Paketo Buildpacks provides a single point of contact for the reporting of security vulnerabilities in our codebases and coordinates the process of investigating any reports. Please limit notifications to those vulnerabilites that are not already disclosed publicly or belong to software that is owned by Paketo Buildpacks. To notify of vulnerabilites in other software impacting Paketo Buildpacks codebases, please file an issue in the impacted codebase.

We strongly encourage people to report security vulnerabilities privately to our security team before disclosing them in a public forum.

The e-mail address to use is security@lists.paketo.io.

Please note that the e-mail address above should only be used for reporting undisclosed security vulnerabilities in open source Paketo Buildpacks codebases and managing the process of fixing such vulnerabilities. We cannot accept regular bug reports or other security-related queries at this address.

If you wish to send encrypted email, our public key can be obtained from a public key server such as keys.openpgp.org. The fingerprint is: 3DAE AB7E 64A8 05DC 0538  FF7E A24D 7559 B7C9 D390