Percona Security

 2 years ago
source link: https://www.percona.com/security

Reporting a privacy concern to Percona

Please review our Privacy Policy here

Reporting a security concern to Percona

If you are a Percona customer, please create a ticket within our customer portal. If you are not a current Percona customer, you can email [email protected] and use our PGP/GPG key to encrypt the contents of the email: F77F601F5DA8C0E5.

Reporting a security concern about Percona Open Source Software

As above, if you are a Percona customer, please create a ticket within our customer portal. If you are a user of Percona software but not a current customer please create a ticket within https://jira.percona.com.

If you have any concerns about the content being sensitive, please instead report the issue to [email protected]. If desired, you may use our PGP/GPG key to encrypt the contents of the email: F77F601F5DA8C0E5.

Regarding CVEs which affect Percona OSS

Percona Open Source Software merges upstream code releases. To allow Percona time to integrate enhancements and perform quality assurance testing, there may be some delay between an upstream release and the equivalent Percona release.

Percona naming conventions follow upstream. For example, Percona software version 1.2.3-55.0 breaks down into 1.2.3, the upstream version the product is equivalent to, and -55.01, the Percona-specific revisions and enhancements against that upstream version.

Responsible disclosure

Percona operates a responsible disclosure program for legitimately reported issues that affect Percona or have the potential to affect Percona customers or Percona software users.

Scope

  • Percona Open Source Software
  • Percona web properties
    • Note exclusions below.

Exclusions

We are no longer accepting reports which include the following:

  • https://jira.percona.com content is public
    jira.percona.com is our public open source software bug tracking system, and all content on this service is intended to be public. We will no longer accept reports claiming that content being public is a misconfiguration or exposure.
  • DMARC, SPF
    We are well aware of DMARC and SPF and are working towards better implementations of both.
  • DNS CNAMEs which front third-party SaaS services
    These are not operated by Percona. Whilst we welcome reports of concern, we are unable to provide any reward for such reports; please instead report the DNS CNAME to the responsible parties.

Report details

Percona requests that your report includes, at a minimum, the following detail for consideration:

  • The target, including fully qualified domain name if applicable.
  • The vulnerability being reported, including proof of concept exploitation if applicable.
  • Core dump / stack traces of the affected issue being exploited, if applicable.
  • Configuration files / SQL / related scripts and/or detail for the affected issue being reported.
  • Any system configuration detail that is relevant to the issue being reported.
  • Any intended timelines for disclosure.
    Note: for bounty consideration you must be open to negotiation of timelines where appropriate.

Grounds for rejection

Percona’s Security Team will make every effort to work with security researchers, provided they comply with the terms above.

Reports received which do not detail the issue, or make no attempt to do so, may be rejected outright.

Percona’s Security Team will make every effort to work with researchers to completely understand the issue being reported and, where applicable, agree on a timeframe for a fix.

Percona implements automated email filtering to limit delivery of spam and malware. When emailing your report, please ensure it includes a valid email address to respond to, a subject, and email body content, so that it is delivered.

Prohibited Testing

The following testing is prohibited under the responsible disclosure and bug bounty program. Any testing which includes any of the following will result in action being taken to restrict such activity and/or referral to law enforcement agencies where appropriate.

  • Any testing which may cause a service loss for any Percona web property or Percona operated system (e.g. DoS, DDoS)
  • Any testing which involves the solicitation, extortion, coercion or exploitation of Percona staff in any way.
  • Any testing which involves fuzzing without prior authorization.
  • Any testing that would yield unauthorized junk, spam, phishing, or other unsolicited mail.
  • Any testing that would involve the upload or distribution of malicious payloads.
  • Any testing which originates from territories under US sanction.
  • Any actions prohibited by Percona’s Acceptable Use Policy; see section 9 of the Terms of Use at https://www.percona.com/terms-use.
  • Any testing of the web properties noted as excluded from scope.

Should you have a legitimate test case which may include one of the above, please contact [email protected], detailing your proposed test, expected outcome, and proposed timelines.

Compensation / Bounty

Percona is grateful for any contributions made to the Responsible Disclosure program at Percona.

Percona does not offer an official bounty program at this time. Where a report is thought to warrant some reward, this will be at the discretion of the Percona Security and Managerial teams; rewards will vary from swag to monetary rewards where deemed appropriate.
