Skip to content
GitHub

Security

Security Advisories

We strongly advise you to join our mailing list to be aware of the latest announcements from our security team. You can subscribe by sending an email to [email protected] or on the online viewer.

CVE

Reported vulnerabilities can be found on cve.mitre.org.

CVEs are only created for vulnerabilities affecting Generally Available (GA) versions of Traefik. Vulnerabilities discovered in non-GA versions (release candidates, betas, early access, or development branches) will be fixed without creating a CVE.

Report a Vulnerability

We want to keep Traefik safe for everyone. If you've discovered a security vulnerability in Traefik, we appreciate your help in disclosing it to us in a responsible manner, by creating a security advisory.

Code of Conduct for Vulnerability Submissions

We are committed to handling every legitimate report responsibly, and we expect submitters to engage with our security team in a respectful and collaborative manner.

The following behaviors are not acceptable and will not be tolerated:

  • Threats to publicly disclose the vulnerability if it is not fixed within a timeframe you set unilaterally.
  • Ultimatums or pressure tactics intended to force a faster response than our normal triage and remediation process allows.
  • Demands for payment, bug bounties, or any form of compensation in exchange for not disclosing the issue (Traefik does not operate a paid bug bounty program).
  • Aggressive, abusive, or disrespectful communication with our security team.

Submitters who engage in any of the above may face the following consequences:

  • The submitter will not be credited in the security advisory or any subsequent communication.
  • The submitter's GitHub profile may be reported to GitHub for violation of platform terms of service.
  • We may decline to engage further on the report, while still addressing the underlying issue if it is legitimate.

We take security seriously and act on legitimate reports as quickly as our resources allow. Patience and constructive dialogue help us protect users effectively.

Submission Quality Guidelines

We have been receiving an increasing number of low-quality vulnerability reports that are not actual security issues. Many of these reports originate from AI/LLM tools and are submitted without any human validation or testing. This wastes the time of our security team and delays the handling of legitimate vulnerabilities.

Before submitting a security advisory, you must:

  • Carefully test and validate the vulnerability yourself before submitting. You must be able to demonstrate a working proof of concept with clear reproduction steps.
  • Understand the impact of the vulnerability and explain how it can be exploited in a realistic scenario.
  • Verify that the issue is not a false positive. Ensure the behavior you are reporting is actually a security concern and not expected behavior.

Policy on AI-Generated Reports

Security reports that are directly generated by AI/LLM tools without proper human validation will be closed immediately.

Indicators of unvalidated AI-generated reports include (but are not limited to):

  • No working proof of concept or reproduction steps.
  • Generic or theoretical vulnerability descriptions with no evidence of actual testing.
  • Misunderstanding of Traefik's architecture or threat model.
  • Hallucinated code paths, configuration options, or behaviors that do not exist.

Contributors who repeatedly submit low-quality or unvalidated reports may have their accounts blocked.

We appreciate the work of security researchers who take the time to rigorously validate their findings. Quality over quantity helps keep Traefik safe for everyone.