Only the latest release is supported. Always consume the newest tagged version.
Please do not report security vulnerabilities through public GitHub issues.
- Go to the GitHub Security Advisory page
- Click "Report a vulnerability"
- Fill out the advisory form with detailed information
- Submit the advisory
- Description of the vulnerability
- Steps to reproduce the issue
- Potential impact of the vulnerability
- Affected versions (if known)
- Suggested fix (if you have one)
Due to limited development resources:
- Initial Response: we aim to acknowledge receipt within 48–72 hours
- Assessment: initial assessment within about a week
- Resolution: timeline depends on severity, typically 1–4 weeks
- Disclosure: coordinated disclosure after a fix is available
Core Provisioner is a Vagrant driver that runs on a developer or build host. The security-relevant areas are:
- The bootstrap SSH keypair (
ssh_keys/) — deliberately public, exactly like Vagrant's well-known insecure key. It exists only to reach a freshly booted box. Machines that keep it reachable after provisioning are misconfigured: enablevagrant_ssh_insert_keyso the key is rotated and synced back at provision time. - The certificate set (
ssls/) — a deliberately public development CA and default-signed pair, shipped inside the driver and synced to/secure/on dev machines. It exists so dev machines have working TLS out of the box. Never add it to a production trust store; bring your own certificates by replacing the files in the working copy'sdriver/ssls/. Hosts.ymlis trusted input — values from it are interpolated into provider and shell commands on the host. Only run configurations you wrote or trust.- Release integrity — release assets are immutable and ship
.sha256sidecars; consumers must verify checksums after download. - Supply chain — Dependabot and CodeQL run against this repository.
Contributors who responsibly report security vulnerabilities will be acknowledged here (with their permission):
- No vulnerabilities reported yet