---
description: Find the answers to common security related FAQs
keywords: Docker, Docker Hub, Docker Desktop security FAQs, platform, Docker Scout, admin, security
title: General security FAQs
linkTitle: General
weight: 10
tags: [FAQ]
aliases:
- /faq/security/general/
---
### How do I report a vulnerability?
If you’ve discovered a security vulnerability in Docker, we encourage you to report it responsibly. Report security issues to security@docker.com so that they can be quickly addressed by our team.
### How are passwords managed when SSO isn't used?
Passwords are encrypted and salt-hashed. If you use application-level passwords instead of SSO, you are responsible for ensuring that your employees choose strong passwords, don't share them, and don't reuse them across multiple systems.
### Does Docker require password resets when SSO isn't used?
Passwords aren't required to be periodically reset. NIST no longer recommends periodic password resets as a best practice.
### Does Docker lock out users after failed sign-ins?
Docker Hub’s global lockout policy triggers after 10 failed sign-in attempts within a 5-minute period, and the lockout lasts 5 minutes. The same global policy applies to authenticated Docker Desktop users and Docker Scout, both of which use Docker Hub for authentication.
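The following is an added illustration of how the stated thresholds behave, not Docker's own implementation: it models the policy for one account so you can check, for example, that attempts spread over more than 5 minutes never trigger a lockout. It assumes a sliding 5-minute failure window, a lockout that begins on the 10th failure, and a successful sign-in that clears the failure history; the page does not state these details.

```python
from collections import deque
from datetime import datetime, timedelta

# Values stated on the page for Docker Hub's global lockout policy.
MAX_FAILURES = 10
FAILURE_WINDOW = timedelta(minutes=5)
LOCKOUT_DURATION = timedelta(minutes=5)


class LockoutTracker:
    """Models the lockout policy for a single account.

    Assumptions (not stated on the page): the failure window slides, the
    lockout starts at the 10th failure, and a successful sign-in clears
    the failure history.
    """

    def __init__(self):
        self.failures = deque()   # timestamps of recent failed attempts
        self.locked_until = None  # when the current lockout ends, if any

    def is_locked(self, now):
        return self.locked_until is not None and now < self.locked_until

    def record_failure(self, now):
        """Record a failed sign-in; return True if the account is locked afterwards."""
        if self.is_locked(now):
            return True
        self.failures.append(now)
        # Forget failures that fell out of the sliding window.
        while self.failures and now - self.failures[0] >= FAILURE_WINDOW:
            self.failures.popleft()
        if len(self.failures) >= MAX_FAILURES:
            self.locked_until = now + LOCKOUT_DURATION
            self.failures.clear()
            return True
        return False

    def record_success(self, now):
        """A correct password during a lockout is still rejected; otherwise reset the counter."""
        if self.is_locked(now):
            return False
        self.failures.clear()
        self.locked_until = None
        return True


if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, 12, 0, 0)  # constructed sample time
    tracker = LockoutTracker()
    for i in range(10):
        print(i + 1, "failures -> locked:", tracker.record_failure(t0 + timedelta(seconds=i)))
```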
### Do you support physical MFA with YubiKeys?
You can configure this through SSO using your IdP. Check with your IdP whether it supports physical MFA.
### How are sessions managed and do they expire?
By default, Docker uses tokens to manage sessions after a user signs in:
- Docker Desktop signs you out after 90 days, or 30 days of inactivity.
- Docker Hub and Docker Home sign you out after 24 hours.
Docker also supports your IdP's default session timeout. You can configure this by setting a Docker session minutes SAML attribute. For more information, see [SSO attributes](/manuals/security/for-admins/provisioning/_index.md#sso-attributes).
### How does Docker attribute downloads to us and what data is used to classify or verify the user is part of our organization?
Docker Desktop downloads are linked to a specific organization by the user's email containing the customer's domain. Additionally, we use IP addresses to correlate users with organizations.
### How do you attribute that number of downloads to us from IP data if most of our engineers work from home and aren’t allowed to use VPNs?
We attribute users and their IP addresses to domains using third-party data enrichment software: our provider analyzes activity from public and private data sources related to that specific IP address, then uses that activity to identify the domain and map it to the IP address.
Some users authenticate by signing in to Docker Desktop and joining their domain's Docker organization, which lets us map them with a much higher degree of accuracy and report direct feature usage to you. We strongly encourage you to have your users authenticate so we can provide you with the most accurate data.