---
title: "Vulnerability Reporting"
publish_date: 2020-09-28
updated_date: 2025-04-11
---

# Vulnerability Reporting

*For details on MariaDB’s end-to-end security strategy, visit our [Trust Center](https://staging-mdb.com/trust/).*

### Reporting a Security Concern

**Customers**  
Current MariaDB customers may report a security concern by creating a support case in the [Customer Support Portal](https://support.mariadb.com/).

**Non-Customers**  
Non-customers may report a security concern by emailing <security@mariadb.com>.

**MariaDB Foundation**  
For the MariaDB Foundation’s policy on reporting security concerns, please see [MariaDB Foundation Reporting Procedures](https://hackerone.com/mariadb?type=team).

### Reporting Details

MariaDB asks that the report provide full details of the security concern, including the following information, so that our security team can validate and reproduce the issue:

- The environment (operating system, hardware and MariaDB version, including plugins and storage engines).
- Code affected, along with your explanation of the faulty behavior.
- Configuration, SQL tables, queries and network actions required to reproduce the behavior.
- Core dumps, stack-traces, error logs, data dumps, failed test cases or network packets required to diagnose or reproduce the attack.
- Proof of Concept (PoC) code that successfully triggers/exploits the vulnerability in at least one given scenario.

Vulnerability reports need to be documented in such a way that they can be reproduced, easily understood and classified. Sending more details, including screenshots, code and video, helps us understand the flaw as quickly as possible.

### Our Security Commitment

To all customers and security researchers who follow this MariaDB Vulnerability Reporting Policy, our security team commits to:

- Respond in a timely manner, acknowledging receipt of your report
- Provide an estimated time frame for addressing the vulnerability
- Notify the reporting individual when the vulnerability has been fixed

We take security issues seriously and will endeavor to respond swiftly to fix verifiable security issues.

### Compensation

While we appreciate the work done by independent security researchers, we do not offer compensation for reporting a security vulnerability.