Infrastructure Security

Infrastructure Security

This process should be followed for reporting issues with Puppet Labs infrastructure such as:

  • yum/
  • and any of our other web properties other than the Forge

While we do believe in crediting security researchers who make valuable contributions to our product security, note that we do not typically provide such credit for minor infrastructure security issues on our web properties.

Note that we do not consider the following class of issues to be report-worthy when they relate to our infrastructure:

  • Software version/Banner disclosure
  • Directory traversal on yum/apt/ where traversal is explicitly desired
  • Self-XSS/CSRF on unauthenticated web forms (including logout CSRF)
  • Disclosure/Discovery of known public files or directories(e.g., robots.txt, simple DNS enumeration)
  • Brute Force attempts (e.g., Login Page/Forgot Password without lockouts)
  • Account enumeration (e.g., enumerating Login/Reset fields for valid accounts without lockouts)

To contact the Puppet Labs Infrastructure team, please use the email address:

Product Security

This process should be followed for reporting issues with any Puppet Labs Products such as Puppet Enterprise, Puppet and MCollective, as well as the Puppet Forge. This process should also be followed for any security issues related to packages we distribute, however please follow the Infrastructure Security process for the infrastructure hosting those packages (yum/, etc.)

If you wish to contact the Puppet Labs Security Team via encrypted communication, we encourage you to use our GPG Public Key:

Puppet Labs Security Team <>
Key Long-format ID: 8728524FE21D3FC6
Key Fingerprint: 489C F9E6 BB24 2589 EFF5 BB68 8728 524F E21D 3FC6

The key is available in ASCII encoded format here. It can also be retrieved and verified from the MIT Key Server.

Puppet Labs is happy to fully disclose all details of a security vulnerability but in the interest of coordinated disclosure we do ask security researchers and other stakeholders to allow us sufficient time to patch the vulnerability before publishing the details.

We believe in crediting security researchers based on the value of the contributions provided. Our security team reviews each disclosure and assigns a scored value based on the relevance of the disclosure. These scores are calculated quarterly and the top individuals are publicly credited on our website. Additional credit will be awarded to those that provide code fixes or additional information about how to fix the disclosure.

Security Disclosures

Infrastructure as Code – Automation of Your Cloud Operations

Infrastructure as Code – Automation of Your Cloud Operations

Azure MVP Matous Rokos and Ken Kaban from PowerON discuss the power of automation and templates for Azure best practice. If you would like to learn more, visit our website:
Alternatively, please email us at:
Are you following us on social media? We post updates everyday.

[huge_it_video_player id=”1″]