Responsible Disclosure
We value the security community and prioritize the security of our systems. We encourage the responsible disclosure of security vulnerabilities to help us protect the security and privacy of our users and customers.
Reporting a Vulnerability
If you believe you have found a security vulnerability in Langfuse, please send an actionable vulnerability report to [email protected].
Please include the following details in your report:
- A clear description of the vulnerability, including its potential impact.
- Steps to reproduce the vulnerability, including any specific configurations or conditions required.
- Any proof-of-concept code, scripts, or screenshots that demonstrate the vulnerability.
We will acknowledge receipt of your report, typically within 2 business days, and will work with you to understand and resolve the issue.
Our Commitment
- We will investigate reported vulnerabilities promptly.
- We will keep you informed of our progress.
- We will take appropriate steps to remediate confirmed vulnerabilities.
- We will publicly acknowledge your contribution if you wish, once the vulnerability is fixed.
Bug Bounty Program
Please note that we currently do not operate a formal bug bounty program with monetary rewards.
Hall of Fame
We appreciate the efforts of security researchers who help keep Langfuse secure. The following individuals have responsibly disclosed vulnerabilities that led to improvements:
| Reported by | PR with fix | Description |
|---|---|---|
| Ather Iqbal | #4434 | Password complexity + block links in user name |
Contact
For all security-related inquiries, including vulnerability disclosures, please contact [email protected].