> ## Documentation Index > Fetch the complete documentation index at: https://www.activepieces.com/docs/llms.txt > Use this file to discover all available pages before exploring further. # Security Advisory Response > Internal lifecycle for handling security reports from intake to public disclosure A security advisory is the public artifact we publish after a vulnerability is reported and fixed. This playbook is the lifecycle that produces one. Reporter-facing policy lives in [SECURITY.md](https://github.com/activepieces/activepieces/blob/main/SECURITY.md). ## Triage Reproduce locally before scoring. If it doesn't reproduce, ask the reporter for clarification. Compare against the **Out of scope** list in [SECURITY.md](https://github.com/activepieces/activepieces/blob/main/SECURITY.md). If out of scope, reply with the reason and close. Use the [FIRST calculator](https://www.first.org/cvss/calculator/4-0). Record the score and vector. \ Buckets: 0.1–3.9 low, 4.0–6.9 medium, 7.0–8.9 high, 9.0–10 critical. Reply to the reporter with severity, expected resolution date, and a confidentiality reminder. Clock starts at the report timestamp. ## Private fix Repo → **Security** → **Advisories** → **New draft security advisory**. \ Set affected versions, severity, and a neutral summary. \ Save as draft. You'll fill the rest of the metadata in [Draft advisory](#draft-advisory) later. From the draft advisory, click **Start a temporary private fork**. \ Fix on a `security/` branch inside it. Run `npm run lint-dev`, `npm run test-unit`, `npm run test-api`. \ Add a regression test. Merge the PR inside the private fork. A public PR or push collapses the embargo. Double-check the remote URL before pushing. ## Draft advisory In the draft advisory: **CVE ID** → **Request CVE**. GitHub assigns one within \~1 business day. Fields must match the in-app `SecurityAdvisory` shape: `summary`, `description`, `severity`, `cvssScore`, `vulnerableVersionRange` (e.g. `< 0.71.1`), `patchedVersion`. Use the [advisory body template](#advisory-body-template) for the `description`. Default 60 days. Hold publication until the patch is on cloud production and customers have been notified. Publish sooner if actively exploited or the reporter has set an earlier date. ## Patch release Always a patch bump (e.g. `0.71.0` → `0.71.1`). Never bundle with feature commits. Follow the cloud-hotfix flow in [Releases](/handbook/engineering/playbooks/releases): `deploy/cloud/YYYY-MM-DD` branch, then trigger `continuous-delivery-cloud.yml` with `cloud-hotfix`. Patch-bump root [package.json](https://github.com/activepieces/activepieces/blob/main/package.json). Bump `packages/shared` if touched. If the fix has a migration, set `release = ''` per [Database Migrations](/handbook/engineering/playbooks/database-migration). Wait for canary to confirm before promoting to production. Draft (don't post yet) for [docs/about/changelog.mdx](https://github.com/activepieces/activepieces/blob/main/docs/about/changelog.mdx): ```mdx theme={null} ### Security Fixed (, ). Upgrade to immediately. ``` ## Customer disclosure 7-day lead time before public publication. Patched version must already be on cloud production before sending. ``` Subject: [Security] Activepieces advisory — patched in Cloud customers are already protected — the fix was deployed on . Self-managed customers should upgrade to before , when we'll publish CVE on GitHub. Mitigation if you cannot upgrade: ``` Re-confirm the disclosure date with the reporter before sending. ## Public publication In the draft advisory, click **Publish advisory**. This makes the CVE public. Confirm the new advisory appears on the platform health page (`/platform/infrastructure/health`). Source feeds cache for 15 minutes, so allow that delay before troubleshooting. Commit the changelog entry drafted in [Patch release](#patch-release). ## Postmortem Required for high/critical, optional for medium, skip for low. Create `docs/handbook/engineering/postmortems/YYYY-MM-DD-.mdx` using the existing structure (see [2026-03-19 Redis and delay overload](/handbook/engineering/postmortems/2026-03-19-redis-and-delay-overload)). ## References * [SECURITY.md](https://github.com/activepieces/activepieces/blob/main/SECURITY.md) * [GitHub Security Advisories docs](https://docs.github.com/en/code-security/security-advisories) * [FIRST CVSS 4.0 calculator](https://www.first.org/cvss/calculator/4-0) ## Advisory body template ```markdown theme={null} ## Summary One paragraph plain-language explanation of the vulnerability — what it is, no exploit detail. ## Impact What an attacker can achieve, what data or systems are at risk, and which versions and configurations are affected. ## Patches The patched version and how to upgrade. ## Workarounds Mitigations available to users who cannot upgrade immediately, or note that the only safe option is to upgrade. ## References The fix commit (visible after publication), related CVEs or upstream advisories, and reporter credit. ```