Vulnerability Disclosure Policy
Last updated: December 17, 2025
We aim to keep Tiger Data safe for everyone. We appreciate the efforts of security researchers who help keep our systems secure. Publicly disclosing security bugs in a public forum can put everyone in the Tiger Data community at risk, however. Therefore, we ask that people follow the below instructions to report security vulnerabilities. The entire Tiger Data community thanks you!
Authorization and Legal Safe Harbor: We authorize security research and vulnerability disclosure activities conducted in accordance with this policy. At all times, you are expected to act in good faith and comply with this policy. We will not pursue legal action against individuals who:
- Make a good-faith effort to avoid privacy violations, data destruction, and service disruption
- Only access data that is necessary to demonstrate the existence of a vulnerability
- Promptly report vulnerabilities through the channels described below
- Do not publicly disclose vulnerabilities prior to remediation or without our written consent
We consider activities conducted in accordance with this policy to be authorized conduct and will not pursue civil action or initiate a complaint to law enforcement. We may modify this policy at any time, and any modifications will not apply retroactively.
To be clear, this policy does not authorize activities that:
- Intentionally disrupt services or degrade system availability (e.g., denial-of-service attacks)
- Involve social engineering, phishing, or interactions with employees, customers, or vendors
- Require physical access to facilities or devices
- Access, modify, delete, or exfiltrate data belonging to other users
- Use automated scanning in a manner that materially impacts system performance
- Include extortion, ransom demands, or threats tied to vulnerability disclosure
Reporting a Vulnerability
Note: Tiger Data does not currently run a bug bounty program. While we greatly appreciate security researchers who help keep our systems secure, we do not offer monetary rewards for vulnerability reports. We do, however, recognize and appreciate responsible disclosure efforts.
If you find a vulnerability in our software, please email the Tiger Data Security Team at security@tigerdata.com.
For additional contact information and encryption details, please refer to our security.txt file and our security-key.txt file for PGP encryption key information.
Please note that the e-mail address should only be used for reporting undisclosed security vulnerabilities in Tiger Data products and services. Regular bug reports should be submitted as GitHub issues, while other questions around security, compliance, or functionality can be made either through our support (for customers) or community channels.
Submission Requirements
- Reports must be submitted in English
- Reports must include sufficient information to reproduce the issue, including steps to reproduce, affected versions, and potential impact
- Submissions must demonstrate a clear security impact
- Only vulnerabilities in the latest released versions of our products (if applicable) will be considered
- Please check for known issues before submitting. Reports of vulnerabilities that are already known to us or publicly disclosed will not be reviewed
Testing Guidelines
- Testing should not disrupt any Tiger Data services or access data beyond your own test accounts
- Do not perform any testing that could impact the availability or integrity of our systems or customer data
- Only test against systems you own or have explicit permission to test
Response and Disclosure Timeline
We take the security of our systems and customer data very seriously, and are committed to addressing security vulnerabilities in a timely manner. We strive to acknowledge receipt of all reports, and will keep you informed of our progress, evaluation and response to any report as we deem necessary.
Recognition
While we do not offer monetary rewards, we recognize and appreciate the valuable contributions of security researchers. With your permission, we may acknowledge your responsible disclosure efforts through:
- Public acknowledgment in security advisories (if you choose to be credited)
- Inclusion in a security researchers hall of fame or recognition page (if you choose to be credited)
- Direct acknowledgment from our security team
We respect your privacy and will only acknowledge your contribution with your explicit permission. You may choose to remain anonymous if you prefer.
Out of Scope
The following items are considered out of scope for our vulnerability disclosure program. Reports focusing on these areas will not be reviewed.
Network Layer
- SSL/TLS best practices
- DoS/DDoS or any other testing that would impact the operation of our systems
- Lack of rate limit on non-sensitive endpoints and/or brute force attacks
- Open ports that do not lead directly to a vulnerability
Application Server Layer
- Missing HTTP security headers
- Descriptive error messages (e.g. stacktraces, application or server errors)
- Missing cookie flags on non-sensitive cookies
- Logout Cross-Site Request Forgery (logout CSRF)
- OPTIONS/TRACE HTTP method enabled
- Lack of the X-FRAME-OPTIONS header
- The Anti-MIME-Sniffing header X-Content-Type-Options
- Presence/absence of SPF/DMARC records
- Internal IP disclosure
Application Layer
- Clickjacking/UI redressing with no practical security impact
- Presence of application or web browser 'autocomplete' or 'save password' functionality
- Login or Forgot Password page brute force and account lockout not enforced
- Self XSS
- Functional, UI, and UX bugs and spelling mistakes
Rejected Immediately
- Vulnerabilities that require extensive social engineering
- Testing third-party applications or services
- Vulnerabilities only affecting users of outdated or unpatched browsers and platforms