Vulnerability Management
This page explains the processes and tools that Teleport uses to manage vulnerabilities in our products and supply chain.
Vulnerabilities in Teleport
Teleport uses the following methods to discover vulnerabilities in the code we write:
- Multiple peer reviews on all production code changes
- Several penetration tests per year
- Annual red team engagements
- Bug bounty program
- LLM review of changes and existing code
Vulnerabilities in Teleport's supply chain
Teleport employs several software composition analysis tools to surface known vulnerabilities in the open source packages we use within the product.
Container images
Our container images are rebuilt nightly to pull in security updates from upstream base images.
Software libraries
We use GitHub Dependabot and govulncheck to inventory known vulnerabilities in our software library dependencies.
On a nightly basis, we run govulncheck on the master branch and on the release branches for supported Teleport versions to identify known CVEs impacting our product. govulncheck does not raise vulnerabilities that are not reachable from our code.
Dependabot runs continuously on the master branch to identify a broader set of software libraries with known vulnerabilities regardless of whether they impact Teleport.
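The distinction drawn above, reachable findings from govulncheck versus the broader set from Dependabot, is visible in govulncheck's own `-json` output: every finding carries a `trace`, and the first trace entry names only the vulnerable module when the module is merely required, adds a `package` when it is imported, and adds a `function` when our code actually calls the vulnerable symbol. The script below is an added example, not Teleport's tooling, that triages such a stream into "called" and "not called" buckets. The advisory IDs, module paths and summaries in the embedded sample are constructed placeholders, not real advisories.

```python
"""Triage `govulncheck -json` output by reachability.

Added example, not Teleport's tooling. The govulncheck JSON stream is a
sequence of top-level objects keyed "config", "progress", "osv" or
"finding". Each finding's trace[0] is the vulnerable symbol's location:
  - module only            -> the module is required (go.mod) but not imported
  - module + package       -> the package is imported but the symbol not called
  - module + package + fn  -> our code reaches the vulnerable symbol
"""
import json

# Constructed stand-in for `govulncheck -json ./...`. IDs, module paths and
# summaries are placeholders, not real advisories.
SAMPLE_OUTPUT = """
{"config": {"protocol_version": "v1.0.0", "scanner_name": "govulncheck", "scan_level": "symbol"}}
{"progress": {"message": "Scanning your code and 2 packages across 2 dependent modules for known vulnerabilities..."}}
{"osv": {"id": "GO-0000-0001", "summary": "Placeholder: panic in tokenizer"}}
{"finding": {"osv": "GO-0000-0001", "fixed_version": "v1.2.3",
  "trace": [{"module": "example.com/parser", "version": "v1.2.0"}]}}
{"finding": {"osv": "GO-0000-0001", "fixed_version": "v1.2.3",
  "trace": [{"module": "example.com/parser", "version": "v1.2.0", "package": "example.com/parser/lex"}]}}
{"finding": {"osv": "GO-0000-0001", "fixed_version": "v1.2.3",
  "trace": [{"module": "example.com/parser", "version": "v1.2.0", "package": "example.com/parser/lex", "function": "Tokenize"},
            {"module": "example.com/ourapp", "package": "example.com/ourapp/cmd", "function": "main"}]}}
{"osv": {"id": "GO-0000-0002", "summary": "Placeholder: decompression bomb"}}
{"finding": {"osv": "GO-0000-0002", "fixed_version": "v0.9.1",
  "trace": [{"module": "example.com/compress", "version": "v0.9.0"}]}}
"""

LEVELS = ("required", "imported", "called")


def iter_messages(stream):
    """Yield each top-level JSON object from a concatenated stream.
    govulncheck pretty-prints objects across several lines, so splitting on
    newlines is unsafe; raw_decode walks the text one object at a time."""
    decoder = json.JSONDecoder()
    pos, end = 0, len(stream)
    while pos < end:
        while pos < end and stream[pos].isspace():
            pos += 1
        if pos >= end:
            break
        obj, pos = decoder.raw_decode(stream, pos)
        yield obj


def finding_level(finding):
    """0 = required, 1 = imported, 2 = called, judged from trace[0]."""
    top = finding["trace"][0]
    if "function" in top:
        return 2
    if "package" in top:
        return 1
    return 0


def triage(stream):
    """Collapse the per-level findings for each advisory into one record
    holding the highest reachability level seen and the called symbols."""
    summaries, records = {}, {}
    for msg in iter_messages(stream):
        if "osv" in msg:
            summaries[msg["osv"]["id"]] = msg["osv"].get("summary", "")
        elif "finding" in msg:
            f = msg["finding"]
            top = f["trace"][0]
            rec = records.setdefault(f["osv"], {
                "module": top["module"],
                "found_version": top.get("version", ""),
                "fixed_version": f.get("fixed_version", ""),
                "level": 0,
                "symbols": set(),
            })
            level = finding_level(f)
            rec["level"] = max(rec["level"], level)
            if level == 2:
                # Methods carry a "receiver"; plain functions do not.
                recv = top.get("receiver")
                name = f"{top['package']}.{recv + '.' if recv else ''}{top['function']}"
                rec["symbols"].add(name)
    for osv_id, rec in records.items():
        rec["status"] = LEVELS[rec["level"]]
        rec["summary"] = summaries.get(osv_id, "")
    return records


def partition(records):
    """Split advisory IDs into (reachable, not reachable), both sorted.
    Reachable ones are the findings govulncheck's text mode reports; the rest
    are what a dependency-level scanner such as Dependabot would also flag."""
    called = sorted(k for k, r in records.items() if r["level"] == 2)
    other = sorted(k for k, r in records.items() if r["level"] < 2)
    return called, other


if __name__ == "__main__":
    recs = triage(SAMPLE_OUTPUT)
    for osv_id, rec in sorted(recs.items()):
        print(f"{osv_id} {rec['status']:8} {rec['module']}@{rec['found_version']} "
              f"-> fix {rec['fixed_version']}  {sorted(rec['symbols'])}")
```

Feeding real output is `govulncheck -json ./... > out.json` and `triage(open("out.json").read())`; the "called" bucket is the set that actually impacts the binary, while the remainder is the noise that downstream scanners will still report.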
When these tools flag known vulnerabilities, we prioritize updating the affected dependencies promptly. Even when the issue does not impact Teleport, we address it in order to reduce the noise customers experience from their own scanners.
These updates are backported to supported release branches of Teleport as well.
SLAs
The timelines above reflect our typical procedures. We also maintain the following policy-level SLA commitments to patch vulnerabilities in both our code and our dependencies.
These timelines are based on the severity of the vulnerability, as determined by our team based on its impact on our product.
| Severity | Service Level Agreement |
|---|---|
| Critical | 30 days |
| High | 60 days |
| Medium and Low | At our discretion |
Exceptions
In some cases, vulnerabilities cannot be patched within our typical update cadence. This may be because a fix is not yet available, upstream maintainers have determined the CVE is not valid, or the fix breaks important functionality.
If Teleport's product is not impacted by the vulnerability, we will wait until an official patch can be applied safely.
If Teleport's product is impacted by the vulnerability, we will seek an alternative mitigation strategy, and may require additional time to implement it safely.