Percona Security

This page provides information about the correct and necessary actions to take when security concerns about Percona software arise. Some information applies to Percona customers, some to non-customers using Percona software, and some to both groups.

Reporting a Security Concern to Percona

  • For Percona Customers: Please create a ticket using our customer portal
  • For Non-Customers: You can email [email protected]

Reporting a Security Concern about Percona Open Source Software

  • For Percona Customers: Please create a ticket using our customer portal
  • For Non-Customers: Please create a ticket at https://jira.percona.com

If you have any concerns about the content being sensitive, please report the issue to [email protected].

Regarding CVEs that Affect Percona OSS

Percona open-source software merges upstream code releases. To allow Percona time to integrate enhancements and perform quality assurance testing, there may be a delay between an upstream release and the equivalent Percona release.

Percona naming conventions follow upstream. For example, in Percona Software version 1.2.3-55.0, 1.2.3 is the upstream version the product is equivalent to, and -55.0 denotes the Percona-specific revisions and enhancements against that upstream version.

Responsible Disclosure

Percona operates a Responsible Disclosure program for legitimate reported issues that affect Percona or potentially affect Percona customers or Percona software users.

Scope

  • Percona Open Source Software
  • Percona web properties

Note: See the exclusions below.

Exclusions

We are no longer accepting reports that include the following:

  • Public Content on jira.percona.com / perconadev.atlassian.net: jira.percona.com is our public open-source software bug tracking system. All content is intended to be public on this service. We will no longer accept reports noting public content as a misconfiguration or exposure
  • DMARC, SPF: We are aware of DMARC and SPF and are working towards better implementations of both
  • DNS CNAME Denoting Third-Party SaaS Services: These are not operated by Percona. While we welcome reports of concern, we cannot provide any reward for such reports. Please note the DNS CNAME for the responsible parties

Report Details

Percona requests that your report includes at a minimum the following details for consideration:

  • The target, including a fully qualified domain name, if applicable
  • The vulnerability being reported, including proof of concept exploitation if applicable
  • Core dump/stack traces of the affected issue being exploited if applicable
  • Configuration files/SQL/related scripts and/or details for the affected issue being reported
  • Any system configuration detail that is relevant to the issue being reported
  • Any intended timelines for disclosure

Note: For bounty consideration, you must be open to negotiating timelines where appropriate.

Grounds for Rejection

Percona’s Security Team will make every effort to work with security researchers, provided they comply with the terms above.

Reports received that do not detail the issue or make an attempt to do so may be rejected outright.

The Percona Security Team will make every effort to work with researchers to thoroughly understand the issue being reported, and agree on a timeframe for a fix where applicable.

Percona implements automated email filtering to limit the delivery of spam, malware, etc. To ensure delivery when emailing your report, please include a valid email address to respond to, a subject line, and email body content.

Prohibited Testing

The following testing activities are prohibited under the Responsible Disclosure and Bug Bounty program. Any testing that includes any of the following will result in action being taken to restrict such activity and/or referral to law enforcement agencies where appropriate:

  • Any testing that may cause a service loss for any Percona web property or Percona-operated system (e.g., DoS, DDoS)
  • Any testing that involves the solicitation, extortion, coercion, or exploitation of Percona staff in any way
  • Any testing that involves fuzzing without prior authorization
  • Any testing that would yield unauthorized junk, spam, phishing, or other unsolicited mail
  • Any testing that would involve the upload or distribution of malicious payloads
  • Any testing that originates from territories under U.S. sanctions
  • Any actions prohibited by Percona’s Acceptable Use Policy (see Section 9 of the Terms of Use at https://www.percona.com/terms-use)
  • Any testing of the web properties noted as excluded from scope

Should you have a legitimate test case that might include one of the above, please contact [email protected] detailing your proposed test, expected outcome, and proposed timelines.

Compensation / Bounty

Percona is grateful for any contributions made to the Responsible Disclosure program at Percona.

Percona at this time does not offer an official bounty program. In cases where a report is thought to warrant some reward, the Percona Security and Managerial teams, at their discretion, may provide rewards ranging from swag to monetary compensation where deemed appropriate.

Reporting a Privacy Concern to Percona

Percona is committed to protecting your privacy. You can read our Privacy Policy, including your choices regarding the collection, use, and sharing of your data.