For details on MariaDB’s end-to-end security strategy, visit our Trust Center.
Reporting a Security Concern
Current MariaDB customers may report a security concern by creating a support case in the Customer Support Portal.
For the MariaDB Foundation’s policy on reporting security concerns, please see MariaDB Foundation Reporting Procedures.
MariaDB asks that the report provides full details of the security concern so our security team can validate and reproduce the issue including the following information:
- The environment (operating system, hardware and MariaDB version, including plugins and storage engines).
- Code affected, along with your explanation of the faulty behavior.
- Configuration, SQL tables, queries, network actions required to reproduce the behavior.
- Core dumps, stack-traces, error logs, data dumps, failed test cases or network packets required to diagnose or reproduce the attack.
- Proof of Concept (PoC) code that successfully triggers/exploits the vulnerability in at least one given scenario.
Vulnerability reports need to be documented in a way that they can be reproduced, easily understood and classified. The more details you send, including screen-shots, code, video; helps to understand the flaw as quickly as possible.
Our Security Commitment
To all customer and security researchers who follow this MariaDB Vulnerability Reporting Policy, our security team commits to:
- Respond in a timely manner, acknowledging receipt of your report
- Provide an estimated time frame for addressing the vulnerability
- Notify the reporting individual when the vulnerability has been fixed
We take security issues seriously and will endeavor to respond swiftly to fix verifiable security issues.
While we appreciate the work done by independent security researchers, we do not offer compensation for reporting a security vulnerability.