The Cloud Foundry Foundation (CFF) Security Team provides a single point of contact for the reporting of security vulnerabilities in open source Cloud Foundry codebases and coordinates the process of investigating any reports. Please see this page for more information about what might qualify as a vulnerability.

Reporting a Vulnerability

We strongly encourage people to report security vulnerabilities privately to our security team before disclosing them in a public forum.

Please note that the e-mail address below should only be used for reporting undisclosed security vulnerabilities in open source Cloud Foundry codebases and managing the process of fixing such vulnerabilities. We cannot accept regular bug reports or other security-related queries at this address.

The e-mail address to use to contact the CFF Security Team is [email protected].

The fingerprint is: A576 4CD4 EE9A 002D 72F5 2A32 46B6 FF8F 8CF0 880C

It can be obtained from a public key server such as

NOTE: Emails to [email protected] may be responded to by CFF staff, CFF volunteers or one (or more) of the vulnerability management teams from the organizations participating in the development of Cloud Foundry projects. Only those individuals or teams that demonstrate professionalism in handling inbound vulnerability reports are included in these efforts.