Datadog's Response to Vector Security Vulnerabilities (GHSA-rrfg-9487-mhp6, GHSA-qp6f-fpfx-4gg6, GHSA-6342-xwvw-c637)
Datadog Logo

Trust Center

Start your security review
View & download sensitive information
ControlK

Overview

Welcome to Datadog's Trust Center. Our commitment to data privacy and security is embedded in every part of our business. Use this Trust Center to learn about our security posture and request access to our security documentation.

Documents

Featured Documents

COMPLIANCEISO/IEC 27001
Knowledge Base (FAQ)
  • Do you maintain an approved Risk Management Policy?
  • Do you use firewalls?
  • Do you prohibit shared passwords?
  • Do you maintain an approved Media and Data Retention Policy?
  • Is the effectiveness of your company's security controls monitored by management?
View more

Risk Profile

We have secure, reliable hosting that customers can depend on. We are happy to provide details about our risk mitigation practices and recovery objectives upon request.

Trust Center Updates

Datadog's Response to Vector Security Vulnerabilities (GHSA-rrfg-9487-mhp6, GHSA-qp6f-fpfx-4gg6, GHSA-6342-xwvw-c637)

Copy link
Vulnerabilities

Summary

Datadog's security team was notified on June 18, 2026 of three vulnerabilities in Vector, the open-source data pipeline tool, reported by DeMarcus Campbell, Information Security at International Exchange, Inc. (ICE), through coordinated disclosure. Patches for all three issues are available in Vector v0.57.0, released on July 14, 2026. Our investigation found no evidence that these vulnerabilities were exploited in the wild or that any Datadog customer data was accessed or exfiltrated.

Advisory Details

GSHAAffected ComponentFixed In
GHSA-rrfg-9487-mhp6Vector logstash sourcev0.57.0
GHSA-qp6f-fpfx-4gg6Vector logstash sourcev0.57.0
GHSA-6342-xwvw-c637Vector file sink (template variables)v0.57.0

 

Full technical details, including CVSS scores and affected version ranges, are available in the GitHub Security Advisories linked above.

Timeline

  • June 18, 2026: Datadog notified of findings by International Exchange, Inc. (ICE).
  • June 18, 2026: Coordinated disclosure process initiated with Vector engineering team.
  • July 14, 2026: Patched version v0.57.0 was released; public advisory published July 14, 2026.

Vector is an open-source project and not a paid Datadog product; support is provided through public community channels (primarily GitHub Issues/Discussions), not Datadog Support.

If you have additional questions, reach out via your Customer Success Manager, Account Executive, or through Datadog Support.

Datadog's Response to Compromised AsyncAPI npm Packages

Incidents

We are aware of a supply chain attack in which four npm packages published by the AsyncAPI open source project, were compromised with malicious code on July 14, 2026:

  • @asyncapi/generator
  • @asyncapi/generator-helpers
  • @asyncapi/generator-components
  • @asyncapi/specs

Upon learning of this activity, Datadog's security team immediately investigated our potential exposure. As a result, we can confirm Datadog does not use any of the affected packages in our products or infrastructure. As an added precaution, we have blocked all known malicious versions of these packages, along with associated network infrastructure, across our internal systems.

For a detailed breakdown of the campaign and how you can assess impact in your own environment, refer to our Security Labs post.

If you have any further questions, our Support team is here to help.

Datadog's Response to Alert Notification Email Delivery Disruption

Incidents

What Happened

The domain dtdg.co (used to send certain Datadog notification emails, including Monitor Alerting notifications from alert@dtdg.co) was added to a small number of spam-reputation blocklists. This caused a subset of outbound emails from alert@dtdg.co to be silently rejected, dropped or marked as spam by recipient mail servers that consult these blocklists, without generating a bounce notification back to Datadog or to the sender.

This was an external deliverability issue, not a compromise of Datadog systems. We can confirm this incident did not involve unauthorized access to Datadog infrastructure, and no customer data was accessed or exposed as a result.

What Datadog Has Done To Address This Issue

Our team identified the root cause of dtdg.co being added to these blocklists. We engaged directly with the spam list providers to request delisting, and cleared the sending IPs that had been flagged. Email delivery from alert@dtdg.co has been restored, and we have validated that outbound notifications are again being delivered successfully.

Next Steps for Customers

  • Check your notification history within Datadog for the affected window (approximately July 7th–July 9th) to confirm whether expected alert@dtdg.co notifications were received

  • Confirm that dtdg.co is not independently blocklisted on your own mail infrastructure or spam-filtering tools, which could cause continued delivery issues on your end even though the upstream blocklisting has been resolved

  • Add dtdg.co as part of your allowlist within your mail infrastructure

    • Note–customers using EU or Govcloud sites should consider adding dtdg.eu and/or ddgov-gov.com to this allow list 
       
  • If email is your only configured notification channel for critical alerts, consider configuring a secondary notification channel (e.g., Slack, PagerDuty, webhook) as a resilience measure against future email-deliverability disruptions

Next Steps for Datadog

To reduce the risk of a similar disruption recurring, we have committed to the following near-term actions:

  • Adding protection mechanisms to our email/alerting systems and product, to reduce the risk of alert/notification emails from being dropped, silently rejected or marked as spam

  • Augmenting our email reputation monitoring infrastructure to more proactively detect if/when Datadog’s sending domains are still blocked

If you have any further questions, our Support team is here to help.

Datadog's Response to Phishing Emails Sent via Trial Accounts

Incidents

Datadog has identified a campaign where trial accounts were abused to send spam and phishing emails in breach of our Terms of Service. The accounts responsible have been terminated, and we have implemented controls to block monitor notifications from being sent to recipients outside the sending organization. We will continue to detect and respond to further attempts and are actively refining our controls to prevent unauthorized activity.

No Datadog customer data was exposed and no action is needed on your end.

If you received one of these emails, please disregard and delete it. Do not interact with any links it contains. If you clicked a link or took any action, we recommend reporting it to your organization's IT or security team.

FedRAMP® High Certification

Compliance

We're pleased to announce that Datadog for Government has achieved FedRAMP High certification, the U.S. federal government's most rigorous authorization for cloud service providers handling sensitive, unclassified data.

For details on what this means for your organization and our ongoing commitment to trust and accountability, please see our press release and blog post.

Built onSafeBase by Drata Logo