# Security Policy

## Supported Versions

See [RabbitMQ Release Series](https://www.rabbitmq.com/versions.html) for a list of currently supported
versions.

Vulnerabilities reported for versions out of support will not be investigated.


## Reporting a Vulnerability

Please responsibly disclosure vulnerabilities to `security@rabbitmq.com` and include the following information:

 * RabbitMQ and Erlang versions used
 * Operating system used
 * A set of steps to reproduce the observed behavior
 * An archive produced by [rabbitmq-collect-env](https://github.com/rabbitmq/support-tools/blob/main/scripts/rabbitmq-collect-env)
 
 RabbitMQ core team will get back to you after we have triaged the issue. If there's no sufficient reproduction
 information available, we won't be able to act on the report.
 
 RabbitMQ core team does not have a security vulnerability bounty programme at this time.