
Vulnerability Disclosure Policy

Introduction: Promoting Security and Responsibility

Memgraph is dedicated to the continuous improvement of our open source graph analytics database, prioritizing the safety and security of our customers' data. We recognize that the strength of our software relies on a collective effort between our development team and the wider security community.

We believe that the transparency and collaboration inherent in open source software development provide a robust defense against many threats. To facilitate this, we have established this Vulnerability Disclosure Policy to create a clear framework for responsible disclosure and to encourage the public's assistance in identifying and addressing security vulnerabilities.

This policy outlines our approach to welcoming scrutiny, defining which assets are in scope, providing legal safe harbor, and protecting user privacy. By working together, we can enhance the security of our open source graph database while respecting the privacy of our users.

1. Openness to Responsible Scrutiny

At Memgraph, we take security seriously and we believe that with many eyes, all bugs are shallow. We believe that by working together, we can maintain a safer and more secure environment for all users.

2. Scope of Vulnerability Disclosure

We consider any system or component exposed to the internet as 'in-scope' for vulnerability disclosure. This includes, but is not limited to, our open source graph database software, associated tools, and any online services we provide.

3. Safe Harbor for DMCA and CFAA Purposes

Memgraph is committed to providing a safe harbor for individuals who discover and report vulnerabilities in our systems. We will not pursue legal action under the Digital Millennium Copyright Act (DMCA) or the Computer Fraud and Abuse Act (CFAA) against security researchers who adhere to responsible disclosure practices.

4. Protecting Consumer Privacy

While we encourage responsible disclosure, we also respect user privacy. When reporting a vulnerability, we request that you do not access or share any personal or confidential user data without explicit consent. Any actions that unnecessarily compromise user privacy will not be considered responsible.

How to Report Vulnerabilities

If you discover a potential security vulnerability (either directly or via a bug bounty program), please follow these guidelines:

  • Contact us at security@memgraph.io with a detailed description of the vulnerability.
  • Provide clear and concise steps to reproduce the vulnerability, including any necessary proof-of-concept code or screenshots.
  • We encourage you to encrypt your communications with our PGP key, which can be provided upon request.

Our Commitment

Upon receiving your report, our Information Security team will:

  • Acknowledge the receipt of your report within 3 business days.
  • Investigate and confirm the vulnerability's existence and severity.
  • Work diligently to address the vulnerability and release necessary patches or updates.
  • Keep you informed of our progress and coordinate with you regarding public disclosure, if desired.

Memgraph appreciates the efforts of security researchers in making our open source graph database safer and more reliable. Together, we can enhance the safety and reliability of our product while protecting user privacy. Thank you for your commitment to responsible security practices.

© 2024 Memgraph Ltd. All rights reserved.