See RabbitMQ Release Series for a list of currently supported versions.

Vulnerabilities reported for versions out of support will not be investigated.

Please responsibly disclosure vulnerabilities to security@rabbitmq.com and include the following information:

• RabbitMQ and Erlang versions used
• Operating system used
• A set of steps to reproduce the observed behavior
• An archive produced by rabbitmq-collect-env

RabbitMQ core team will get back to you after we have triaged the issue. If there's no sufficient reproduction information available, we won't be able to act on the report.

RabbitMQ core team does not have a security vulnerability bounty programme at this time.