Overview
Security is a top priority at n8n. Our Vulnerability Disclosure Program (VDP) gives researchers a safe, formal channel to report issues so we can keep the platform secure and reliable for the companies who depend on it.
Assets
This section lists assets in scope for the VDP. Any asset not listed here is out of scope.
In-scope assets
We encourage security research on the following assets:
- n8n Cloud Platform: All applications and services running on our cloud infrastructure.
  - *.n8n.cloud
  - creators.n8n.io
  - app.n8n.cloud
Testing guidelines
- Self-hosted: Use a local, up‑to‑date self‑managed instance for self‑hosted findings.
- Cloud: Create your own trial account on n8n Cloud. Do not test with accounts you do not own. Sign up here: app.n8n.cloud
Out of scope
To avoid disruption to users, employees, and partners, these are out of scope:
- Third‑party services not hosted by n8n, including the helpdesk (e.g., Zammad), payment processor (e.g., Paddle), our community forum (https://community.n8n.io/), and any third‑party integrations you connect to your instance.
- Marketing and documentation sites: https://n8n.io/ and https://docs.n8n.io/.
- Corporate IT infrastructure: Internal corporate systems, employee devices, and office networks.
- Social profiles and publishing platforms (e.g., Twitter, LinkedIn, YouTube).
Rules of engagement
By participating, you agree to these terms.
✅ Our expectations