Security: percona/percona-backup-mongodb

Reporting security vulnerabilities

Please report any vulnerabilities privately by emailing our security team at security@percona.com. Do not create public Jira issues for security vulnerabilities or disclose details in publicly accessible trackers.

Once a vulnerability has been reported, it should be reviewed, recorded, assigned, and fixed or addressed as appropriate. Severity is based initially on an internal assessment (for example, using CVSS or our internal severity ratings). If a CVE is later assigned, its criticality may inform or adjust this assessment and may be reduced internally with certain compensating controls that mitigate the severity level. The following guidelines apply to ensure that issues are resolved or addressed in some concrete manner:

  1. Critical – immediately, but no later than 14 days;
  2. High – as soon as possible, no later than 30 days;
  3. Medium – within 60 days; and
  4. Low – make best efforts to patch low-rated vulnerabilities within 90 days.

Should you have a legitimate test case that might include one of the above, please contact security@percona.com detailing your proposed test, expected outcome, and proposed timelines.

For details, see Percona Security.

There aren't any published security advisories