Overview

At n8n, protecting our product and users' data is a top priority. Our mission, to enable flexible AI automations, depends on trust.

The n8n Vulnerability Disclosure Program (VDP) provides a safe, formal channel for security researchers to report vulnerabilities. We partner with the community to identify and fix issues so our platform remains secure and reliable for the companies that depend on us.

We encourage responsible disclosure and appreciate the community’s help in keeping n8n safe. 🙏

Assets

This section lists systems, applications, and codebases in scope for the n8n Vulnerability Disclosure Program.

<aside> ⚠️

Any asset not explicitly listed here is out of scope.

</aside>

In-Scope Assets

We encourage security research on the following assets:

• n8n Cloud Platform: All applications and services running on our cloud infrastructure.
  • *.[n8n.cloud](<http://n8n.cloud>) - all cloud instances
  • creators.n8n.io - creators portal
  • app.n8n.cloud - cloud dashboard

Testing Self-Hosted Instances

For self-hosted vulnerabilities, conduct research on a local, self-managed instance running the latest version.

Testing Cloud Instances

To test authenticated Cloud functionality, please sign up for a free trial account on n8n Cloud. Do not use accounts that are not your own.

Out-of-Scope Assets

To avoid disruption to users, employees, and partners, the following are out of scope. We will not accept submissions related to these assets.

• Third-Party Services: Any service not hosted by n8n. This includes, but is not limited to:
  • Our helpdesk provider (e.g. Zammad)
  • Our payment processor (e.g. Paddle)
  • Our community forum (https://community.n8n.io/)
  • Any third-party integrations or services you connect to your n8n instance.
• Our main marketing and documentation websites:
  • https://n8n.io/
  • https://docs.n8n.io/
• Corporate Infrastructure: n8n's internal corporate IT systems, employee laptops, and office networks.