Vulnerability Disclosure Policy
Scope
Reports for security issues in Docker Hub, Docker Scout, Docker Build Cloud, TestContainers, Docker Desktop, Docker extensions published by Docker in the Docker Desktop Marketplace and open-source projects maintained by Docker are also accepted and highly appreciated. For security issues in any extensions not owned by Docker, please reach out to the respective vendor instead.
Domains:
- docker.com
- www.docker.com
- hub.docker.com
- build.docker.com
- *.docker.com
- *.docker.io
Scope Exclusions
Security testing and reports for the following are considered out of scope:
- Vulnerabilities in 3rd-party websites and dependencies, and in services or platforms used to maintain and build Docker OSS (e.g. CI/CD systems, package managers)
- Social engineering
- Denial of service
- Brute force attacks
- Information disclosure without demonstrated impact
- Vulnerabilities confined to outdated browser versions
- Hardening tips and non-default unsafe configurations
Guidelines
Under this policy,
- Notify Docker as soon as possible after you discover a security issue that falls within the program scope.
- Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data that is not your own.
- Only use exploits to the extent necessary to confirm a vulnerability’s presence. Do not use an exploit to compromise or exfiltrate data, establish persistence, or use the exploit to “pivot” to other systems.
- Provide Docker a reasonable amount of time to resolve the issue before you disclose it publicly.
- Do not intentionally compromise the privacy of Docker customers, Docker personnel or any third parties.
- Do not intentionally compromise the intellectual property or other commercial or financial interests of Docker personnel or entities, or any third parties.
- When performing security testing, please only target your own accounts and do not perform any activities which reveal, compromise or corrupt other users’ data.
Vulnerability Reporting
If you have discovered a vulnerability within the scope listed above, please keep your report concise, including:
- Description, impact and steps to reproduce the issue
- Bug location (domain, URL, application, OSS repository etc.)
- Affected versions and platforms (whenever applicable)
- A benign, non-destructive Proof-of-Concept demonstrating the vulnerability’s impact without causing disruption or reputational damage
Note that we are only able to answer technical vulnerability reports. Non-security bugs and compliance-related queries should instead be directed to [email protected].
What to Expect from Docker
Docker will provide an initial response to reports within two business days.
The Docker Security team can assign CVE numbers for issues in Docker software. Docker reserves the right to determine if a CVE is necessary.
For issues that are not publicly known, we will abide by any embargoes as necessary (as part of Docker’s responsible disclosure policy embargoes are set for 90 days). We reserve the right to release fixes before an embargo has expired if other parties disclose the issue before the agreed upon embargo date or if there is evidence of abuse.
Docker offers a private bug bounty program, which provides reporters with swag for critical and high risk vulnerabilities. To be eligible, reporters must abide by this policy and the guidelines set forth in it. Docker will also offer public credit through mentions on Security Release pages, GitHub XXXX, and the Docker Hall of Fame page.
In cases of multiple reports, credit will be issued to the first researcher who reports the vulnerability.
Safe harbor
To encourage research and the responsible disclosure of security vulnerabilities, Docker will not pursue civil or criminal action, or refer the matter to law enforcement, for accidental or good-faith violations of Docker’s Vulnerability Disclosure Policy. Docker reserves all of its legal rights in the event of any noncompliance.
You must not perform any security testing on Docker products and services that is in violation of the law, disrupts the availability of production systems, or corrupts or compromises any data that is not your own.
Third Party Safe Harbor
Third party dependencies are in-scope for this program. If you identify a security vulnerability in a third party dependency, please send your vulnerability disclosure to the owner of the vulnerable package first and ensure that the issue is addressed upstream before letting us know of the issue details.
If a third party dependency vulnerability is reported to Docker, we will direct you to share it with the third party owner. Please refer to the third party’s vulnerability disclosure policy and safe harbor commitments to ensure you are in compliance.
Frequently asked questions
Q: Does Docker have a paid bug bounty program?
A: At this time, we do not have a paid bug bounty program. However, we do send swag and you will be publicly credited if you are the first one to report a verifiable security vulnerability.
Q: When can I publicly share information about a vulnerability I have discovered?
A: Please keep information about any vulnerabilities you have discovered confidential until we have had up to 90 days to resolve the issue, in accordance with industry standard practices.