---
title: "Report a Vulnerability"
url: "https://docs.caracal.run/security/disclosure/"
markdown_url: "https://docs.caracal.run/markdown/security/disclosure.md"
description: "How to report Caracal security vulnerabilities responsibly."
page_type: "reference"
concepts: []
requires: []
---

# Report a Vulnerability


Report suspected vulnerabilities privately. Do not open public issues for credential exposure, policy bypass, unsafe execution, exploitable operational failures, or other security defects.

## Reporting Channels

| Channel | Use for |
| --- | --- |
| GitHub private advisory | Open-source Caracal vulnerabilities: `https://github.com/Garudex-Labs/caracal/security/advisories/new` |
| Email | Sensitive reports, attachments, patches, exploit demonstrations, or enterprise-related reports: `support@garudexlabs.com` |

Enterprise-related vulnerabilities must be reported by email, not GitHub advisories.

## Email Format

```text
Subject: [SECURITY][caracal] Short description

1. Summary
2. Steps to reproduce
3. Impact
4. Affected area
5. Suggested fix
6. Attachments
```

Keep reports clear, reproducible, and private. Do not include secrets in public channels or public pull requests.

## Response and Disclosure

The maintainers aim to review and respond within 7 days. Resolution timing depends on the complexity of the issue and the validation it requires. Public disclosure should wait until a fix or mitigation is available, or until the maintainers decide not to address the issue.

## Related Pages

- [Security Policy in the repository](https://github.com/Garudex-Labs/caracal/blob/main/.github/SECURITY.md)
- [Respond to Incidents](/operations/incident-response/)
- [Review the Threat Model](/security/threat-model/)
