The project maintainers take security seriously. If you discover a security issue, please bring it to their attention right away!

Please DO NOT file a public issue, instead send your report privately to security@docker.com.

Explanation of BuildKit security boundary and what we consider a security issue can be found in here. If you are unsure if you have found a security issue, it is always better to check privately first.

Security reports are greatly appreciated, and we will publicly thank you for it (if you want to). We also like to send gifts—if you're into schwag, make sure to let us know. We currently do not offer a paid security bounty program, but are not ruling it out in the future.