Cockroach Labs

Responsible Disclosure Policy

Last Revised: December 20, 2019

We at Cockroach Labs consider the security of our systems and our product a top priority. However, no matter how much effort we put into security, we acknowledge that vulnerabilities may still be present.

If you discover a vulnerability, please report the issue to us so we can take steps to resolve it as quickly as possible. Help us to better protect our users, our customers, and our own systems.

Please do:

  • E-mail your findings to security@cockroachlabs.com. You may encrypt your findings using our PGP key to prevent critical information from falling into the wrong hands.

Please do not:

  • Take advantage of the vulnerability or problem you have discovered, for example by downloading more data than is necessary to demonstrate the vulnerability, interrupting the delivery of our services or those of our customers, deleting or modifying other people’s data, or helping others to exploit vulnerabilities in our products.
  • Report the problem to others until it has been resolved, or until at least 30 days have passed since you first reported it to us.
  • Use attacks on physical security, social engineering, distributed denial of service, spam, or attacks against third-party applications.

Note that customers are responsible for the strength of the passwords they choose for signing into the managed services console.

What we promise:

  • We will respond to your report within two business days with our evaluation of the vulnerability.
  • We will handle your report with strict confidentiality, and will not pass on your personal details to third parties without your permission.
  • We will keep you informed of the progress towards resolving the problem.
  • If and when we publicize the problem, we will identify you as the discoverer unless you specify otherwise.
  • We will allow you and/or third parties (for example CVE) to publish external accounts of the problem and its resolution after we have had the opportunity to analyze the vulnerability, respond to the notification, and notify our affected users and customers.

While we greatly appreciate community reports regarding security issues, at this time Cockroach Labs does not provide compensation for vulnerability reports.

Past Disclosures

Disclosures of past security incidents can be found in our issue tracker under the security-disclosure label.