Reporting a security issue in Tuleap

All security bugs in Tuleap should be reported by emailing

A member of our security team will your vulnerability report within 3 business days, and you will receive a response indicating the next steps in handling your report.

Vulnerabilities in third-party applications should be reported to their respective maintainers. The Tuleap security team is not responsible for the security of these applications but will attempt to contact the third-party maintainer if an issue is brought to his attention.

If you feel it is necessary, you can use the GPG key displayed below to transmit securely your report.

Any efforts made for improving the security of the Tuleap software or its users will be greatly appreciated by the Tuleap community. If you want your disclosure will be publicly acknowledged in the public report. Please refrain from requesting compensation for reporting vulnerabilities. At this time the Tuleap project does not deliver bounties.

Issues not affecting the security of the Tuleap software but of one of the services managed for the Tuleap community (such as issues affecting the website) can be reported under the same guidelines but do not warrant a public acknowledgment. SPF, DKIM, or DMARC issues in one of the services managed for the Tuleap community must not be reported.

Coordinated Disclosure Guidelines

The Tuleap community would be grateful if security researchers comply with the following guidelines while researching and reporting vulnerabilities:

  • Do not test for vulnerabilities on instances you do not own. Tuleap is an open-source software, you can install your own copy or use our Docker image to quickly get a playground.
  • Confirm the vulnerability exists in the most recent stable or development version.
  • Allow the security team enough time to correct the reported vulnerability before publicly identifying or disclosing it.

Our security team follows the following guidelines:

  • Vulnerability reports can take some time to be resolved but every effort will be made to handle a bug in as timely a manner as possible.
  • Advisories for the reported vulnerabilities are made public one week after the publication of a major Tuleap release including the fix in the Tuleap bug report tracker.
  • Security researchers and their findings are respected and will be publicly acknowledged if they wish.
  • No legal threats nor punitive actions against security researchers for reporting vulnerabilities will be made.