At Chef we take security seriously. Whether it is the code we write, the software we use or the platform we provide, security is always extremely important. We know that you rely on Chef to help grow and manage the critical moving pieces of your business, and we are committed to protecting your investment.


Security Policy

Chef is a company built on community and trust. We firmly believe that transparency and honesty are the only ways to build and maintain that trust. At Chef, we promise to disclose all relevant information in the event of a security incident, however our first directive is to keep our customers secure and operational. In the event that disclosure may increase the risk to our customers, we ask for sufficient time to resolve the vulnerability before sharing the information.

Another aspect of community is the goal of contributing to the health of the group as a whole. Any individual or group that discovers and subsequently notifies Chef, of a current or potential issue, is fully credited for their contribution (unless requested otherwise).

View our security notices

Need to report a security bug/vulnerability?

Found something that should be brought to the attention of Chef? You can submit your findings to

We will respond to your query within one (1) business day. If you have not received a response, please ensure that any communication from Chef is not in junk-mail or spam-filters. If you ever feel we are not communicating in a timely fashion, please consider posting your question or concern on the Chef Mailing List.

Note: The Chef Mailing List is a public list, accessible to anyone that wishes to join. Please do not discuss sensitive information in your posting, rather, say that you are attempting to get feedback from the Chef Security Team.

How do I track my submission? What is the process?

Upon submission of an issue, it will be evaluated and reproduced to validate the bug. You will receive a response notifying you that we are working on the issue, and will get back to you shortly. The vulnerability will be categorized, ranked and prioritized. At that time you will receive a follow up email with the expected resolution time. A blog post will be created crediting the submitter (unless requested otherwise), and a link to the blog post will be archived on this page.