Addressing Security Vulnerabilities

At PingCAP, we attach great importance to product-related security issues. If you find a security vulnerability when you use or test our product, we encourage you to report the issue to the TiDB security team immediately.

Report a vulnerability

If you have discovered a vulnerability in a TiDB product or have encountered a security incident involving a TiDB product vulnerability, please report it to the TiDB security team at security@pingcap.com.

Please provide as much information about the vulnerability as possible in the following format (* indicates a required item):

• Vulnerability title*:
• Overview*:
• Affected component and version number*:
• CVE number (if available):
• Vulnerability validation process*:
• Contact information*:

The TiDB security team will confirm the vulnerability and contact you within two business days after your submission.

Warning: Please do not use the vulnerability to download or obtain data beyond the proof of exploit, to delete, or modify user data. These are regarded as malicious attacks.

Out of scope

The following situations do not qualify as security vulnerabilities:

• Physical attacks
• Social engineering attacks or proximity attacks
• Missing HTTP security headers or enabling specific HTTP methods
• Email Sender Policy Framework (SPF) issues
• Brute force attacks on any API interface
• Website page clickjacking
• HTML content injection
• Disclosure of the robots.txt file
• Email spoofing
• Error messages about the page
• Golang or JavaScript function error
• No rate limit for the API interface
• Leak of nonsensitive files
• Disruption of service caused by a Distributed Denial of Service (DDoS) attack or HTTP flood attacks
• Leak of server version information
• Weak password policy or database hash salting issues
• A Secure Socket Layer (SSL) version or Transport Layer Security (TLS) version that is too low
• Dependent third-party components are vulnerable but cannot be verified

Confidentiality policy

After fixing a security vulnerability, we will publicly thank the person who reported it. However, to avoid negative consequences and in accordance with legal requirements, please keep the vulnerability information confidential until the vulnerability is fixed. We would also appreciate it if you could observe the following code of conduct:

• Do not disclose the vulnerability to the public or to third parties until PingCAP releases a patch. Depending on the type of the vulnerability, the time and process to fix it will vary. Therefore, all the parties involved must negotiate the proper time to disclose the vulnerability based on their research and judgment.
• To avoid improper use of the vulnerability, do not disclose detailed information about the vulnerability, such as the vulnerability exploitation code.
• Comply with intellectual property protection laws, regulations, and trade secret agreements.

Disclosure of fixed vulnerabilities