Contact: mailto:security@surrealdb.com
Expires: 2025-01-01T00:00:00.000Z
Last-Updated: 2024-02-20T00:00:00.000Z
Preferred-Languages: en
Canonical: https://surrealdb.com/.well-known/security.txt
Policy: https://surrealdb.com/legal/security
Hiring: https://surrealdb.com/careers

We take the security of SurrealDB code, software, and infrastructure very seriously. If you believe you have found a security vulnerability in SurrealDB, we encourage you to let us know right away. We will investigate all legitimate reports and do our best to quickly fix the problem.

You can report any vulnerabilities or security issues to "security@surrealdb.com". For open source components, please report issues via GitHub Security Advisories instead of opening a public issue on GitHub.

Do:
- Privately disclose the details of any potential vulnerability to SurrealDB.
- Provide enough information to reproduce the vulnerability in your report.
- Ask permission from SurrealDB before running automated security tools against its infrastructure.

Do not:
- Disclose the details of the vulnerability publicly or to third parties.
- Exploit a vulnerability beyond what is strictly necessary to verify its existence.
- Run automated security tools against SurrealDB infrastructure without permission.

Our responsibility:
- Acknowledge your report within 3 business days of the date of communication.
- Verify the issue and keep you informed of the progress toward its resolution.
- Handle your report and any data you share with us with strict confidentiality.
- Abstain from legal action against you for any report made following this policy.
- Credit you in any relevant public security advisory, unless you desire otherwise.

SurrealDB strives to provide timely and clear communication regarding any security issues that may impact users of its binaries, libraries and platforms, using GitHub Security Advisories and other available communication channels.
Generally, vulnerabilities will be discussed and resolved privately to minimize the risk of exploitation. Security advisories will generally be published once a release including a fix for the relevant vulnerability is available. The goal of publishing security advisories is to notify users of the risks involved in using a vulnerable version and to provide information for resolving the issue or implementing any available workarounds.

Vulnerabilities in third-party dependencies may only be independently published by SurrealDB when they affect a SurrealDB binary or platform. In those cases, the original CVE identifier will be referenced. Vulnerabilities affecting SurrealDB libraries will not be published again by SurrealDB when an advisory already exists for the original dependency, since security tooling (e.g. cargo audit, cargo deny check, or Dependabot) will already be able to track it up the dependency tree.