Graylog Security Policy
Graylog is addressing vulnerabilities in the product for the current and the previous releases (a release is anything that increases either the major or the minor version part, in a semver understanding) of the last twelve months.
For the current release (3.1) this means:
Reporting a Vulnerability
We are grateful for anyone reporting a vulnerability, helping us to make Graylog better and more secure. Additionally, we encourage everyone to disclose bugs in a responsible way, allowing us and other Graylog users to react accordingly in a timely manner.
- If you want to report a critical bug that could: allow someone to steal credentials, execute code or escalate privileges, please send a bug report to email@example.com before publishing it. This allows us to fix it, create a new version and allows other Graylog users to update before the information is out in the wild. After receiving the bug report, we will immediately get back to you to coordinate the required action.
- If you want to report a non-critical bug, write to firstname.lastname@example.org or open an issue on github.
- This is an open source project. If you discover a bug and fix it, you are very welcome to submit a PR. You will be rewarded with the everlasting gratitude of the Graylog team and the community!
Thanks and happy logging!