Product Security at Elastic
Overview
Safeguarding our customers and community is our top priority; they are at the heart of everything we do. We deeply value our partnership with the security community, and share the goal of keeping our users and the internet safe.
It is vital that we are notified as early as possible regarding any security issues within our products and services. This page outlines the policies and procedures for reporting vulnerabilities found within Elastic’s own software and services.
Responsibly Reporting Vulnerabilities
To ensure the security of our users and Elastic, as well as proper tracking and triage, we do not accept or process security vulnerability bug reports submitted through GitHub Issues, email, social media, or other platforms. Please select the reporting channel that best fits your relationship with Elastic:
Individuals: If you are a security researcher, a community user, or simply not a commercial customer of Elastic, please report exclusively through our bug bounty program.
- Submission Channel: https://hackerone.com/elastic
Customers & Partners: All security-related concerns identified by existing customers and partners of Elastic are handled through established direct channels. Customers are therefore advised to reach out through those communication channels.
Coordinated Disclosure Policy
Under the principles of Coordinated Vulnerability Disclosure, the Elastic Product Security team working with Elastic Engineering analyzes reported vulnerabilities to identify recommended mitigations or product updates.
Please Note: We request that you do not post or share any information about potential vulnerabilities in any public forum until we have researched and responded to the issue via our official channels.
Security Advisories
When a vulnerability is confirmed and resolved, we publish an Elastic Security Advisory (ESA). This serves as the official announcement regarding security issues within Elastic products.
Elastic is an authorized CVE Numbering Authority (CNA): we assign CVE IDs to vulnerabilities and publish Common Vulnerabilities and Exposures (CVE) Records. Our policy depends on where the vulnerability originates:
- Elastic Software: For vulnerabilities identified within code produced by Elastic, we assign a unique CVE ID, publish the CVE Record to the NVD database, and publish the ESA on our own portal at discuss.elastic.co.
- Third-Party Dependencies: If a vulnerability exists in a third-party library or dependency bundled with our software, we do not assign a new CVE ID. Instead, the ESA will reference the existing upstream CVE ID defined by the third party.
Each advisory includes:
- An ESA identifier
- The applicable CVE ID (either Elastic-assigned or Upstream)
- A summary of the issue
- Affected Versions
- Remediation and mitigation details
- Severity rating using Common Vulnerability Scoring System (CVSS)
How to stay informed:
- View Advisories: Elastic Security Announcements
- Subscribe via Discuss: Click the bell icon and select 'Watching' on the page above
- Subscribe via RSS Feed: Elastic Security Announcements RSS Feed
Other Security Inquiries
If you have a security-related inquiry that is not a security vulnerability bug report (e.g., questions about our encryption standards, compliance, vulnerability scanner results, or inquiries about published CVEs), you may contact the Product Security team directly.
- Email: security@elastic.co
PGP key fingerprint:
1224 D1A5 72A7 3755 B61A 377B 14D6 5EE0 D2AE 61D2
Note: You can encrypt your messages with the PGP key above if the email contains sensitive information. This key is available via public keyservers, e.g. OpenPGP.