Pulumi Security

Pulumi takes security and privacy matters very seriously. We appreciate that our customers and users place a high degree of confidence and trust in our products and services and we strive to meet those expectations.

Pulumi Service Security

Pulumi Service, our managed service for using Pulumi open source, is multi-tenanted and runs within an AWS Virtual Private Cloud (VPC), whose only Internet-addressable endpoints are https://api.pulumi.com or https://app.pulumi.com. All communications between Pulumi clients and the server are encrypted using TLS. Pulumi is SOC 2 Type II certified.

For more details on Pulumi’s product architecture and security practices, please read our security whitepaper (last updated October 24, 2022).

Vulnerability Reporting

If you believe you’ve discovered a potential vulnerability in Pulumi’s security, please contact us at [email protected]. For non-critical matters please file an issue with Pulumi support.

When reporting a potential vulnerability, please include as much of the following information as possible.

Secure Communications

If you’re a security researcher and you believe that you have found a security issue within any of our services, email the details of your findings to [email protected]. Use PGP to protect the message by using our public PGP key.

-----BEGIN PGP PUBLIC KEY BLOCK-----

mQINBF16mUgBEADCPyLVKy1pv0cFI6YWfMeRHZG1PmTQSs8g/roqoD+ESETLqBQ3
q8HW1v0yJqYhbTuZjox39+e47/0LJhBE0GXwCER6xASw7sqGlZ2wzmrS0SYKXyS8
ilzKcQmhM6wOLf/AzK+caWjdtm0netvhoeB8DYtJxxcMZwlT+iHVjqh1YOIRnAAl
o44LXuxRUqIz89M8eplRmHNi4BpvAjLbnR4Jg+D1up19K5K793dI15zAf5msEUmS
2KQ4OON8ZvNkdkOcd+hMKk5yclAicfHL9ocKF9V2Tm7xzKP+xQBN9QMHvcVJ3XLj
HbR/cICWkur9lmr5pQkLUF44aN891d+8j2uIgMHIyv7dz3cae6tWP5L/qZyaBUKG
W2Af4+ef8ybUVRIJdjchsANNdGF4lVz7VtUdcrsPhJ/O6NmS+3zb26Mk2OnG455P
uBdtdRVVaHsoLgJ69O2sSBYYKAQbRZtAXxvzVyX0lajOy/iUSR7icdlzI9n9c0Gh
F/2cflOf4CWX81r0R/z2ntF/npuFYgJYKQIejEkDprCWXlkifKgV1jDkQfqqpdTq
CFafqwVhpuH0nPaAItaRWyhig/rDkBKaEo1c6bQpmtiUtSAysi2wLKl+Fcs3H6QG
58/QogfQxcA0SDICGdKeT3dk/5U6qPCvJU/bZBEHJk0wzQ3IqocM9JFU1wARAQAB
tB1QdWx1bWkgVGVhbSA8dGVhbUBwdWx1bWkuY29tPokCVAQTAQgAPhYhBMu4nB58
v6pZbLnlFlR1Bin0/5VZBQJdeplIAhsDBQkHhh+ABQsJCAcCBhUKCQgLAgQWAgMB
Ah4BAheAAAoJEFR1Bin0/5VZMGQP/35Ty7CKBon3exbgrWforVxnVRszkN02A9N8
H8mV+Y0SniaKvN5MCLTMtQWDmvfsIZNBvdH+EnnL4554R7ApJNMp6EzTMkHrpQby
x+6M6rk0x/tdVEI6aQmjUIXWWY9O6nJ3BcHGg5kVQc5qXFeFdOT+KNVgiUt9MzxM
Eupik9/UNtkJ9hgMAV3ZwmHopO91X6uYTiX+fxpaH24wIRon9NmlVzsb6CYbq2N3
ShRJ0l4/HkiA4CqtWykWCGF0UtySOYvRTAvkNS/rXu4ZETfux8HZ2pneB9+D+3Wu
ej4NH2lsNdL1VdiZm8AJkWsLhONsC0b6X9iymsEfexOpaTksouQOudzq1ghv0LMI
XS85H7TIdm5OQ3g3ew3JwUGyOM1jhAvIGCiBbl1c6RG43Wir+ceSgCZlc0N0NX1B
zcU7OidYGKTf3HWMYIvuM+NZUcoBZ/1ejQlKgKe5gRyq5yYz4jblWJFW+HQO0zgT
qr4vymZcm2HMz80BI2o424xP63ofctsVkGmLoXvN0H+ZacDn4Q/C8d0cJAPgryTa
gCPdnxfxuFQw44Mk0hYYCPLK8moEsZtOw0UGLzWvk8dM5zFRHdTxOdzO9rrZEkqm
tDTj8Ycxo2rkuMU8HyTaUHZY6QFbjGMJ0m6Mh7uO/4jLyXBiKwc1dv3Nr31lG4hp
4akixk7WuQINBF16mUgBEACq2Z/3L87QiiIWbBgvSb14phznDwSWMZ9HPduimamV
paS7te1spxsavyV3xBoMYcD/fxcM/tEJotF2OP5H6kWe0PDyNbYkv4cb4hoN2b78
JlKCD40PHg8ZsoUFywmWxRl3Uer5lcaqACysxcSALyr7ryhTbjaLr6s4OZjAgNTW
orsD8TSyk4czeEJsYqV8Au+sU+zZpQmz3IzA43fUfdy47c0aQLqiSuj1ymTpJGeN
4tuxicT0eQEiO68ySMVAfuOAJzYIcTTiasN+YS6nwe8l84iwv8bSA9aAntAjasl6
UYz2YwodZRX3thWcNh1jwlS9naPA87pfy5azcjyPstqcu/KgDCvVJa2OAxdKTQOS
NbFY/GNxUCVBSEJUAMuO/danNOTQsR+FWCsfbZegazdDUTjAsNZdWgZ4DIBNcErX
WlaY3JNjLc8dNVTMdsxpHu8J4cTEQpxXDdpxXe7DMg1QtjaBNHTMbGMweuCypPOt
J96Il8SI37XBlfxAoehZHJVDABTfg5ieCmXhlfmHez7Ow5J6wI9RlNydLTa+THIk
9xJG6InlZNWFfSAx4QLsOgTeoLMjEdF6MiOuV6Iipf6nt56uJohuFHzE/NAs1+pP
Vts5rIHnnG4OOAg7X9ZzUZY6RFXrjZn5om6dhhL6KTDm+TBF+xbJZ1cGmOWZnfEl
jwARAQABiQI8BBgBCAAmFiEEy7icHny/qllsueUWVHUGKfT/lVkFAl16mUgCGwwF
CQeGH4AACgkQVHUGKfT/lVnY2A/7Btm4qKmwwpFKV683+WsTYs4P++SxO8kO7L53
xYqqEzPLSqKS1YAnTivkYREe6A/8B6v3rDH4/btg0PLZ8qJIesH55NViTKD/9OC9
S8j87/FHh3AQP2PFBR7zMO8ny6MBZLZ7PPYzyl92RlScGA8KC/D5N4X+ULrpihxM
y1xmRd7hkih5JRL3kBvxIso8LWDBhzh/FjWQJuVV7ZGYETi7Nksq2tzwne50nVqS
/EBojCQF8yCjIEs8NPdha1aGcNiwtasbWOARvN77PukgIdMa7WoG0cTEbpDGVMtB
uLyZ51xGjIa3gCxBfCg9ktMYOGa5fu5BIi9BJrFaLd4eXIoQq60h4P3zMexu0sfh
aVg5btUTy/Ufe/zVQkl/TwFRWmpcORPcB4upuFuB39GOhD+De4UCVWvRvoIww+IM
aS4oYmsrS83MnTI4kN3+xEiRJaXF4Y4LB4VwJDArZiz00aDiJQJpH94VvZbKgWSX
qd1vZIcFE7Vh0Mvx9KSyyhSx5AOO43UXC1GlG7lTvZN70yqFukcMPKjWgC6MjAQm
Ska9hJu+9cKvItwYz2D5sacdA+3KJTI8MY8kgXDgQjVt3Rs1AoQ3ftd1UsWIfwQ5
5MkOj4N82OHZHDs3r545Kp7Wrs2ubyq87OBg0C2x8zIncaSWtSkPT/GQGy1nvF4b
8KpnpD4=
=+A0k
-----END PGP PUBLIC KEY BLOCK-----

Public Notifications

Public security notifications are posted in the #announcements channel of the Pulumi Community on Slack.

Learn more

Download our whitepaper to learn more about our product architecture and security practices.

Download Whitepaper

Talk to a human

Have questions about Pulumi? We're happy to help.

Talk to a human