upstream/traefik
1
0
Fork 0
mirror of https://github.com/traefik/traefik.git synced 2026-04-09 02:56:11 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 1
traefik/docs/content/contributing/submitting-security-issues.md
Emile Vauge 6d6374d499
Some checks failed
CodeQL / Analyze (push) Has been cancelled
Details
Build and Publish Documentation / Doc Process (push) Has been cancelled
Details
Build experimental image on branch / build-webui (push) Has been cancelled
Details
Build experimental image on branch / Build experimental image on branch (push) Has been cancelled
Details
Add vulnerability submission quality guidelines
2026-03-13 06:50:04 -03:00

2.5 KiB
Raw Permalink Blame History

title description
Traefik Security Documentation Security is a key part of Traefik Proxy. Read the technical documentation to learn about security advisories, CVE, and how to report a vulnerability.

Security

Security Advisories

We strongly advise you to join our mailing list to be aware of the latest announcements from our security team. You can subscribe by sending an email to security+subscribe@traefik.io or on the online viewer.

CVE

Reported vulnerabilities can be found on cve.mitre.org.

Report a Vulnerability

We want to keep Traefik safe for everyone. If you've discovered a security vulnerability in Traefik, we appreciate your help in disclosing it to us in a responsible manner, by creating a security advisory.

Submission Quality Guidelines

We have been receiving an increasing number of low-quality vulnerability reports that are not actual security issues. Many of these reports originate from AI/LLM tools and are submitted without any human validation or testing. This wastes the time of our security team and delays the handling of legitimate vulnerabilities.

Before submitting a security advisory, you must:

  • Carefully test and validate the vulnerability yourself before submitting. You must be able to demonstrate a working proof of concept with clear reproduction steps.
  • Understand the impact of the vulnerability and explain how it can be exploited in a realistic scenario.
  • Verify that the issue is not a false positive. Ensure the behavior you are reporting is actually a security concern and not expected behavior.

Policy on AI-Generated Reports

Security reports that are directly generated by AI/LLM tools without proper human validation will be closed immediately.

Indicators of unvalidated AI-generated reports include (but are not limited to):

  • No working proof of concept or reproduction steps.
  • Generic or theoretical vulnerability descriptions with no evidence of actual testing.
  • Misunderstanding of Traefik's architecture or threat model.
  • Hallucinated code paths, configuration options, or behaviors that do not exist.

Contributors who repeatedly submit low-quality or unvalidated reports may have their accounts blocked.

We appreciate the work of security researchers who take the time to rigorously validate their findings. Quality over quantity helps keep Traefik safe for everyone.