Security issues

Responsible Vulnerability Disclosure

Elastic values our partnership with the security community and shares the goal of keeping our users and the internet safe. Please report potential security vulnerabilities affecting any of Elastic's products, the Elastic Cloud Service, or the elastic.co website via our HackerOne bug bounty program. For detailed scope and rules of engagement, please refer to our HackerOne program policy.

Under the principles of Coordinated Vulnerability Disclosure, Elastic analyzes potential security vulnerabilities to identify any recommended mitigations or product updates and coordinates disclosures via Elastic Security Advisories (ESA) and the CVE program. Elastic requests that you do not post or share any information about potential vulnerabilities in any public forum until we have researched and responded to the issue.

Other security issues

Users and customers may report any other potential security issues to security@elastic.co. This address can be used for product security-related inquiries or requests about other security topics that are not explicitly mentioned here. We can accept only security issues at this address. Bug reports should be directed to the bug database of the project you're reporting on or raised to Elastic Support.

If you would like to encrypt your message to us, please use our PGP key. The fingerprint is:

1224 D1A5 72A7 3755 B61A 377B 14D6 5EE0 D2AE 61D2

The key is available via keyservers; search for 'security@elastic.co' (for example, on OpenPGP).

Elastic Security Advisories

An Elastic Security Advisory (ESA) is an announcement about a security issue with one or more Elastic products. Elastic assigns a CVE and an ESA identifier to each advisory and publishes a summary of the issue with remediation and mitigation details. All new advisories are announced in the Security Announcements forum. Subscribe to these announcements by clicking the bell icon and selecting 'Watching' on the forum page or, alternatively, via the RSS feed.