The Jenkins project is a CVE Numbering Authority (CNA) for Jenkins and Jenkins plugins published by the Jenkins project (listed on plugins.jenkins.io and/or hosted in the jenkinsci GitHub organization). This means that the Jenkins project assigns CVE IDs for vulnerabilities in these components.
Determining whether there is another CNA for a specific component can be challenging, especially if the companies have changed names, been acquired, or do not share a common name with the component itself. This means that the search is manual and a best-effort approach.
If a CNA wishes to identify themselves for a particular component, they can use the contact information below. The same applies in response to an advisory: if a CNA was not found in our search, they can contact us to be included in our list for future reference.
Contact us at jenkinsci-cert@googlegroups.com if you have any questions about the Jenkins CNA.
Do not contact the Jenkins security team asking us for compliance documents, certifications, or to fill out a questionnaire. We will not respond to such queries. If we consider it necessary to provide a statement in response to incidents such as log4shell or SpringShell, you will find a response in our blog.