2022-01-25
Redis

Policy

We believe that active collaboration with the security research community is a vital part of securing the software and infrastructure that powers our global community of Redis Geeks. We strive for excellence in our security posture, and your research plays a vital role in helping us spot unanticipated attack vectors or potential blind spots. We encourage your participation and will partner with you to review your findings, credit your work, and share our gratitude.

Our priorities include:

  • Remote code execution

  • Cloud tenant security and integrity

  • Access controls

Program Rules

  • You pledge not to discuss potential vulnerabilities, publicly or privately, before your findings are resolved, unless you have express written consent from Redis.

  • Please follow HackerOne's disclosure guidelines.

  • Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged. If you believe you know what mitigating measures or remediations could resolve the issue, please include those too.

  • Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.

  • When duplicates occur, we only triage the first report that was received (provided that it can be fully reproduced).

  • Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.

  • Social engineering (e.g. phishing, vishing, smishing) is prohibited.

  • Flooding or denial of service attacks are prohibited.

  • Avoid privacy violations, modification or destruction of data, and interruption or degradation of our services.

  • Only interact with accounts you own or with explicit permission of the account holder.

Out of Scope

The following issues at a minimum are considered out of scope:

  • Vulnerabilities in the open source Redis.io codebase. Potentially serious issues can be reported to the Redis open source core team via an email to redis@redis.io

  • Vulnerabilities in Redis clients (e.g. Jedis, Lettuce, etc.)

  • Techniques involving MITM or physical access to a user's device

  • Previously known vulnerable libraries without a working Proof of Concept

  • Missing best practices in SSL/TLS configuration

  • Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS

  • Rate limiting or brute-force issues on non-authentication endpoints

  • Missing best practices in Content Security Policy

  • Missing HttpOnly or Secure flags on cookies

  • Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)

  • Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]

  • Software version disclosure / banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors)

  • Open redirect - unless an additional security impact can be demonstrated

Disqualifiers

  • Any modification or destruction of user data

  • Taking any steps that intentionally violate the privacy of our users

  • Denial of service, either against company infrastructure or user accounts

  • Social engineering of any kind against our users or employees

  • Any type of brute-forcing or automated attack techniques

Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

Policy Updates

We will update this policy from time to time. If we make any changes to this policy, we will post a notice of these changes to this page.

Thank you for helping secure Redis and our community of technologists, enthusiasts, and innovators.

In Scope

Scope Type         Scope Name
web_application    api.redislabs.com
web_application    www.redislabs.com
web_application    www.redis.com
web_application    app.redislabs.com

This program was crawled on 2022-01-25 and is categorized as a bounty program.

FireBounty © 2015-2024
