Pulumi Security

Pulumi takes security and privacy matters very seriously. We appreciate that our customers and users place a high degree of confidence and trust in our products and services and we strive to meet those expectations.

Pulumi Service Security

Pulumi Service, our managed service for using Pulumi open source, is multi-tenanted and runs within an AWS Virtual Private Cloud (VPC), whose only Internet-addressable endpoints are https://api.pulumi.com or https://app.pulumi.com. All communications between Pulumi clients and the server are encrypted using TLS. Pulumi is SOC 2 Type II certified.

For more details on Pulumi’s product architecture and security practices, please read our security whitepaper (last updated October 24, 2022).

Vulnerability Reporting

If you believe you’ve discovered a potential vulnerability in Pulumi’s security, please contact us at [email protected]. For non-critical matters please file an issue with Pulumi support.

When reporting a potential vulnerability, please include as much of the following information as possible.

A description of the vulnerability
The impacted software or service and its version
Proof-of-concept code and/or detailed steps to reproduce

Secure Communications

If you’re a security researcher and you believe that you have found a security issue within any of our services, email the details of your findings to [email protected]. Use PGP to protect the message by using our public PGP key.

Public Notifications

Public security notifications are posted in the #announcements channel of the Pulumi Community on Slack.

Learn more

Download our whitepaper to learn more about our product architecture and security practices.

Download Whitepaper

Talk to a human

Have questions about Pulumi? We're happy to help.

Talk to a human