KrakenD takes cybersecurity seriously.

We craft our software without taking shortcuts, making it solid and reliable and free of practices that might introduce future security problems.

This document describes our security policy and how you can help us make better software if you find problems.

KrakenD to become a CVE Numbering Authority (CNA)

KrakenD is in the process of becoming a CVE Numbering Authority (CNA) worldwide for software distribution and open-source projects.

We are partnering with the CVE Program to assign CVE IDs and publish CVE Records publicly for vulnerabilities within any KrakenD software or the Lura Project (© the Linux Foundation), so we:

How do we apply fixes

When you report a new vulnerability, KrakenD investigates the issue and tries to reproduce it. Sometimes there are vulnerabilities in external open-source libraries we use. These vulnerabilities do not necessarily transfer to KrakenD, as most of the time we use only a limited part of their functionality, and this has to be analyzed case by case. We don't have a policy of updating to the latest versions of these libraries if there is no reason for it.

Once the vulnerability is confirmed, KrakenD creates a new CVE ID that is not disclosed publicly until there is a fix for it.

We work on the fix, which is applied to the latest version and results in a new release of the software. We don't patch prior versions, although some KrakenD Enterprise customers could have justified exceptions to this rule.

Once the software is corrected, we publish the new release and announce it through several channels: GitHub release, Newsletter (see at the bottom of this page), and Twitter.

How to report a vulnerability

If you are an existing KrakenD customer or partner, please submit a support ticket or contact KrakenD through any Enterprise channels explaining your findings.

If you are not a customer, please email [email protected] with your discovery.

As soon as we read and understand your finding we will provide an answer with next steps and possible timelines.

Credits and rewards

We want to thank you in advance for the time you have spent following this issue, as it helps all users. We develop our software in the open with the help of a global community of developers and contributors with whom we share a common understanding and trust in the free exchange of knowledge.

KrakenD’s policy is to credit and reward all researchers provided they follow responsible disclosure practices:

Current rewards could include (but are not limited to):

KrakenD DOES NOT provide cash awards for discovered vulnerabilities at this time.

Thank you
