1 parent 8b4aa3f, commit 913120c. Showing 1 changed file with 33 additions and 0 deletions.
@@ -0,0 +1,33 @@ | ||
# Security Vulnerability Disclosure and Response Process | ||
|
||
TiDB is a fast-growing open source database. To ensure its security, a security vulnerability disclosure and response process is adopted. | ||
|
||
The primary goal of this process is to reduce the total exposure time of users to publicly known vulnerabilities. To quickly fix vulnerabilities of TiDB products, the security team is responsible for the entire vulnerability management process, including internal communication and external disclosure. | ||
|
||
If you find a vulnerability or encounter a security incident involving vulnerabilities of TiDB products, please report it as soon as possible to the TiDB security team ([email protected]). | ||
|
||
Please kindly help provide as much vulnerability information as possible in the following format: | ||
|
||
- Issue title*: | ||
|
||
- Overview*: | ||
|
||
- Affected components and version number*: | ||
|
||
- CVE number (if any): | ||
|
||
- Vulnerability verification process*: | ||
|
||
- Contact information*: | ||
|
||
The asterisk (*) indicates the required field. | ||
|
||
# Response Time | ||
|
||
The TiDB security team will confirm the vulnerabilities and contact you within 2 working days after your submission. | ||
|
||
We will publicly thank you after fixing the security vulnerability. To avoid negative impact, please keep the vulnerability confidential until we fix it. We would appreciate it if you could obey the following code of conduct: | ||
|
||
The vulnerability will not be disclosed until TiDB releases a patch for it. | ||
|
||
The details of the vulnerability, for example, exploits code, will not be disclosed. |
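Review bot: The two "code of conduct" items at the end of the hunk ("The vulnerability will not be disclosed until TiDB releases a patch for it." and "The details of the vulnerability, for example, exploits code, will not be disclosed.") are plain paragraphs after a lead-in that announces a list; make them Markdown list items (`- ...`) so they render as the rules the sentence promises, and fix "exploits code" to "exploit code". In the "Response Time" section, the only commitment is acknowledgement "within 2 working days"; a reporter also needs an expected fix and disclosure timeline (or at least a statement that one will be agreed on receipt), since the conduct rules ask them to withhold details for an open-ended period. The report template asks for a "Vulnerability verification process", which is effectively reproduction steps, yet the only channel offered is a plain e-mail address; consider publishing a PGP key or other encrypted channel alongside it, and state which TiDB versions are in scope for security fixes so "Affected components and version number" can be answered against a known support window.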