> ## Documentation Index
> Fetch the complete documentation index at: https://trigger.dev/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# Security & vulnerability reporting

> How to report security issues in Trigger.dev, our response targets, and how self-hosters receive security notices.

We take the security of Trigger.dev seriously, for both Cloud and self-hosted deployments. This page covers how to report a vulnerability, what to expect, and how to stay informed about security releases.

<Warning>
  Do not report security vulnerabilities through public GitHub issues, pull requests, or Discord. Use one of the private channels below.
</Warning>

## Reporting a vulnerability

<Steps>
  <Step title="Choose a private channel">
    * **GitHub (preferred):** open a private report from the repository's **Security** tab using **"Report a vulnerability"** ([direct link](https://github.com/triggerdotdev/trigger.dev/security/advisories/new)).
    * **Email:** `security-advisories@trigger.dev`
  </Step>

  <Step title="Include the details">
    A description and impact, steps to reproduce (a proof of concept helps), affected versions/components, and any suggested fix.
  </Step>

  <Step title="We track it privately">
    Every report is tracked in a private GitHub Security Advisory. If you email us, we open the advisory on your behalf.
  </Step>
</Steps>

## What to expect

| Stage                                     | Target                 |
| ----------------------------------------- | ---------------------- |
| Acknowledgement                           | within 3 business days |
| Validation + CVSS 3.1 severity assessment | within 1 week          |

We score issues with CVSS 3.1 and prioritise remediation by severity:

| Severity (CVSS 3.1) | Target time to resolve |
| ------------------- | ---------------------- |
| Critical (9.0–10.0) | 7 days                 |
| High (7.0–8.9)      | 30 days                |
| Medium (4.0–6.9)    | 90 days                |
| Low (0.1–3.9)       | As needed              |

<Note>
  These are best-effort targets measured from when we validate and accept a report, not guarantees. We follow coordinated disclosure with a default 90-day window, and publish a GitHub Security Advisory (requesting a CVE where applicable) once a fix ships.
</Note>

## Supported versions

We patch the **latest released version line** only. Run the latest version-tagged release to receive security fixes — see [Self-hosting overview](/self-hosting/overview).
