We are pleased to announce the launch of our public bug bounty program on the HackerOne platform:
The aim for this program is two fold:
- Review the vulnerability submission channels, guidelines and policy for responsible disclosure, as well as asset identification and vulnerability handling process on our side.
- Encourage researchers to look for vulnerabilities in MariaDB code and have a way to incentivize reporting in accordance with the responsible disclosure model.
Goal no.1 resulted in changes to our general vulnerability classification process described at mariadb.org/about/security-policy/. We now have two kinds of vulnerabilities, Critical and Medium severity, as well as a policy that should act as a guideline to the reporter as well as our team to ensure proper vulnerability management. This policy is fully public and is entirely contained in the HackerOne profile page.
Goal no.2 resulted in our public bug bounty program on HackerOne. We hope this will expose use to a wide community of security researchers and help us identify and properly handle issues that can impact the security of MariaDB users at large. Currently we only offer HackerOne Thank You badges and points, but we are working towards being able to award MariaDB swag (t-shirts, stickers) in the near future, and possibly, even cash bounties, although, given our non-profit nature, these will be more honorific in nature rather than financially motivating.
We are mainly interested in finding out about vulnerabilities in MariaDB source code, however, we have also listed our web assets, such as this website, our Jira and Continuous Integration deployments, etc. as targets for the program, since we believe that trusting our open development model, the community and the foundation behind the MariaDB effort is also of crucial importance. We do ask of you to take a moment to read our Policy carefully and consider your submissions with thought, taking into account that MariaDB is Open Source Software and the foundation is a non-profit, and as such, is governed and developed entirely in the open. For example, having a public issue tracker is intentional and should not be considered a vulnerability (yes, we received reports like that, classifying Jira as information disclosure). In your security assessment, please, act in good faith to avoid privacy violations, destruction of data, and interruption or degradation of services (including denial of service) for us and our users at large. For MariaDB bug hunting, fuzzing and testing, use your own personal deployments.
We also realize that not everyone wants or has time to read policies, abide by any agreement or register on a third party website to report a security vulnerability to us, so in that case you are still free to drop your report at firstname.lastname@example.org. However, we still encourage you to practice good vulnerability reporting common-sense, such as describing the bug in detail, including a proof-of-concept and being patient for the entire life-time cycle of a security issue from the initial validation and risk assessment, up to resolution and public disclosure.
Happy bug hunting!