Security Reporting

Reporting a Security Issue

If you believe you have discovered a security issue within a Directus product or service, please open a new private security vulnerability report through GitHub. Alternatively, reach out to us directly over email: security@directus.io. We will then open a GitHub security advisory for tracking the fix on your behalf.

Directus values the members of the independent security research community who find security vulnerabilities and work with our team so that proper fixes can be issued to users. Our policy is to credit all researchers in the fix's release notes. In order to receive credit, security researchers must follow responsible disclosure practices, including:

• They do not publish the vulnerability prior to the Directus team releasing a fix for it
• They do not divulge exact details of the issue, for example, through exploits or proof-of-concepts

You can learn more about how we approach security and compliance at Directus here.

Approach to Vulnerability Management

Directus takes a proactive approach to security by continuously monitoring for vulnerabilities using automated tools as part of our engineering pipelines. We are committed to addressing all High and Critical severity vulnerabilities that directly affect Directus. Our priority is to resolve vulnerabilities that impact Directus itself immediately, with fixes posted to the Security tab on GitHub after release.

For third-party package vulnerabilities that do not cause any vulnerability in Directus itself, we evaluate these on a case-by-case basis and address them during our regular dependency update cycles. We also work to resolve Medium and Low severity issues when they represent minimal effort to fix. This focused approach ensures we allocate our security resources effectively while maintaining the highest standards of protection for our users.