Vulnerability Reporting

For details on MariaDB’s end-to-end security strategy, visit our Trust Center.

Reporting a Security Concern

Customers
Current MariaDB customers may report a security concern by creating a support case in the Customer Support Portal.

Non-Customers
Non-customers may report a security concern by emailing security@mariadb.com for general concerns or security-skysql@mariadb.com for SkySQL-specific concerns.

MariaDB Foundation
For the MariaDB Foundation’s policy on reporting security concerns, please see MariaDB Foundation Reporting Procedures.

Reporting Details

MariaDB asks that the report provides full details of the security concern so our security team can validate and reproduce the issue including the following information:

  • The environment (operating system, hardware and MariaDB version, including plugins and storage engines).
  • Code affected, along with your explanation of the faulty behavior.
  • Configuration, SQL tables, queries, network actions required to reproduce the behavior.
  • Core dumps, stack-traces, error logs, data dumps, failed test cases or network packets required to diagnose or reproduce the attack.
  • Proof of Concept (PoC) code that successfully triggers/exploits the vulnerability in at least one given scenario.

Vulnerability reports need to be documented in a way that they can be reproduced, easily understood and classified. The more details you send, including screen-shots, code, video; helps to understand the flaw as quickly as possible.

Our Security Commitment

To all customer and security researchers who follow this MariaDB Vulnerability Reporting Policy, our security team commits to:

  • Respond in a timely manner, acknowledging receipt of your report
  • Provide an estimated time frame for addressing the vulnerability
  • Notify the reporting individual when the vulnerability has been fixed

We take security issues seriously and will endeavor to respond swiftly to fix verifiable security issues.

Compensation

While we appreciate the work done by independent security researchers, we do not offer compensation for reporting a security vulnerability.