We always recommend using the latest version of Tracecat to ensure you get all security updates.
The following security features are available in Tracecat open source:
- SAML SSO
- Audit logs
- Workspaces to isolate resources
- nsjail sandbox or pid runtime for isolated code and agent execution
Note: nsjail is the recommended executor runtime for production deployments. We do not accept reports of sandbox "breakouts" from the pid runtime, which uses the UnsafePidExecutor.
nsjail is enabled by default for Helm chart / Kubernetes deployments only and must be explicitly enabled in other deployment options.
If you are a security researcher and have discovered a vulnerability, please follow the steps below:
- Open a new security advisory in GitHub.
- Our security team will get back to you as soon as possible.
- We will review the vulnerability and determine if it is a valid security issue.
- If it is a valid security issue, we will work with you to reproduce and fix it.
All reports are reviewed within 24 hours. The timeline for a fix depends on the severity of the vulnerability. As part of responsible disclosure, please report any security problems to us before disclosing them publicly.
Bounties and exclusive Tracecat merch may be offered depending on the severity of the vulnerability.