In February 2021, we announced our dedicated security advisories page. Following that, we are now a CVE Numbering Authority (CNA). This authorizes Octopus Deploy to assign CVE IDs to vulnerabilities within the scope of Octopus Deploy.
What is CVE?
CVE is an international, community-based effort that relies on the community to discover vulnerabilities.
- Vulnerabilities are discovered, then assigned and published to the CVE list.
- The CVE Records published in the catalog enable program stakeholders to rapidly discover and correlate vulnerability information used to protect systems against attacks.
Why did we become a CNA?
As we mature our security practices, we want to simplify our CVE process. This ensures that when we release information about vulnerabilities, we're certain the CVE ID and the accompanying security advisory are released at the same time.
This is important to us because it makes sure our customers have all the information they need to confirm their Octopus installations are secure.
If you're interested in learning more about Trust and Security at Octopus Deploy, see our Trust and Security roadmap.
If you need to report a vulnerability, please contact us at firstname.lastname@example.org.