We take security vulnerabilities seriously. If you discover a security issue, please report it responsibly.
The fastest way to report a vulnerability is through GitHub's private vulnerability reporting:
- Go to the Security tab of this repository
- Click Report a vulnerability
- Fill out the form with details about the vulnerability
This creates a private discussion where we can collaborate on a fix before public disclosure.
If you prefer email or cannot use GitHub's reporting:
- Email: security@inferadb.com
- Subject: `[SECURITY] <brief description>`
Please include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Any suggested fixes (optional)
| Timeline | Action |
|---|---|
| 48 hours | Acknowledgment of your report |
| 7 days | Initial assessment and severity determination |
| 90 days | Target resolution for most issues |
We follow coordinated vulnerability disclosure. We'll work with you to understand the issue, develop a fix, and coordinate public disclosure.
Security issues we're interested in include:
- Test fixtures that could expose security vulnerabilities
- Insecure test patterns that might be copied
- Credential exposure in test configurations
- Vulnerabilities in test dependencies
- Issues that only affect test environments
Security fixes are released as patch versions and announced via:
- GitHub Security Advisories
- Release notes
We appreciate security researchers who help keep InferaDB secure. With your permission, we'll acknowledge your contribution in the security advisory.