We take security seriously and are committed to ensuring the safety of our users.

If you discover a security issue in the Serverless Framework, please report it privately via our security advisories page. Do not report security vulnerabilities through public channels such as GitHub issues.

• Version 4: All security issues will be addressed promptly in Version 4.
• Version 3: Critical security issues will continue to be addressed in Version 3 through the end of 2024.
• Version 2 (and earlier): These versions are no longer supported.

Upon receiving your report, we will triage the issue within 3 business days and work to resolve it as quickly as possible. We may follow up for more details.

Your efforts to responsibly disclose vulnerabilities are greatly appreciated. At this time, we do not offer a bug bounty program.

Thank you for helping us keep the Serverless Framework secure!