Pumba follows a rolling-release model. Security fixes are applied only to the latest released minor version on the master branch. Users are strongly encouraged to run a recent release.
| Version | Supported |
|---|---|
| latest release | ✅ |
| older releases | ❌ |
The current release is tracked in `VERSION` and on the Releases page.
Please do not report security vulnerabilities through public GitHub issues, discussions, or pull requests.
Report vulnerabilities privately using GitHub's private vulnerability reporting:
- Go to the repository's Security tab
- Click Report a vulnerability
- Fill out the advisory form with as much detail as possible
If you cannot use GitHub's reporting flow, contact the maintainer at alexei.led@gmail.com with the subject line `[pumba security]`. Encrypt sensitive details if needed. Please include the following in your report:
- Affected version(s) and environment (Docker / containerd version, OS, arch)
- Steps to reproduce, a proof-of-concept, or a minimal test case
- Observed and expected behavior
- Impact assessment (privilege escalation, container escape, DoS, information disclosure, etc.)
- Any known mitigations or workarounds
| Step | Target |
|---|---|
| Acknowledgement of report | within 7 days |
| Initial triage & severity | within 14 days |
| Fix or mitigation released | best effort, depending on severity and complexity |
This is a volunteer-maintained project; timelines are best-effort. You will be kept informed of progress.
- Reports are handled under coordinated disclosure
- A CVE will be requested for confirmed vulnerabilities with real-world impact
- A GitHub Security Advisory will be published once a fix is available
- Reporters will be credited in the advisory unless they prefer to remain anonymous
In scope:
- The `pumba` binary and source code under this repository
- The official container images published to `ghcr.io/alexei-led/pumba` and `gaiaadm/pumba`
- The helper images `pumba-alpine-nettools` and `pumba-debian-nettools`
- Example Kubernetes and OpenShift manifests under `deploy/`
Out of scope:
- Vulnerabilities in upstream dependencies (Docker Engine, containerd, `tc`/`iptables`, `stress-ng`): report those to their respective maintainers
- Misuse of Pumba against systems without authorization (Pumba is a chaos testing tool; destructive behavior is the point)
- Issues that require the attacker to already have root on the host or control of the Docker/containerd socket (these grant full control of the runtime regardless of Pumba)
- Example/demo scripts in `examples/` intended for local experimentation
Pumba interacts directly with the container runtime and requires privileged access. When deploying:
- Run Pumba only in non-production or controlled chaos-engineering environments
- Limit access to the Docker/containerd socket to trusted users
- Use `--label` filters to scope chaos to intended targets
- Pin container image tags to immutable digests (`@sha256:...`) in production-adjacent environments
- Review the deployment manifests before applying to any cluster
This repository uses:
- CodeQL (`security-extended`, `security-and-quality`) on every PR and weekly
- golangci-lint with `gosec` for static analysis
- GitHub Actions with least-privilege `permissions:` blocks
Thank you for helping keep Pumba and its users safe.