Last Revised: July 30, 2021
We at Cockroach Labs consider the security of our systems and our product a top priority. However, no matter how much effort we put into security, we acknowledge vulnerabilities can still be present.
If you discover a vulnerability, please report the issue to us so we can take steps to resolve it as quickly as possible. Help us to better protect our users, our customers, and our own systems.
Please do:
Please do not take advantage of the vulnerability or problem you have discovered, for example, by downloading more data than necessary to demonstrate the vulnerability, interrupting the delivery of our services or that of our customers, deleting or modifying other people’s data, or helping others to exploit vulnerabilities in our products.
Please do not report the problem to others until it has been resolved, or for a minimum of 30 days after you first reported the problem to us.
Please do not use attacks on physical security, social engineering, distributed denial of service, spam, or applications of third parties.
While we greatly appreciate community reports regarding security issues, at this time Cockroach Labs does not provide compensation or swag for vulnerability reports.
Disclosures of past security incidents for CockroachDB can be found in our GitHub issue tracker under the C-security-disclosure label.