e-mail address to use to contact the CFF Security Team is

The fingerprint is: 3FC8 9AF3 940B E270 CF25  E122 9965 0006 EF9D C642.

It can be obtained from a public key server such as

NOTE: Emails to may be responded to by CFF staff, CFF volunteers or one (or more) of the vulnerability management teams from the organizations participating in the development of Cloud Foundry projects. Only those individuals or teams that demonstrate professionalism in handling inbound vulnerability reports are included in these efforts.