ContextQMD
Back to Traefik

Traefik Security Documentation

docs/content/contributing/submitting-security-issues.md

3.7.0-ea.32.3 KB
Original Source

Security

Security Advisories

We strongly advise you to join our mailing list to be aware of the latest announcements from our security team. You can subscribe by sending an email to [email protected] or on the online viewer.

CVE

Reported vulnerabilities can be found on cve.mitre.org.

Report a Vulnerability

We want to keep Traefik safe for everyone. If you've discovered a security vulnerability in Traefik, we appreciate your help in disclosing it to us in a responsible manner, by creating a security advisory.

Submission Quality Guidelines

We have been receiving an increasing number of low-quality vulnerability reports that are not actual security issues. Many of these reports originate from AI/LLM tools and are submitted without any human validation or testing. This wastes the time of our security team and delays the handling of legitimate vulnerabilities.

Before submitting a security advisory, you must:

  • Carefully test and validate the vulnerability yourself before submitting. You must be able to demonstrate a working proof of concept with clear reproduction steps.
  • Understand the impact of the vulnerability and explain how it can be exploited in a realistic scenario.
  • Verify that the issue is not a false positive. Ensure the behavior you are reporting is actually a security concern and not expected behavior.

Policy on AI-Generated Reports

Security reports that are directly generated by AI/LLM tools without proper human validation will be closed immediately.

Indicators of unvalidated AI-generated reports include (but are not limited to):

  • No working proof of concept or reproduction steps.
  • Generic or theoretical vulnerability descriptions with no evidence of actual testing.
  • Misunderstanding of Traefik's architecture or threat model.
  • Hallucinated code paths, configuration options, or behaviors that do not exist.

Contributors who repeatedly submit low-quality or unvalidated reports may have their accounts blocked.

We appreciate the work of security researchers who take the time to rigorously validate their findings. Quality over quantity helps keep Traefik safe for everyone.