EDB Vulnerability disclosure policy

EDB is committed to a security first approach, from the products we build and the platforms we operate, to the services we provide our customers.

Introduction

This policy outlines how EnterpriseDB handles disclosures related to suspected vulnerabilities within our products, systems, or services. It also provides guidance for those who wish to perform security research, or may have discovered a potential security vulnerability impacting EnterpriseDB.

Audience

This policy outlines the procedure for external security researchers, customers, partners, and the wider community to report potential security vulnerabilities. If you believe you have discovered a potential security vulnerability impacting EnterpriseDB, please follow our reporting process set forth below.

Reporting vulnerabilities

If you have identified a potential security vulnerability, please notify us at disclosures@enterprisedb.com.

The following should be included in your message:

  • Description - detailed information about the nature of the vulnerability.
  • Proof of Concept - including steps to reproduce the issue, uncompiled source code, and/or screenshots.
  • Impact - the potential impact, and any relevant technical details.
  • Remediation recommendations.
  • References, if available.

If, during the course of your research, you suspect you have encountered sensitive information, immediately cease all activities and contact us at security@enterprisedb.com.

Our commitments

When a vulnerability report is received, we commit to:

  • Acknowledging receipt of your vulnerability report in a timely manner.
  • Validating the reported vulnerability.
  • Prioritizing and resolving validated vulnerabilities, communicating progress and mitigation actions as appropriate.
  • Notifying you when the vulnerability is resolved, where possible.

Safe harbor

We appreciate the security community’s efforts to help us identify and securely remediate any vulnerabilities that may impact EnterpriseDB or our customers. When you investigate and report vulnerabilities under this policy, we grant you a “safe harbor,” and will not pursue claims against you for any lawful conduct.

Confidentiality

Please do not share information about the vulnerability with others until we have had reasonable time to address it. If you have discovered a vulnerability, please do not disclose it publicly without our consent.

Rewards

While we don't have a formal bug bounty program, we recognize and appreciate the valuable role that security researchers play in the discovery and mitigation of vulnerabilities. EnterpriseDB may, at its own discretion, provide rewards for the disclosure of previously unknown vulnerabilities, depending on their severity and impact.

Disclaimer

While we strive to acknowledge, triage and respond to all reports as quickly as possible, this policy does not constitute a binding agreement.

Out of scope

The following types of attacks are out of scope and are not eligible for a reward or covered under safe harbor:

  • Brute force attacks such as credential stuffing, dictionary attacks, password spraying and any use of botnets (crawling our sites and services is okay)
  • Denial of service attacks such as distributed denial of service, advanced persistent denial of service and certain types of application layer attacks
  • Information disclosure that only contains version information unless that information is included in a working proof of concept
  • Missing best practices regarding header configurations, SPF/DKIM/DMARC records and SSL/TLS configurations
  • Cross-Site Request Forgery (CSRF) on unauthenticated forms, or forms with no sensitive actions
  • Clickjacking on pages with no sensitive actions
  • Vulnerabilities that only affect users of outdated or unpatched software or services

Thank you for helping to keep EnterpriseDB and our customers safe!

By submitting a vulnerability, you acknowledge that you have read and agreed to this policy.

Please note that this policy may be updated from time to time. Please refer to the latest version before reporting a vulnerability.

Change history

Date             Description        Version
July 20th 2023   Document creation  1.0
