Reporting a vulnerability
Choose a private channel
- GitHub (preferred): open a private report from the repository’s Security tab using “Report a vulnerability” (direct link).
- Email:
security-advisories@trigger.dev
Include the details
A description and impact, steps to reproduce (a proof of concept helps), affected versions/components, and any suggested fix.
What to expect
| Stage | Target |
|---|---|
| Acknowledgement | within 3 business days |
| Validation + CVSS 3.1 severity assessment | within 1 week |
| Severity (CVSS 3.1) | Target time to resolve |
|---|---|
| Critical (9.0–10.0) | 7 days |
| High (7.0–8.9) | 30 days |
| Medium (4.0–6.9) | 90 days |
| Low (0.1–3.9) | As needed |
These are best-effort targets measured from when we validate and accept a report, not guarantees. We follow coordinated disclosure with a default 90-day window, and publish a GitHub Security Advisory (requesting a CVE where applicable) once a fix ships.

