Security: crowdsecurity/crowdsec

SECURITY.md

Security Policy

Scope

This security policy applies to:

  • Crowdsec agent
  • Crowdsec Local API
  • Crowdsec bouncers developed and maintained by the Crowdsec team [1]

Reports regarding developments by community members who are not part of the crowdsecurity organization will be thoroughly investigated nonetheless.

[1] Projects developed and maintained by the Crowdsec team are under the crowdsecurity GitHub organization. Bouncers developed by community members who are not part of the Crowdsec organization are explicitly excluded.

Reporting a Vulnerability

We are extremely grateful to security researchers and users that report vulnerabilities regarding the Crowdsec project. All reports are thoroughly investigated by members of the Crowdsec organization.

You can email the private [email protected] list with the security details and the details expected for all Crowdsec bug reports.

You may encrypt your email to this list using the GPG key of the Security team. Encryption using GPG is NOT required to make a disclosure.

When Should I Report a Vulnerability?

  • You think you discovered a potential security vulnerability in Crowdsec
  • You are unsure how a vulnerability affects Crowdsec
  • You think you discovered a vulnerability in another project that Crowdsec depends on

For projects with their own vulnerability reporting and disclosure process, please report it directly there.

There aren’t any published security advisories