Percona Security

Reporting a security concern to Percona

If you are a Percona customer,  please create a ticket within our customer portal. If you are not a current Percona customer, you can email [email protected] and use our PGP/GPG key to encrypt the contents of the email: F77F601F5DA8C0E5.

Reporting a security concern about Percona Open Source Software

As above, if you are a Percona customer, please create a ticket within our customer portal. If you are a user of Percona software but not a current customer, please create a ticket within https://jira.percona.com.

If you have any concerns about the content being sensitive, please instead report the issue to [email protected]. If desired, you may use our PGP/GPG key to encrypt the contents of the email F77F601F5DA8C0E5

Regarding CVEs that affect Percona OSS

Percona open source software merges upstream code releases. To allow Percona time to integrate enhancements and perform quality assurance testing, there may be some delay after an upstream release to the equivalent Percona release.

Percona naming conventions follow upstream; for example, Percona Software version 1.2.3-55.0 breaks down into 1.2.3 being the upstream version the product is equivalent to, with -55.01 being the Percona specific revisions and enhancements against the upstream version.

Responsible Disclosure

Percona operates a Responsible Disclosure program for legitimate reported issues that affect Percona or has the potential to affect Percona customers or Percona software users.

Scope

• Percona Open Source Software
• Percona web properties
  • Note exclusions below.

Exclusions

We are no longer accepting reports that include the following;

• https://jira.percona.com content is public
  jira.percona.com is our public open source software bug tracking system. All content is intended to be public on this service. We will no longer accept reports that note content being public is a misconfiguration or exposure.
• DMARC, SPF
  We are well aware of DMARC and SPF and are working toward better implementations of both.
• DNS CNAME denotes third party SaaS services
  These are not operated by Percona. While we welcome reports of concern, we are unable to provide any reward for such reports. Please instead note the DNS CNAME for the responsible parties.

Report details

Percona requests that your report includes at a minimum the following detail for consideration:

• The target, including fully qualified domain name if applicable
• The vulnerability being reported, including proof of concept exploitation if applicable
• Core dump / stack traces of the affected issue being exploited if applicable
• Configuration files / SQL / related scripts and/or detail for the affected issue being reported
• Any system configuration detail that is relevant to the issue being reported
• Any intended timelines for disclosure

Note: For bounty consideration, you must be open to negotiation of timelines where appropriate.

Grounds for rejection

Percona’s Security Team will make every effort to work with Security researchers, provided they comply with the terms above.

Reports received that do not detail the issue or make an attempt to do so may be rejected outright.

The Percona Security Team will make every effort to work with researchers to completely understand the issue being reported, and agree on a timeframe for a fix where applicable to do so.

Percona implements automated email filtering to limit delivery of spam, malware, etc. Please ensure when emailing your report to include a valid email address to respond to, a subject line, and email body content, to ensure delivery.

Prohibited Testing

The following testing activities are prohibited under the Responsible Disclosure and bug bounty program. Any testing that includes any of the following will result in action being taken to restrict such activity and/or refer to law enforcement agencies where appropriate.

• Any testing that may cause a service loss for any Percona web property or Percona operated system (e.g. DoS, DDoS).
• Any testing that involves the solicitation, extortion, coercion, or exploitation of Percona staff if any way.
• Any testing that involves Fuzzing without prior authorization.
• Any testing that would yield unauthorized junk, spam, phishing, or other unsolicited mail.
• Any testing that would involve the upload or distribution of malicious payloads.
• Any testing that originated from territories under U.S. Sanction.
• Any actions prohibited by Percona’s Acceptable Use Policy — see Section 9 of the Terms of Use at https://www.percona.com/terms-use.
• Any testing of the web-properties noted as excluded from Scope.

Should you have a legitimate test case that might include one of the above, please contact [email protected] detailing your proposed test, expected outcome, and proposed timelines.

Compensation / Bounty

Percona is grateful for any contributions made to the Responsible Disclosure program at Percona.

Percona at this time does not offer an official bounty program in which a report is thought to warrant some reward; however, at the discretion of the Percona Security and Managerial teams, rewards will vary from swag to monetary rewards where deemed appropriate.