Cloud Foundry Foundation Security Notices

The Cloud Foundry Foundation (CFF) Security Team provides a single point of contact for the reporting of security vulnerabilities in open source Cloud Foundry codebases and coordinates the process of investigating any reports. Please see this page for more information about what might qualify as a vulnerability.

Reporting a Vulnerability

We strongly encourage people to report security vulnerabilities privately to our security team before disclosing them in a public forum. Please note that the e-mail address below should only be used for reporting undisclosed security vulnerabilities in open source Cloud Foundry codebases and managing the process of fixing such vulnerabilities. We cannot accept regular bug reports or other security-related queries at this address.

The e-mail address to use to contact the CFF Security Team is

The fingerprint is: 3FC8 9AF3 940B E270 CF25  E122 9965 0006 EF9D C642.

It can be obtained from a public key server such as

Disclosure Process

Due to the nature of the Cloud Foundry platform, vulnerabilities handled by our project teams have two distinct sources: vulnerabilities within upstream dependencies and vulnerabilities found within the Cloud Foundry source code itself.

Vulnerabilities in dependencies are typically publicly disclosed by the upstream communities, and the Cloud Foundry project teams strive to integrate and release fixes as quickly as possible. Project teams include information about these vulnerabilities within the release notes of the relevant project release.

Vulnerabilities in Cloud Foundry software that are reported to the Cloud Foundry security team (or identified by a project team member) are treated as confidential information until disclosed. The information is shared with the relevant Project Lead and developers. Early information about important vulnerabilities is shared with a group of appropriately qualified security contacts from each certified downstream offering based on Cloud Foundry, provided that they continue to maintain the confidentiality of information provided via this communication channel. Once a release is made that includes the appropriate fix(es), the vulnerability and suggested remediation steps are publicly disclosed.