<!DOCTYPE html> <html lang='en'> <head> <title> About the Jenkins Security Team </title> <meta content='text/html; charset=UTF-8' http-equiv='Content-Type'> <meta content='Jenkins – an open source automation server which enables developers around the world to reliably build, test, and deploy their software' name='description'> <meta charset='utf-8'> <meta content='width=device-width, initial-scale=1' name='viewport'> <meta content='ie=edge' http-equiv='x-ua-compatible'> <link href='https://www.jenkins.io/security/team/' rel='canonical'> <!-- Favicons --> <link href='/favicon.ico' rel='shortcut icon' type='image/x-icon'> <link href='/apple-touch-icon.png' rel='apple-touch-icon' sizes='180x180'> <link href='/favicon-32x32.png' rel='icon' sizes='32x32' type='image/png'> <link href='/favicon-16x16.png' rel='icon' sizes='16x16' type='image/png'> <link href='/site.webmanifest' rel='manifest'> <link color='#5bbad5' href='/safari-pinned-tab.svg' rel='mask-icon'> <meta content='#2b5797' name='msapplication-TileColor'> <meta content='#ffffff' name='theme-color'> <meta content='About the Jenkins Security Team' name='apple-mobile-web-app-title'> <!-- Twitter Card data --> <meta content='summary_large_image' name='twitter:card'> <meta content='@JenkinsCI' name='twitter:site'> <meta content='About the Jenkins Security Team' name='twitter:title'> <meta content='Jenkins – an open source automation server which enables developers around the world to reliably build, test, and deploy their software' name='twitter:description'> <meta content='@JenkinsCI' name='twitter:creator'> <!-- Twitter Summary card images must be at least 120x120px --> <meta content='/images/logo-title-opengraph.png' name='twitter:image'> <!-- Open Graph data --> <meta content='About the Jenkins Security Team' property='og:title'> <meta content='article' property='og:type'> <meta content='https://www.jenkins.io/security/team/' property='og:url'> <meta content='Jenkins – an open source automation server which 
enables developers around the world to reliably build, test, and deploy their software' property='og:description'> <meta content='About the Jenkins Security Team' property='og:site_name'> <meta content='/images/logo-title-opengraph.png' property='og:image'> <link href='/assets/bower/bootstrap/css/bootstrap.min.css' media='screen' rel='stylesheet'> <link href='/css/jenkins.css' media='screen' rel='stylesheet'> <link href='/css/copy-to-clipboard.css' media='screen' rel='stylesheet'> <link href='/stylesheets/styles.css' media='screen' rel='stylesheet'> <!-- Non-obtrusive CSS styles --> <link href='/css/footer.css' media='screen' rel='stylesheet'> <link href='/css/font-awesome.min.css' media='screen' rel='stylesheet'> <link href='https://cdn.jsdelivr.net/npm/@docsearch/css@3' rel='stylesheet'> </head> <body> <script src='/assets/bower/jquery/jquery.min.js'></script> <script src='/js/copy-to-clipboard.js'></script> <jio-navbar class='fixed-nav' id='ji-toolbar' property='https://www.jenkins.io' showSearchBox theme='auto'></jio-navbar> <script> window.addEventListener('DOMContentLoaded', function () { for (var i = 1 ; i <= 6 ; i ++) { anchors.add('.container .row .col-lg-9 h' + i); } }) </script> <div class='container'> <div class='row body'> <div class='col-lg-3'> <div class='sidebar-nav tour'> <p> <a href="/security/" class="">Jenkins Security Home</a> </p> <strong> For Administrators </strong> <ul> <li> <a href="/security/for-administrators/" class="">Overview</a> </li> <li> <a href="/security/advisories/" class="">Security Advisories</a> </li> <li> <a href="/security/issues/" class="">Security Issues</a> </li> <li> <a href="/security/scheduling/" class="">Advisory Schedule</a> </li> <li> <a href="/security/plugins/" class="">Vulnerabilities in Plugins</a> </li> <li> <a href="/security/fixing/" class="">How We Fix Security Issues</a> </li> </ul> <strong> For Reporters </strong> <ul> <li> <a href="/security/reporting/" class="">Reporting Vulnerabilities</a> </li> <li> 
<a href="/security/cna/" class="">Jenkins CNA</a> </li> </ul> <strong> For Maintainers </strong> <ul> <li> <a href="/security/for-maintainers/" class="">Overview</a> </li> <li> <a href="/security/plugins/" class="">Vulnerabilities in Plugins</a> </li> </ul> <strong> Jenkins Security Team </strong> <ul> <li> <a href="/security/team/" class="active">About</a> </li> <li> <a href="/security/improvements/" class="">Contributions</a> </li> </ul> </div> </div> <div class='col-lg-9'> <h1> About the Jenkins Security Team </h1> <div class="paragraph"> <p>The Jenkins Security Team is a group of volunteers led by the <a href="/project/board/#security">Jenkins Security Officer</a>. Our goal is to improve the security of Jenkins and to give administrators the tools and information they need to secure their Jenkins controllers and agents.</p> </div> <div class="sect1"> <h2 id="what-we-do"><a class="anchor" href="#what-we-do"></a>What We Do</h2> <div class="sectionbody"> <div class="olist arabic"> <ol class="arabic"> <li> <p>We look for security issues in Jenkins and plugins</p> </li> <li> <p>We process incoming reports of security issues in any component</p> </li> <li> <p>We work with reporters and maintainers to get security issues fixed</p> </li> <li> <p>We develop Jenkins (core) security fixes</p> </li> <li> <p>We review and test security fixes in core and plugins</p> </li> <li> <p>We write and publish security advisories</p> </li> <li> <p>We implement security-related features and improvements (<a href="#contribute">and you can too!</a>)</p> </li> </ol> </div> <div class="paragraph"> <p>Security vulnerabilities in core are typically resolved by members of this team, while vulnerabilities in plugins are generally resolved in collaboration with the plugin maintainer(s).</p> </div> </div> </div> <div class="sect1"> <h2 id="join"><a class="anchor" href="#join"></a>Joining the Team</h2> <div class="sectionbody"> <div class="paragraph"> <p>Members of the security team have access 
to sensitive information, so membership is limited to people with a history of contributions to the Jenkins project and is subject to approval by the Jenkins Security Officer.</p> </div> <div class="paragraph"> <p>Contact the Jenkins security team via email to the private <code>jenkinsci-cert@googlegroups.com</code> mailing list if you’re interested.</p> </div> <div class="sect2"> <h3 id="expectations"><a class="anchor" href="#expectations"></a>Expectations</h3> <div class="paragraph"> <p>As a member of the security team you will be expected to contribute regularly; otherwise you may be removed from the team to limit the exposure of sensitive security-related information. Security team membership is specifically for those working on Jenkins (core) security fixes or on improving Jenkins security beyond specific components, and those contributions must be ones that are not feasible without the additional access to sensitive information that membership grants. For example, as a plugin maintainer, you can already address security issues in plugins you maintain without being a security team member.</p> </div> <div class="paragraph"> <p>There are many ways to contribute to the security of Jenkins that don’t require you to be on the security team. 
Learn more: <a href="#contribute">Other Ways to Contribute</a></p> </div> </div> <div class="sect2"> <h3 id="technical-requirements"><a class="anchor" href="#technical-requirements"></a>Technical Requirements</h3> <div class="paragraph"> <p>In order to join, you’ll need to have:</p> </div> <div class="olist arabic"> <ol class="arabic"> <li> <p>a <a href="https://accounts.jenkins.io/">Jenkins community account</a> and have logged in to Artifactory and Jira before,</p> </li> <li> <p>a <a href="https://github.com">GitHub</a> account with <a href="https://help.github.com/articles/securing-your-account-with-two-factor-authentication-2fa/">two-factor authentication enabled</a>,</p> </li> <li> <p>a <a href="https://github.com/jenkinsci/infra-cla/">Contributor License Agreement</a> (CLA) in place, and</p> </li> <li> <p>a <a href="https://libera.chat/guides/registration">registered nickname on Libera Chat</a>.</p> </li> </ol> </div> </div> </div> </div> <div class="sect1"> <h2 id="contribute"><a class="anchor" href="#contribute"></a>Other Ways to Contribute</h2> <div class="sectionbody"> <div class="paragraph"> <p>You can contribute to the security of Jenkins and its plugin ecosystem even without being a security team member:</p> </div> <div class="ulist"> <ul> <li> <p>Identify and report security issues, even in plugins you maintain yourself. As a reporter, you can include proposed fixes or ask the maintainer to collaborate with you on a fix. As a maintainer, please inform us about security issues in your own plugins, even if you fix the issue yourself. This lets us properly inform users.</p> </li> <li> <p>Inform us about plugin security updates without a corresponding security advisory. 
Plugin maintainers may be unaware of our process, so this helps ensure all security updates are properly announced.</p> </li> <li> <p>Document security best practices for Jenkins administrators and Jenkins developers.</p> </li> <li> <p>As a Jenkins developer, develop features and improvements that help admins secure their controllers and agents. <a href="/security/improvements/">Check out these improvements delivered by security team members over the years.</a></p> </li> <li> <p>As a plugin maintainer:</p> <div class="ulist"> <ul> <li> <p>Be responsive when contacted by the security team.</p> </li> <li> <p>Consider the security impact of features and improvements you plan to add.</p> </li> </ul> </div> </li> </ul> </div> </div> </div> </div> </div> </div> <script src='/assets/bower/anchor-js/anchor.min.js'></script> <script src='/assets/bower/@popperjs/core/umd/popper.min.js'></script> <script src='/assets/bower/bootstrap/js/bootstrap.min.js'></script> <script src='https://cdn.jsdelivr.net/npm/lit@3.2.1/polyfill-support.js'></script> <script src='https://cdn.jsdelivr.net/npm/@webcomponents/webcomponentsjs@2.8.0/webcomponents-loader.js'></script> <script data='ionicons' defer='' src='https://cdnjs.cloudflare.com/ajax/libs/ionicons/7.4.0/ionicons/ionicons.esm.js' type='module'></script> <script data='ionicons' defer='' nomodule='' src='https://cdnjs.cloudflare.com/ajax/libs/ionicons/7.4.0/ionicons/ionicons.js'></script> <script defer='' src='https://cdn.jsdelivr.net/npm/@jenkinsci/jenkins-io-components/+esm' type='module'></script> <script defer='' nomodule='' src='https://cdn.jsdelivr.net/npm/@jenkinsci/jenkins-io-components/'></script> <jio-footer githubBranch='master' githubRepo='jenkins-infra/jenkins.io' property='https://www.jenkins.io' reportAProblemTemplate='4-bug.yml' sourcePath='content/security/team.adoc'></jio-footer> <script> $(function(){ var $body = $(document.body); $body.on("keydown", function(){ $body.removeClass("no-outline"); }) const 
updateTheme = () => { const dark = window.matchMedia && window.matchMedia('(prefers-color-scheme: dark)').matches; document.documentElement.dataset.theme = dark ? "dark" : ""; } updateTheme(); window.matchMedia('(prefers-color-scheme: dark)').addEventListener('change', updateTheme); }) </script> </body> </html>