| 1 | +# Security Policy |
| 2 | + |
| 3 | +## Supported Versions |
| 4 | + |
| 5 | +We release patches for security vulnerabilities. Which versions are eligible |
| 6 | +receiving such patches depend on the CVSS v3.0 Rating: |
| 7 | + |
| 8 | +| CVSS v3.0 | Supported Versions | |
| 9 | +| --------- | ----------------------------------------- | |
| 10 | +| 4.0-10.0 | Most recent release | |
| 11 | + |
| 12 | +## Reporting a Vulnerability |
| 13 | + |
| 14 | +Please report (suspected) security vulnerabilities to our **[bug bounty |
| 15 | +program](https://hackerone.com/aiven_ltd)**. You will receive a response from |
| 16 | +us within 2 working days. If the issue is confirmed, we will release a patch as |
| 17 | +soon as possible depending on impact and complexity. |
| 18 | + |
| 19 | +## Qualifying Vulnerabilities |
| 20 | + |
| 21 | +Any reproducible vulnerability that has a severe effect on the security or |
| 22 | +privacy of our users is likely to be in scope for the program. |
| 23 | + |
| 24 | +We generally **aren't** interested in the following issues: |
| 25 | +* Social engineering (e.g. phishing, vishing, smishing) attacks |
| 26 | +* Brute force, DoS, text injection |
| 27 | +* Missing best practices such as HTTP security headers (CSP, X-XSS, etc.), |
| 28 | + email (SPF/DKIM/DMARC records), SSL/TLS configuration. |
| 29 | +* Software version disclosure / Banner identification issues / Descriptive |
| 30 | + error messages or headers (e.g. stack traces, application or server errors). |
| 31 | +* Clickjacking on pages with no sensitive actions |
| 32 | +* Theoretical vulnerabilities where you can't demonstrate a significant |
| 33 | + security impact with a proof of concept. |
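Review bot: the sentence under "Supported Versions" is ungrammatical: "Which versions are eligible receiving such patches depend on the CVSS v3.0 Rating" should read "Which versions are eligible for receiving such patches depends on the CVSS v3.0 rating". The table beneath it also lists only the 4.0-10.0 range; since the text says eligibility depends on the rating, add a row (or a sentence) stating how findings rated below 4.0 are handled so reporters are not left guessing.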