The Jenkins project takes security seriously. We make every possible effort to ensure users can adequately secure their automation infrastructure. To that end, we want to guarantee that the infrastructure part of the project is as secure as possible, so that the supply chain used to build and deliver Jenkins components stays safe.
Please report security vulnerabilities in the Jenkins issue tracker under the SECURITY project. This project is configured in such a way that only the reporter and the security team can see the details. By restricting access to this potentially sensitive information, we can work on a fix and deliver it before the method of attack becomes well-known.
If you are unable to report using our issue tracker, you can also send your report to the private Jenkins security team mailing list: jenkinsci-cert@googlegroups.com
The Jenkins security team will then file an issue on your behalf, and will work with the maintainers of the affected component(s) to get the issue resolved.
For further details about our scope, issue handling process, or disclosure process, see Reporting Security Vulnerabilities on jenkins.io.