We take security seriously. If you believe you have discovered a potential security vulnerability in one of our products, we encourage you to report it to us discreetly, quickly, and responsibly via the dedicated form below.
This program is intended to give security researchers clear guidelines for conducting vulnerability discovery activities and to convey our preferences in how to submit discovered vulnerabilities to us.
It describes which systems and types of research are covered, how to send vulnerability reports to ScyllaDB, and what timelines to expect from our end.
ScyllaDB may modify the terms of this Bug Bounty Program from time to time; once posted on the ScyllaDB website, the updated terms shall govern. We recommend that you periodically review the terms to see whether any changes were introduced, as reflected in the “Last Updated” date above.
If you make a good-faith effort to comply with this program during your security research, we will consider your research to be accepted. We will work to understand and resolve the issue quickly.
Under this program, “research” means activities in which you:
Once you’ve established that a vulnerability exists, or you encounter any sensitive data (including personally identifiable information, financial information, proprietary information, or trade secrets of any party), you must stop your test, notify us immediately, and not disclose this data to anyone else.
Some of our systems may be eligible for bounties. Reports that successfully demonstrate a compromise of the confidentiality, integrity, or availability of information relating to our clients, or of our secrets, will be considered.
Please find below the current list of bounty-eligible systems (such list may change from time to time at our sole discretion).
ScyllaDB website domains and any related subdomains are out of scope.
The following activities are out of scope for the ScyllaDB Bug Bounty Program. Conducting any of the activities below will result in permanent disqualification from the program.
If a vulnerability report is submitted about an item included in the above list, ScyllaDB will not review it and the report will be rejected.
We accept vulnerability reports via this Google form only.
Each report is cataloged, dated, and scrutinized for its scope and risk level.
To help us respond to your report efficiently, please include any relevant supporting materials (such as proof-of-concept code, tool output, affected versions, and reproduction steps) that help us understand the nature and severity of the vulnerability.
Reports that duplicate an issue that has already been reported will be rejected.
ScyllaDB is committed to being responsive and keeping you informed of our progress as we investigate and/or mitigate your reported security concerns. You will receive a non-automated response to your initial contact as quickly as possible, confirming receipt of your reported vulnerability and assigning you a tracking number. The time required to validate a reported vulnerability varies case by case and depends on the complexity and severity of the issue. We make every effort to respond to every report within 120 days.
Findings are categorized by risk level according to our risk analysis.
ScyllaDB requests that you do not publicly disclose any information regarding the vulnerability or exploit the issue until it has had the opportunity to analyze the vulnerability, respond to the notification, and notify key users, customers, and partners.
Confirmation of non-vulnerabilities: If the issue cannot be validated, or is not found to originate in a ScyllaDB product, this will be shared with you.