Our Security Commitment
Open source means transparent. We proactively publish our vulnerability response process and welcome continuous scrutiny from the global security research community.
How We Handle Security Vulnerabilities
Report Received
Reports are acknowledged within 24 hours, and a security engineer is assigned to investigate.
CVSS Assessment
Scored using CVSS 3.1 to determine severity and scope of impact.
Patch Development
Critical vulnerabilities (CVSS score 7.0 or higher) target a fix within 7 business days.
Public Disclosure
Full CVE record published with affected versions and fix details.
Report vulnerabilities to: [email protected]
Self-Hosted vs Cloud-Hosted PAM: Data Sovereignty Compared
Cloud-Hosted PAM (SaaS)
- Credentials stored on third-party cloud servers
- Session recordings uploaded to vendor's cloud
- Vendor outages affect your availability
- A vendor data breach becomes your data breach
- Audit data subject to vendor's access policies
- No full control over data residency
JumpServer Self-Hosted
- Credentials stored on your own infrastructure
- Session recordings stay within your network
- No external dependency — availability is under your control
- Attackers cannot target what doesn't exist externally
- Audit data accessible only by your team
- Full compliance with data sovereignty regulations
Resolved Vulnerability Records
We believe transparency is the foundation of security. Below are records of major resolved vulnerabilities.
| CVE ID | Severity | Affected | Fixed In | Status |
|---|---|---|---|---|
| CVE-2023-42820 | High | v3.6.0 - v3.6.4 | v3.6.5 | Fixed |
| CVE-2024-49769 | Medium | v3.10.0 - v3.10.8 | v3.10.9 | Fixed |
| CVE-2024-49770 | Medium | v3.10.0 - v3.10.8 | v3.10.9 | Fixed |
| CVE-2024-49771 | High | v3.10.0 - v3.10.8 | v3.10.9 | Fixed |
For the complete list, see GitHub Security Advisories.
Security Starts with Transparency
JumpServer is open-source, self-hosted, and continuously audited by the global security community.