ScyllaDB Bug Bounty Program

Introduction

We take security seriously. If you believe you have discovered a potential security vulnerability in one of our products, we encourage you to report it to us discreetly, quickly, and responsibly via the dedicated form below.

This program is intended to give security researchers clear guidelines for conducting vulnerability discovery activities and to convey our preferences in how to submit discovered vulnerabilities to us.

This program describes what systems and types of research are covered under this program, how to send ScyllaDB vulnerability reports, and what timelines to expect from our end.

ScyllaDB may modify the terms of this Bug Bounty Program from time to time and such updated terms, once posted on ScyllaDB website, shall govern. We recommend that you periodically review the terms, to see if any changes were introduced as reflected in the “Last Updated” date hereinabove.

Acceptance

If you make a good-faith effort to comply with this program during your security research, we will consider your research to be accepted. We will work to understand and resolve the issue quickly.

Guidelines

Under this program, “research” means activities in which you:

  • Notify us as soon as possible after you discover a real or potential security issue.
  • Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data.
  • Only use exploits to the extent necessary to confirm a vulnerability’s presence.
  • Do not use an exploit to compromise or exfiltrate data, establish persistent command line access, or use the exploit to pivot to other systems.
  • Do not submit a high volume of low-quality reports.

Once you’ve established that a vulnerability exists, or you encounter any sensitive data (including personally identifiable information, financial information, proprietary information, or trade secrets of any party), you must stop your test, notify us immediately, and not disclose this data to anyone else.

Scope

Some of our systems may be eligible for bounties. Only findings that can be successfully shown to compromise the confidentiality, integrity, or availability of information relating to our clients or our secrets will be considered.
Please find below the current list of bounty-eligible systems (this list may change from time to time at our sole discretion).

ScyllaDB Products

Out of Scope

ScyllaDB web site domains and any related subdomains are out of scope.

The following activities are out of scope for the ScyllaDB Bug Bounty Program. Conducting any of the activities below will result in permanent disqualification from the program.

  • Targeting assets of ScyllaDB’s customers
  • Any vulnerability obtained through the compromise of ScyllaDB customer or employee accounts
  • Any Denial of Service (DoS) attack against ScyllaDB products or ScyllaDB customers
  • Social engineering of ScyllaDB employees, contractors, vendors, or service providers
  • Knowingly posting, transmitting, uploading, linking to, or sending malware
  • Pursuing vulnerabilities which send unsolicited bulk messages (spam)

If a vulnerability report is submitted about an item included in the above list, ScyllaDB will not review it and the report will be rejected.

Reporting a Suspected Vulnerability

We accept vulnerability reports via this Google form only.

Each report is cataloged, dated, and scrutinized for its scope and risk level.
To enable us to respond more efficiently to your report, kindly provide any relevant supporting materials (such as proof-of-concept code, tool output, etc.) that would aid us in comprehending the nature and severity of the vulnerability.

Reports that duplicate an issue that has already been reported will be rejected.

SLA for Evaluation By ScyllaDB

ScyllaDB is committed to being responsive and keeping you informed of our progress as we investigate and/or mitigate your reported security concerns. You will receive a non-automated response to your initial contact as quickly as possible, confirming receipt of your reported vulnerability and assigning you a tracking number. The amount of time required to validate a reported vulnerability varies per case and depends on the complexity and severity of the issue. We make every effort to ensure that all reports are answered within 120 days.

Findings are categorized according to the Risk Analysis by level:

  • Critical: The issue is dangerous, and immediate safety measures must be taken to avoid any loss of our most confidential data.
  • High: This risk is not acceptable either. It requires immediate checks, and the necessary measures should be taken to minimize the loss of, or damage to, data.
  • Medium: The damage already caused cannot be overlooked. Proper planning and steps should be taken to control further loss or damage.
  • Low: Low risks are acceptable and can be rectified through proper security measures. In situations where damage has already occurred, the effect is very low.

Disclosure

ScyllaDB requests that you do not publicly disclose any information regarding the vulnerability or exploit the issue until it has had the opportunity to analyze the vulnerability, respond to the notification, and notify key users, customers, and partners.

Confirmation of Non-Vulnerabilities: If the issue cannot be validated, or is not found to originate in a ScyllaDB product, this will be shared with you.