KrakenD takes cybersecurity seriously.
KrakenD’s Security and Privacy teams establish policies and controls, monitor compliance with those controls, and prove our security and compliance to third-party auditors.
We drive our company and craft our software without taking shortcuts, making it solid and reliable and free of practices that might introduce future security problems.
Our policies are designed to ensure:
Infrastructure security
We implement strict security measures to protect our infrastructure and ensure system integrity. Our practices include enforced unique authentication, access restrictions, real-time monitoring, and network security.
In addition, KrakenD does not offer any online application to users, reducing the attack surface.
Product security
Our software is secure by design. Zero-trust design is the foundational philosophy of the software we build. From blocking unauthorized access to rejecting untrusted traffic by default, or even not logging sensitive data, KrakenD ensures a minimal attack surface by enforcing strict controls over headers, parameters, and tokens.
KrakenD’s stateless architecture is a fundamental differentiator: there is no persistent state or centralized database, which eliminates coordination vulnerabilities and simplifies multi-region deployments. All configuration is declarative and immutable, enabling full reproducibility and auditability via GitOps practices.
KrakenD aligns with OWASP best practices and protects against common attack vectors including XSS, CSRF, clickjacking, MIME sniffing, and more. Built-in capabilities such as token validation, API key authentication, header manipulation, circuit breaking, IP filtering, and traffic rate-limiting further enhance security posture.
All releases undergo internal security validation. Our build pipeline ensures only signed, verified code is published, and release artifacts are integrity-checked. Every single commit is tested for vulnerabilities using multiple third-party tools. All commits are subject to additional peer review.
KrakenD is a CVE Numbering Authority (CNA)
KrakenD is also recognized as a CVE Numbering Authority (CNA) for software distribution and open-source projects; you can find us in the CVE Partners List.
We are partnering with the CVE Program to assign CVE IDs and publish CVE Records publicly for vulnerabilities within any KrakenD software or the Lura Project (© the Linux Foundation), so we:
- Demonstrate mature vulnerability management practices and a commitment to cybersecurity to customers and open-source users.
- Communicate value-added vulnerability information to our user base.
- Assign public CVE IDs.
- Streamline vulnerability disclosure processes.
How do we apply fixes
When you report a new vulnerability, KrakenD investigates the issue and tries to reproduce it. Sometimes there are vulnerabilities in external open-source libraries we use. These vulnerabilities do not necessarily transfer to KrakenD, as most of the time we use only a limited subset of their functionality, so each case has to be analyzed individually. We do not have a policy of updating to the latest versions of these libraries if there is no reason to do so.
Once the vulnerability is confirmed, KrakenD creates a new CVE ID that is not disclosed publicly until there is a fix for it.
We apply the fix to the latest version and publish it as a new release of the software. We do not patch prior versions, although some KrakenD Enterprise customers could have justified exceptions to this rule.
Once the software is corrected, we publish the new release and announce it through several channels: Security Advisories, GitHub release (open source only), Newsletter (see at the bottom of this page), and optionally social media.
How to report a vulnerability
If you are an existing KrakenD customer or partner, please submit a support ticket or contact KrakenD through any Enterprise channels explaining your findings.
If you are not a customer, please email [email protected] with your discovery.
As soon as we read and understand your finding we will provide an answer with next steps and possible timelines.
Credits and rewards
We want to thank you in advance for the time you have spent following this issue, as it helps all users. We develop our software in the open with the help of a global community of developers and contributors with whom we share a common understanding and trust in the free exchange of knowledge.
KrakenD’s policy is to credit and reward all researchers provided they follow responsible disclosure practices:
- They do not publish the vulnerability prior to KrakenD releasing a fix for it.
- They do not divulge exact details of the issue, for example, through exploits or proof-of-concept code.
- KrakenD does not credit employees of KrakenD for vulnerabilities they have found.
Current rewards could include (but are not limited to):
- Addition of the researcher (full name or alias) to the CVE ID.
- Public acknowledgement in release notes when a fix for the reported security bug is issued.
- Addition to the KrakenD Contributors GitHub organization.
- Opportunity to meet with our technical staff.
- KrakenD swag.
KrakenD DOES NOT provide cash awards for discovered vulnerabilities at this time.
Organizational security
KrakenD follows a security-first development culture and enforces internal protocols to safeguard systems and customer data. All customer data is processed with strict isolation, and our internal systems adhere to a minimal access policy with enforced multi-factor authentication and role-based access control.
Internal security procedures
We operate under a principle of least privilege, with infrastructure access tightly controlled and monitored. Employee devices follow strict security baselines and run MDM software. We regularly audit access to infrastructure and code repositories. Our developers follow secure coding practices aligned with OWASP recommendations, and security reviews are part of every product release cycle.
Data and privacy safeguard
KrakenD does not store, log, or retain customer traffic or API data; this is a fundamental design decision. All data and traffic are hosted and run by our customers, and KrakenD employees do not have access to them. In addition, our stateless architecture inherently minimizes risk exposure for customers. For Enterprise customers, additional security features such as mutual TLS (mTLS), FIPS compliance, and integration with multiple identity providers ensure regulatory compliance and robust data protection aligned with GDPR and other standards.