Published 2015-09-14 14:56:21 | 177 views | Comments: 0 | Source: compiled from the web

10gen values the privacy and security of all users of MongoDB, and we work very hard to ensure that MongoDB and related tools minimize risk exposure and increase the security and integrity of data and environments using MongoDB.

Notification

If you believe you have discovered a vulnerability in MongoDB or a related product or have experienced a security incident related to MongoDB, please report these issues so that 10gen can respond appropriately and work to prevent additional issues in the future. All vulnerability reports should contain as much information as possible so that we can move quickly to resolve the issue. In particular, please include the following:

  • The name of the product.
  • Common Vulnerability information, if applicable, including:
    • CVSS (Common Vulnerability Scoring System) Score.
    • CVE (Common Vulnerabilities and Exposures) Identifier.
  • Contact information, including an email address and/or phone number, if applicable.

10gen will respond to all vulnerability notifications within 48 hours.

Jira

10gen prefers jira.mongodb.org for all communication regarding MongoDB and related products.

Submit a ticket in the “Core Server Security” project, at: <https://jira.mongodb.org/browse/SECURITY/>. The ticket number will become the reference identifier for the issue for the lifetime of the issue, and you can use this identifier for tracking purposes.

10gen will respond to any vulnerability notification received in a Jira case posted to the SECURITY project.

Email

While Jira is the preferred communication vector, you may also report vulnerabilities via email to <security@10gen.com>.

You may encrypt email using our public key, to ensure the privacy of any sensitive information in your vulnerability report.

10gen will respond to any vulnerability notification received via email with an email that contains a reference number (i.e. a ticket from the SECURITY project) for a Jira case posted to the SECURITY project.

Evaluation

10gen will validate all submitted vulnerabilities. 10gen will use Jira to track all communications regarding the vulnerability, which may include requests for clarification and for additional information. If needed, 10gen representatives can set up a conference call to exchange information regarding the vulnerability.

Disclosure

10gen requests that you do not publicly disclose any information regarding the vulnerability or exploit until 10gen has had the opportunity to analyze the vulnerability, respond to the notification, and to notify key users, customers, and partners if needed.

The amount of time required to validate a reported vulnerability depends on the complexity and severity of the issue. 10gen takes all reported vulnerabilities very seriously, and will always ensure that there is a clear and open channel of communication with the reporter of the vulnerability.

After validating the issue, 10gen will coordinate public disclosure of the issue with the reporter in a mutually agreed timeframe and format. If required or requested, the reporter of a vulnerability will receive credit in the published security bulletin.
