# Security Policy ## Scope This security policy applies to : - Crowdsec agent - Crowdsec Local API - Crowdsec bouncers **developed and maintained** by the Crowdsec team [1] Reports regarding developements of community members that are not part of the crowdsecurity organization will be thoroughly investigated nonetheless. [1] Projects developed and maintained by the Crowdsec team are under the **crowdsecurity** github organization. Bouncers developed by community members that are not part of the Crowdsec organization are explictely excluded. ## Reporting a Vulnerability We are extremely grateful to security researchers and users that report vulnerabilities regarding the Crowdsec project. All reports are thoroughly investigated by members of the Crowdsec organization. You can email the private [security@crowdsec.net](mailto:security@crowdsec.net) list with the security details and the details expected for [all Crowdsec bug reports](https://github.com/crowdsecurity/crowdsec/blob/master/.github/ISSUE_TEMPLATE/bug_report.md). You may encrypt your email to this list using the GPG key of the [Security team](https://doc.crowdsec.net/docs/next/contact_team). Encryption using GPG is NOT required to make a disclosure. ## When Should I Report a Vulnerability? - You think you discovered a potential security vulnerability in Crowdsec - You are unsure how a vulnerability affects Crowdsec - You think you discovered a vulnerability in another project that Crowdsec depends on For projects with their own vulnerability reporting and disclosure process, please report it directly there.