Vulnerability disclosure policy
An important part of Yugabyte's strategy for building a secure platform for our users is vulnerability reporting. We value working with the broader security research community and understand that fostering that relationship will help Yugabyte improve its own security posture. We take vulnerabilities very seriously regardless of source, and strongly encourage people to report security vulnerabilities privately to our security team before disclosing them in a public forum. Our goal is to surface vulnerabilities and resolve them privately before they can be exploited.
Covered list. We commit to investigate and address any reported issues, and request that you use the following process for the reporting of security vulnerabilities in the following products:
- YugabyteDB Anywhere
- YugabyteDB Managed
- YugabyteDB Voyager
- Any Yugabyte web properties
NoteCustomer sites hosted on YugabyteDB Managed are out of scope of this process. We suggest that you report such vulnerabilities to the owner of the customer site, and we will do the same when possible.
We will keep all information you provide to us confidential.
We assure you that we will not initiate legal action against researchers who are acting in good faith and adhering to this process.
Report the Concern. If you have any security concerns or would like to report undisclosed security vulnerabilities in our products or services, please email us at email@example.com. Note that we do not accept bug reports at this address.
Include Details. Please provide as much information as you can about the potential vulnerability, including but not limited to the following:
- Detailed summary of the vulnerability.
- Attack surface (for example, URL and parameters).
- Potential weakness (for example, brute force, SQL injection).
- Tools used to exploit the potential vulnerability (for example, operating system configuration and browser).
- Proof of concept of how the vulnerability can be exploited (for example, sample code and steps to reproduce the vulnerability).
- Severity level (for example, low-medium-high-critical, or use the CVSS 3.1 score estimation tool).
- Any plans for public disclosure.
- Preferably, send a plain-text email for each vulnerability you are reporting.
Vulnerabilities in Other Open Source Projects. We incorporate software from other open source projects, and welcome vulnerability reports for those. However, you should also report those vulnerabilities directly to the affected project.
Use Common Sense. Please use common sense when looking for security issues with our products. Attacking or compromising Yugabyte users' installations, or attacks on our infrastructure are not permitted.
We will promptly investigate any reported issue and respond to your submission as soon as we can. In certain cases, we may work privately with you to resolve the vulnerability. We may choose not to disclose information publicly while we investigate and mitigate any risk.
Upon validation and appropriate mitigation (if any) of the risk, we will alert affected customers, and add the CVE to the following list.
Security tracker: CVE list
|Product||Resolution||CVE||Affected versions||Fixed in||Status|
|YugabyteDB||Fixed: update to v188.8.131.52 or later||CVE-2022-37397||v184.108.40.206||v220.127.116.11||Resolved|
NoteOur release notes contain up-to-date information on security vulnerabilities and available patches.