Kong Security Update Process
Once a report is received, we will investigate the vulnerability and assign it a CVSS score, which determines the timeline for developing an appropriate fix.
Fix Development Process
If a discovered vulnerability with a CVSS score above 4.0 (medium severity or higher) affects the latest major release of the Kong gateway or other Kong software, then we will work to develop a fix in the most timely fashion. The work and communication around the fix will happen in private channels, and a delivery estimate will be given to the vulnerability reporter. Once the fix is developed and verified, a new patch version will be released by Kong for each supported Kong Gateway release and for the current release of the open source gateway. We will disclose the vulnerability as appropriate.
Vulnerabilities affecting upstream projects (e.g. NGINX, OpenResty, OpenSSL…) will receive fixes as per the upstream project’s disclosure timeline.