The KNIME Security Team provides help and advice to KNIME software users on security issues and coordinates the handling of security vulnerabilities.
Reporting a vulnerability
We strongly encourage you to report potential security vulnerabilities to our security team first, before disclosing them in a public forum.
Only contact the security team to report undisclosed security vulnerabilities in KNIME software products and services and to manage the process of fixing such vulnerabilities. We cannot accept regular bug reports or other security-related queries. We will ignore mail that does not relate to an undisclosed security problem in KNIME software products and services.
The security team's mailing list address is: firstname.lastname@example.org. This is a private mailing list.
Please send one plain-text email for each vulnerability you are reporting. We may ask you to resubmit your report if you send it as an image, movie, HTML, or PDF attachment when you could as easily describe it with plain text.
You do not need to encrypt submissions, and it takes us longer to respond to encrypted reports. There is no team key for email@example.com; instead you can use the OpenPGP keys of the following subset of members of the KNIME Security Team. Note that this is not a complete list of KNIME Security Team members and that you should not contact these members individually about security issues.
- Sebastian Bogan - FD67 9443 9127 8E40 9550 0B4B C338 3308 B334 501B - keys.openpgp.org
- Thorsten Meinl - A979 94F2 5057 7838 BE37 BBB9 424F AED3 011C 9ECB - keys.openpgp.org
We do our best to acknowledge receipt of a report within one business day.
You can find information on known vulnerabilities for KNIME software products at XXX. Do not ask the KNIME Security Team directly about:
- how to configure KNIME Software securely
- whether a published vulnerability applies to specific versions of KNIME Software you are using
- whether a published vulnerability applies to the configuration of the KNIME Software you are using
- obtaining further information on a published vulnerability
- the availability of patches and/or new releases to address a published vulnerability
An overview of the vulnerability handling process is:
- The reporter reports the vulnerability privately to the KNIME Security Team.
- The KNIME Security Team works privately with the reporter to resolve the vulnerability.
- KNIME creates a new release of the product the vulnerability affects to deliver its fix and optionally provides instructions for workarounds to prevent the vulnerability from being exploited.
- KNIME publicly announces the vulnerability and describes how to apply the fix.