Responsible Disclosure Policy

Last Revised: July 30, 2021

We at Cockroach Labs consider the security of our systems and our product a top priority. However, no matter how much effort we put into security, we acknowledge vulnerabilities can still be present.

If you discover a vulnerability, please report the issue to us so we can take steps to resolve it as quickly as possible. Help us to better protect our users, our customers, and our own systems.

Please do:

  • E-mail your findings to You may encrypt your findings using our PGP key to prevent critical information from falling into the wrong hands.

  • Customers are responsible for the strength of the passwords they choose for signing into the managed services console.

Please do not take advantage of the vulnerability or problem you have discovered, for example, by downloading more data than necessary to demonstrate the vulnerability, interrupting the delivery of our services or that of our customers, deleting or modifying other people’s data, or helping others to exploit vulnerabilities in our products.

Please do not report the problem to others until it has been resolved, or for a minimum of 30 days after you first reported the problem to us.

Please do not use attacks on physical security, social engineering, distributed denial of service, spam or applications of third parties.

What we promise:

  • We evaluate all reports to determine applicability and severity.

  • If we determine that your reported vulnerability might reasonably impact Cockroach Labs' systems or software and has not been previously reported, we will respond within two business days to confirm or request additional information.

  • We will handle your report with strict confidentiality, and will not pass on your personal details to third parties without your permission.

  • We will keep you informed of the progress towards resolving the problem.

  • If and when we publicize the problem, we will identify you as the discoverer unless you specify otherwise.

  • We will allow you and/or third parties (for example CVE) to publish external accounts of the problem and its resolution after we have had the opportunity to analyze the vulnerability, respond to the notification, and notify our affected users and customers.


While we greatly appreciate community reports regarding security issues, at this time Cockroach Labs does not provide compensation or swag for vulnerability reports.

Past Disclosures

Disclosures of past security incidents for CockroachDB can be found in our GitHub issue tracker under the C-security-disclosure label.