The Jenkins project takes security seriously and makes every possible effort to ensure users can adequately secure their automation infrastructure. Under the guidance of the Jenkins Security Officer, Jenkins 2.0 (and higher) includes more secure defaults than previous releases of Jenkins.
Additionally, the Jenkins Security Officer, with help from members of Jenkins CERT, works with security researchers, plugin developers and core developers to release security fixes and advisories for plugins and core in a timely manner.
From time to time, we issue a security advisory to report security problems in Jenkins. You can receive notifications for such advisories in one of the following ways:
jenkinsci-advisories@googlegroups.com (read-only) mailing list (list archive)
An archive of past security advisories can be seen in the jenkinsci-advisories mailing list and in the security advisories list on this wiki page.
If you find a vulnerability in Jenkins, please report it in the issue tracker under the SECURITY project. This project is configured in such a way that only the reporter and the core Jenkins developers can see the details.
By restricting access to this potentially sensitive information, we can work on the problem and deliver the fix before the method of attack becomes well known.
For information on what makes a good report in general, see this Issue Tracking page.
If you are unwilling or unable to file an issue directly, please email your disclosure to the Jenkins CERT mailing list: jenkinsci-cert@googlegroups.com.