TrueNAS Security Advisories

iXsystems monitors TrueNAS and TrueCommand products for potential security vulnerabilities. Identified vulnerabilities are analyzed for exposure in iXsystems’ products. Each identified vulnerability assesses the exposure level to TrueNAS or TrueCommand and the vulnerability is assigned an iXsystems security rating. Security rating definitions and general iXsystems policies related to these ratings are described in iXsystems vulnerability definitions.

iXsystems recommends that all systems installed with TrueNAS or TrueNAS-related products are configured consistent with the security best practices guide available from the TrueNAS Documentation Hub.

Reporting Previously Unknown Vulnerabilities (Click to expand)

To report previously unknown vulnerabilities, create an iXsystems Jira account and open a new iX Security Disclosure. Include this information:

CVE number (when applicable)
Impacted product or software component
Software version
Vulnerability description and its location
Steps to reproduce the vulnerability
Proof-of-concept exploit code (when available)
Contact information for investigation follow-up and recognition

Tickets are confidential between the reporter and the iXsystems Security Team.

iXsystems acknowledges receipt of reported vulnerabilities and contacts the reporter to discuss the resolution plan, according to the vulnerability severity and impact. iXsystems does not currently support a monetary bug bounty program. However, public acknowledgement of researchers adhering to this policy is available. iXsystems supports the creation of new CVE entries for our products for unique and un-remediated vulnerabilities.

Published Advisories

Click a product card at the bottom of the page to see the latest published advisories, iXsystems’ responses, archived advisories, and any special security notices that are relevant to that product.