We are pleased to announce the launch of our public bug bounty program on the HackerOne platform:
The aims of this program are twofold:
- Review the vulnerability submission channels, guidelines and policy for responsible disclosure, as well as the asset identification and vulnerability handling processes on our side.
- Encourage researchers to look for vulnerabilities in MariaDB code and provide a way to incentivize reporting in accordance with the responsible disclosure model.
Goal no. 1 resulted in changes to our general vulnerability classification process, described at mariadb.org/about/security-policy/. We now distinguish two severity classes, Critical and Medium, and have a written policy that serves as a guideline for both reporters and our team to ensure proper vulnerability management.