Where to report GitHub Actions workflow security findings?

Hi Community Members,

I’ve been reviewing the GitHub Actions workflows in this repository
and identified some potential security concerns.

Before submitting, I want to confirm the correct channel. Your VDP
at Report a vulnerability lists in-scope assets as
*.n8n.cloud and app.n8n.cloud — but my findings relate to the
GitHub Actions workflow files in this repository.

Could you clarify:

  1. Are GitHub Actions workflow security issues in scope for your VDP?
  2. Should I submit via Report a vulnerability or GitHub
    private security advisories?

I have not disclosed any details publicly and will wait for your
guidance before submitting anything.

Thanks,

1 Like

Hi @amadhan882, welcome!
For information, you should reach out to [email protected]; they will be able to clarify this more clearly. n8n also maintains its vulnerability program here:
Security Advisories · n8n-io/n8n · GitHub

But I would really say that [email protected] is the place where you should feel free to disclose the things you find that could be a potential risk.

1 Like