From e15847c83ae9fe67f62f08a238323bd4ed396074 Mon Sep 17 00:00:00 2001 From: "David E. Wheeler" Date: Wed, 17 Dec 2025 13:48:02 -0500 Subject: [PATCH] Add security policy --- SECURITY.md | 79 +++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 79 insertions(+) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..d1205d2 --- /dev/null +++ b/SECURITY.md 
@@ -0,0 +1,79 @@ +# pg_clickhouse Security Vulnerability Response Policy + +## Security Change Log and Support + +Details regarding security fixes are publicly reported in the [changelog]. + +## Reporting a Vulnerability + +We're extremely grateful for security researchers and users that report +vulnerabilities to the pg_clickhouse Open Source Community. All reports are +thoroughly investigated by developers. + +To report a potential vulnerability in pg_clickhouse please send the details +about it through our public bug bounty program hosted by and be rewarded for +it as per the program scope and rules of engagement. + +### When Should I Report a Vulnerability? + +* You think you discovered a potential security vulnerability in pg_clickhouse +* You are unsure how a vulnerability affects pg_clickhouse + +### When Should I NOT Report a Vulnerability? + +* You need help tuning pg_clickhouse components for security +* You need help applying security related updates +* Your issue is not security related + +## Security Vulnerability Response + +Each report is acknowledged and analyzed by pg_clickhouse maintainers within 5 +working days. As the security issue moves from triage, to identified fix, to +release planning we will keep the reporter updated. + +## Public Disclosure Timing + +A public disclosure date is negotiated by the pg_clickhouse maintainers and +the bug submitter. We prefer to fully disclose the bug as soon as possible +once a user mitigation is available. It is reasonable to delay disclosure when +the bug or the fix is not yet fully understood, the solution is not +well-tested, or for vendor coordination. The timeframe for disclosure is from +immediate (especially if it's already publicly known) to 90 days. For a +vulnerability with a straightforward mitigation, we expect the report date to +disclosure date to be on the order of 7 days. 
+ +## Embargo Policy + +Open source users and support customers may subscribe to receive alerts during +the embargo period by visiting the [Trust Center], requesting access, and +subscribing for alerts. Subscribers agree not to make these notifications +public, issue communications, share this information with others, or issue +public patches before the disclosure date. Accidental disclosures must be +reported immediately to trust@clickhouse.com. Failure to follow this policy or +repeated leaks may result in removal from the subscriber list. + +### Participation criteria: + +1. Be a current open source user or support customer with a valid corporate + email domain (no @gmail.com, @azure.com, etc.). +2. Sign up to the pg_clickhouse [Trust Center] +3. Accept the pg_clickhouse Security Vulnerability Response Policy as + outlined above. +4. Subscribe to pg_clickhouse OSS Trust Center alerts. + +### Removal criteria: + +1. Members may be removed for failure to follow this policy or repeated leaks. +2. Members may be removed for bounced messages (mail delivery failure). +3. Members may unsubscribe at any time. + +### Notification process: + +pg_clickhouse will post notifications within the [Trust Center] and notify +subscribers. Subscribers must log in to the Trust Center to download the +notification. The notification will include the timeframe for public +disclosure. + + [changelog]: CHANGELOG.md + [Bugcrowd]: https://bugcrowd.com/clickhouse + [Trust Center]: https://trust.clickhouse.com/?product=pg_clickhouse
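Review bot: The "Reporting a Vulnerability" section is missing the name of the bug bounty host: "please send the details about it through our public bug bounty program hosted by and be rewarded for it" has no program name or link, yet the link definition `[Bugcrowd]: https://bugcrowd.com/clickhouse` at the bottom of the file is never referenced. The sentence should read "hosted by [Bugcrowd]" so that the reference resolves and a reporter actually has somewhere to submit. Since Bugcrowd is the only reporting channel given, consider also listing a direct contact for reporters who cannot use the platform (the file already has trust@clickhouse.com, but only for accidental embargo disclosures). Minor: the "### Participation criteria:", "### Removal criteria:" and "### Notification process:" headings carry trailing colons, unlike the other headings in the file.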