Reporting security bugs
Reports about security vulnerabilities can be sent to firstname.lastname@example.org.
Security bugs can also be reported in the normal issue tracker, but they should be marked as affecting security: mariadb.org/jira
The MariaDB Server developers classify all security bugs according to their threat level. The threat level can be one of:
- Red: an exploitable vulnerability that causes arbitrary code execution or allows an unauthenticated user to crash the server or get access to the data.
- Yellow: everything else.
We promise to fix any red security bug immediately, usually within hours, and release fixed (i.e. not vulnerable) MariaDB binaries as soon as possible, usually the next day.
We will fix yellow security bugs as soon as possible, but we will not change our planned release schedule to get the fix out earlier.
Generic guidelines on reporting bugs
The Reporting Bugs page on the KnowledgeBase has details on how to report a bug.