Does Caddy team pay attention to vulnerabilities and exploits reported at Vulmon

My friend and I were comparing Caddy to Nginx in terms of available vulnerabilities and exploits as reported at Vulmon.

Caddy:
https://www.vulmon.com/searchpage?q=caddy&sortby=byrelevance

It seems that the most recent one was just one minor version ago (2.5.2 is the current version as of creating this topic):

My topic here is to get some “official” policy, if I can say so, regarding such openly reported and discoverable reports. I just wanted to find out if they are on your radar and how much priority you give to those.

For reference, my friend refused to even try Caddy after comparing it to Nginx in that database - he said he’d prefer to wait till Caddy is more mature in terms of security and there are no recent vulnerabilities reported. This got me curious and hence the topic.

That CVE is bogus and has been contested/rejected:

I wish people would do more thorough research.


Okay, makes sense. Nonetheless, the question stays unanswered.

We give valid security reports the highest priority. Simpler and more severe vulnerabilities are patched first.

(You don’t hear about it much because there aren’t many of them.)

I see. Thank you for clarifying. I checked in the changelog and could not see detailed info about it, hence asking.
