Security Information

This page hosts our security policies and information with regards to reporting security flaws. Learn more about how Cloudron offers the best security for self-hosting and how to harden your server as an owner.

Security Issue Reporting

If you have discovered a security issue with Cloudron, please read our responsible disclosure guidelines below and contact us at security@cloudron.io.
Your report should include:

  • Product version
  • A vulnerability description
  • Reproduction steps

A member of the security team will confirm the vulnerability, determine its impact, and develop a fix. The fix will be applied to the master branch, tested, and packaged in the next security release. The vulnerability will be publicly announced after the release.

Responsible Disclosure Guidelines

The Cloudron community kindly requests that you comply with the following guidelines when researching and reporting security vulnerabilities:

  • Only test for vulnerabilities on your own install of Cloudron
  • Confirm the vulnerability applies to a supported product version
  • Share vulnerabilities in detail only with the security team
  • Allow reasonable time for a response from the security team
  • Do not publish information related to the vulnerability until Cloudron has made an announcement to the community

Supported Product Versions

Cloudron follows a rolling release schedule, thus we do not currently have LTS versions. The latest version published for updates is the currently supported version. We will not support any security issue backports to non current versions, but will require the user to update to latest, where fixes will be applied.