2020-12-02

percona.com

A vulnerability disclosure policy (VDP), also referred to as a responsible disclosure policy, describes how an organization will handle reports of vulnerabilities submitted by ethical hackers. A VDP must therefore be easy to find through a simple mechanism: a security.txt notice.

Contact: security@percona.com

Privacy Policy: Privacy Policy 

Hiring: security@percona.com



At Percona, we consider the security of our systems a top priority. But no matter how much effort we put into system security, there can still be vulnerabilities present. If you discover a vulnerability, we would like to know about it so we can take steps to address it as quickly as possible. We would like to ask you to help us better protect our clients and our systems.



Scope



- Percona Open Source Software
- Percona web properties
- Note exclusions below.



Exclusions



We are no longer accepting reports that include the following:



- https://jira.percona.com content is public

jira.percona.com is our public open-source software bug-tracking system. All content is intended to be public on this service. We will no longer accept reports that note content being public is a misconfiguration or exposure.

- DNS CNAME denotes third-party SaaS services

These are not operated by Percona. While we welcome reports of concern, we cannot provide any reward for such reports.

Please instead note the DNS CNAME for the responsible parties.

- Clickjacking on pages with no sensitive actions.

- Any activity that could lead to the disruption of our service (DoS).

- Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.

- Email spoofing

- Missing DNSSEC



Please do the following:



- Email your findings to security@percona.com

- Please refrain from exploiting the identified vulnerability or issue. This includes actions such as downloading excessive data beyond what is necessary to demonstrate the vulnerability or unauthorized deletion or modification of others' data. Your cooperation in responsibly disclosing and addressing security concerns is greatly appreciated.

- Please refrain from disclosing the issue to others until it has been resolved.

- Do not use attacks on physical security, social engineering, distributed denial of service, spam, or applications of third parties.

- Provide sufficient information to reproduce the problem, so we can resolve it as quickly as possible. Typically, the IP address or URL of the affected system, along with a vulnerability description, should suffice. However, more complex vulnerabilities may necessitate additional clarification.



What we commit to:



We will respond to your report within a reasonable period, providing our evaluation of the report.

If you have followed the instructions above, no legal action will be taken against you concerning the report.

Your report will be handled with strict confidentiality, and your details will not be disclosed to third parties without your permission.

You will be kept informed of the progress towards resolving the problem.

In public information concerning the reported problem, we will credit you as the discoverer (unless you prefer otherwise).

We strive to resolve all problems expeditiously and aim to actively contribute to the eventual publication of the problem after its resolution.

This policy, crawled by Onyphe on 2020-12-02, is sorted as securitytxt.

FireBounty © 2015-2024
