- Do you maintain an approved Risk Management Policy?
- Do you use firewalls?
- Do you prohibit shared passwords?
- Do you maintain an approved Media and Data Retention Policy?
- Is the effectiveness of your company's security controls monitored by management?
Risk Profile
We have secure, reliable hosting that customers can depend on. We are happy to provide details about our risk mitigation practices and recovery objectives upon request.
Trust Center Updates
Datadog's Response to Vector Security Vulnerabilities (GHSA-rrfg-9487-mhp6, GHSA-qp6f-fpfx-4gg6, GHSA-6342-xwvw-c637)
Summary
Datadog's security team was notified on June 18, 2026 of three vulnerabilities in Vector, the open-source data pipeline tool, reported by DeMarcus Campbell, Information Security at International Exchange, Inc. (ICE), through coordinated disclosure. Patches for all three issues are available in Vector v0.57.0, released on July 14, 2026. Our investigation found no evidence that these vulnerabilities were exploited in the wild or that any Datadog customer data was accessed or exfiltrated.
Advisory Details
| GSHA | Affected Component | Fixed In |
|---|---|---|
| GHSA-rrfg-9487-mhp6 | Vector logstash source | v0.57.0 |
| GHSA-qp6f-fpfx-4gg6 | Vector logstash source | v0.57.0 |
| GHSA-6342-xwvw-c637 | Vector file sink (template variables) | v0.57.0 |
Full technical details, including CVSS scores and affected version ranges, are available in the GitHub Security Advisories linked above.
Timeline
- June 18, 2026: Datadog notified of findings by International Exchange, Inc. (ICE).
- June 18, 2026: Coordinated disclosure process initiated with Vector engineering team.
- July 14, 2026: Patched version v0.57.0 was released; public advisory published July 14, 2026.
Vector is an open-source project and not a paid Datadog product; support is provided through public community channels (primarily GitHub Issues/Discussions), not Datadog Support.
If you have additional questions, reach out via your Customer Success Manager, Account Executive, or through Datadog Support.
Datadog's Response to Compromised AsyncAPI npm Packages
We are aware of a supply chain attack in which four npm packages published by the AsyncAPI open source project, were compromised with malicious code on July 14, 2026:
- @asyncapi/generator
- @asyncapi/generator-helpers
- @asyncapi/generator-components
- @asyncapi/specs
Upon learning of this activity, Datadog's security team immediately investigated our potential exposure. As a result, we can confirm Datadog does not use any of the affected packages in our products or infrastructure. As an added precaution, we have blocked all known malicious versions of these packages, along with associated network infrastructure, across our internal systems.
For a detailed breakdown of the campaign and how you can assess impact in your own environment, refer to our Security Labs post.
If you have any further questions, our Support team is here to help.
Datadog's Response to Alert Notification Email Delivery Disruption
What Happened
The domain dtdg.co (used to send certain Datadog notification emails, including Monitor Alerting notifications from alert@dtdg.co) was added to a small number of spam-reputation blocklists. This caused a subset of outbound emails from alert@dtdg.co to be silently rejected, dropped or marked as spam by recipient mail servers that consult these blocklists, without generating a bounce notification back to Datadog or to the sender.
This was an external deliverability issue, not a compromise of Datadog systems. We can confirm this incident did not involve unauthorized access to Datadog infrastructure, and no customer data was accessed or exposed as a result.
What Datadog Has Done To Address This Issue
Our team identified the root cause of dtdg.co being added to these blocklists. We engaged directly with the spam list providers to request delisting, and cleared the sending IPs that had been flagged. Email delivery from alert@dtdg.co has been restored, and we have validated that outbound notifications are again being delivered successfully.
Next Steps for Customers
-
Check your notification history within Datadog for the affected window (approximately July 7th–July 9th) to confirm whether expected alert@dtdg.co notifications were received
-
Confirm that dtdg.co is not independently blocklisted on your own mail infrastructure or spam-filtering tools, which could cause continued delivery issues on your end even though the upstream blocklisting has been resolved
-
Add dtdg.co as part of your allowlist within your mail infrastructure
- Note–customers using EU or Govcloud sites should consider adding dtdg.eu and/or ddgov-gov.com to this allow list
- Note–customers using EU or Govcloud sites should consider adding dtdg.eu and/or ddgov-gov.com to this allow list
-
If email is your only configured notification channel for critical alerts, consider configuring a secondary notification channel (e.g., Slack, PagerDuty, webhook) as a resilience measure against future email-deliverability disruptions
Next Steps for Datadog
To reduce the risk of a similar disruption recurring, we have committed to the following near-term actions:
-
Adding protection mechanisms to our email/alerting systems and product, to reduce the risk of alert/notification emails from being dropped, silently rejected or marked as spam
-
Augmenting our email reputation monitoring infrastructure to more proactively detect if/when Datadog’s sending domains are still blocked
If you have any further questions, our Support team is here to help.
Datadog's Response to Phishing Emails Sent via Trial Accounts
Datadog has identified a campaign where trial accounts were abused to send spam and phishing emails in breach of our Terms of Service. The accounts responsible have been terminated, and we have implemented controls to block monitor notifications from being sent to recipients outside the sending organization. We will continue to detect and respond to further attempts and are actively refining our controls to prevent unauthorized activity.
No Datadog customer data was exposed and no action is needed on your end.
If you received one of these emails, please disregard and delete it. Do not interact with any links it contains. If you clicked a link or took any action, we recommend reporting it to your organization's IT or security team.
FedRAMP® High Certification
We're pleased to announce that Datadog for Government has achieved FedRAMP High certification, the U.S. federal government's most rigorous authorization for cloud service providers handling sensitive, unclassified data.
For details on what this means for your organization and our ongoing commitment to trust and accountability, please see our press release and blog post.










