Security Disclosure Policy

Security is everybody's business. We pride ourselves on making Octopus Deploy a secure product, but we are aware that no software is ever bug free. As such, there will occasionally be security issues. This policy outlines how we approach security vulnerabilities.

Guiding principles

  • We prioritise our customers' security interests over our own business interests.
  • All customers deserve to know if even the most minor of their personal data is leaked.
  • No-one benefits when security vulnerabilities are kept hidden.
  • Security at Octopus isn't a silo, it's everyone's responsibility.

Responsible disclosure

In general we follow the practice of responsible disclosure:

  • We will respond to security incidents as a priority.
  • We will fix the issue as soon as practicable, keeping in mind that not all risks are created equal.
  • We will always transparently let customers know about any incident that affects them. Usually this will be after fixing it, unless the fix is likely to take more than 24 hours and the risk is so high that customers would be better off disabling or uninstalling Octopus than waiting for a fix.
  • We promise not to take legal action against anyone who acts in good faith and complies with our responsible disclosure guidelines.

If you have a concern regarding security with Octopus Deploy, or would like to report a security vulnerability, please send an email to security@octopus.com.

For security vulnerabilities, please include as much information as possible, with full details about how to reproduce and validate the vulnerability, preferably with a proof of concept. If you wish to encrypt your report, please use our PGP key. Please give us a reasonable amount of time to correct the issue before making it public. We currently do not have a monetary rewards program for unsolicited security research, nor do we have a bug bounty program in place.

We will respond to your report within 1 business day.