Nautobot Security

Nautobot's development team is strongly committed to responsible reporting and disclosure of security-related issues, as outlined below and in the SECURITY.md published to GitHub.

Security Tools Used

The Nautobot development team currently makes use of the following tools, among others, to help ensure Nautobot's security:

Mend Renovate

We use Renovate to automatically keep Nautobot's library dependencies appropriately updated on a regular cadence. In general we use Renovate to update library patch versions in Nautobot patch releases, and update libraries to their latest minor or major releases (where appropriate and possible) in Nautobot minor/major releases, but of course there may be exceptions depending on the versioning methodology of each library.

A representative example pull request opened by Renovate is #6689.

GitHub Dependabot

We use Dependabot to automatically notify us when security issues are identified in Nautobot's library dependencies as well as when an updated library is available containing a security fix.

A representative example pull request opened by Dependabot is #6073.

Snyk

We use Snyk to monitor the Nautobot code base on an ongoing basis for potential security vulnerabilities.

An example of a security improvement resulting from Snyk code analysis is #5054.

Ruff

We use Ruff as a linting tool, in part to proactively detect potential security vulnerabilities in updated or newly introduced code through its security-related rule sets, such as "S".

Security Vulnerability Reporting

We appreciate the time security researchers and users contribute to reporting vulnerabilities to the Nautobot Community.

If you feel your report is safe for public disclosure (for example, a CVE related to a dependency, or a low-risk bug), please feel free to open a bug issue on GitHub.

If you are unsure of the severity of your report or you feel it should not be publicly disclosed until a fix has been released, you can also email security@nautobot.com with the security details.

You may encrypt your email with the GPG keys of the security response members below. While accepted, encryption using GPG is NOT mandatory to make a disclosure.

When Should I Report a Vulnerability?

  • You think you discovered a potential security vulnerability in Nautobot
  • You are unsure how a vulnerability affects Nautobot
  • You think you discovered a vulnerability in another project that Nautobot depends on

When Should I NOT Report a Vulnerability?

  • You need help configuring Nautobot security settings (such as external authentication)
  • You need help applying security related updates
  • Your issue is not security related

Security Response Team

Below are the current team members responsible for receiving and triaging Nautobot security issues.

Security Vulnerability Response

Each report is acknowledged and analyzed by security response members within five (5) working days.

Any vulnerability information shared with security response members stays within the Nautobot project and will not be disseminated to other projects unless it is necessary to get the issue fixed.

As the security issue moves from triage, to an identified fix, to release planning, we will keep the reporter updated.

Public Disclosure Timing

A public disclosure date can be negotiated by the Nautobot maintainers and the bug submitter. We prefer to fully disclose the bug as soon as possible once a user mitigation is available. It is reasonable to delay disclosure when the bug or the fix is not yet fully understood, the solution is not well-tested, or for vendor coordination. The timeframe for disclosure ranges from immediate (especially if the issue is already publicly known) to a few weeks. For a vulnerability with a straightforward mitigation, we expect the time from report date to disclosure date to be on the order of ten (10) days. The Nautobot maintainers hold the final say when setting a disclosure date.

Accepted disclosures will be published on GitHub and will also be added to the Nautobot documentation.