Vulnerability Program Active

Report a Security Vulnerability

We take the security of GeoServer and our users' data seriously. If you believe you've discovered a vulnerability, we encourage responsible disclosure.

Reporting Guidelines

✅ In-Scope Targets

GeoServer core platform & APIs (WMS, WFS, WCS)
Authentication & session management
Data encryption & key management
Cloud infrastructure & deployment configs
Third-party integrations & SDKs

🚫 Out-of-Scope

DDoS or social engineering attacks
Self-XSS or browser-side vulnerabilities
Missing security headers (unless critical)
Vulnerabilities in third-party software
Issues requiring privileged access

📝 What to Include

Clear title & severity assessment
Step-by-step reproduction instructions
Proof of concept (PoC) or logs
Impact description & suggested mitigation
Your contact information for follow-up

How to Submit

Direct Submission Channels

📧

Primary Email security@geoserver.io

🔐

PGP Public Key Fingerprint: 8A2B 4C9D 1E3F 0011 2233 4455 6677 8899 AABB CCDD

-----BEGIN PGP PUBLIC KEY BLOCK-----
mQENBF6xY8YBCAD...[truncated for security]...vZ
=4aRk
-----END PGP PUBLIC KEY BLOCK-----

We recommend encrypting sensitive details. Our team monitors this inbox 24/7.

Secure Web Submission

Your Contact Email

Target Component

Vulnerability Description

Do not include actual exploit code or sensitive data. We will request PoC if needed.

Disclosure Process & SLA

Acknowledgment

You will receive an automated confirmation followed by a human review.

Within 24 hours

Triaging & Validation

Our security engineering team will verify the report, assess severity, and assign a CVE if applicable.

Within 5 business days

Remediation & Patching

We will develop, test, and deploy a fix. Critical vulnerabilities may trigger emergency releases.

14–30 days based on severity

Resolution & Recognition

Once patched, we will notify you. Researchers may be credited in our security acknowledgments or eligible for our bug bounty.

Post-deployment