Reporting security bugs
The MariaDB Server developers classify all security bugs according to their threat level. The threat level can be one of:
- Critical: an exploitable vulnerability that causes arbitrary code execution, authentication bypass or privilege escalation, or that allows an unauthenticated user to exfiltrate or permanently corrupt data or configuration, or to crash the server, resulting in total loss of availability.
- Medium: everything else.
We strive to fix any Critical security bug immediately, usually within hours, and release fixed MariaDB binaries as soon as possible, usually the next day.
We will fix Medium security bugs as soon as possible, but we will not change our planned release schedule to get the fix out earlier.
Please review our Security Policy and the assets it covers, both available on our HackerOne profile.
Generic guidelines on reporting bugs
The Reporting Bugs page on the KnowledgeBase has details on how to report a bug.