Security Issues
We support the responsible disclosure of vulnerabilities and therefore ask for sufficient time to patch the issue before publishing the details.
Reporting a Security Vulnerability
We take the security of our software seriously. If you believe you have found a security vulnerability in an Icinga product, please report it to us using one of the two methods below.
We accept only security-related issues through these channels. For bugs and feature requests, please use the project's issue tracker. When we receive an issue and agree it is a vulnerability, we will contact you and plan the next steps together.
For a full list of all Icinga-related CVEs, please visit cve.mitre.org.
1. GitHub Private Vulnerability Reporting (Recommended)
The fastest way to report a vulnerability for a specific project is through GitHub. This allows for secure, private communication directly within the context of the source code.
- Navigate to the Security tab of the relevant Icinga repository on GitHub.
- Select Report a vulnerability to open a private draft.
- Provide a detailed description, steps to reproduce, and any potential impact.
2. Email via PGP
If you prefer not to use GitHub, or if the issue spans multiple projects or affects any of Icinga’s web services, you can contact our security team via email.
- Email: security(at)icinga.com
- Encryption: To ensure confidentiality, you can encrypt your message using our PGP Public Key.
- Fingerprint: 4A7E 2D51 E626 E324 87E4 D9A7 AA5F 3BFF 899B 6DA5
- Key ID: AA5F3BFF899B6DA5
You can download our public key from keys.openpgp.org by searching for the email address or key ID.
What to include in your Report
To help us resolve the issue as quickly as possible, please include:
- The specific product and version affected.
- A descriptive title and severity assessment.
- A proof-of-concept (PoC) or clear steps to reproduce the behavior.
- Any suggestions for mitigation or a fix.
We ask that you follow Responsible Disclosure guidelines. Please give us a reasonable amount of time to fix the issue before publishing any information regarding the vulnerability.
