
Vulnerability Process

This page describes the vulnerability handling process for IvorySQL.

Vulnerability Response

The IvorySQL community places a high priority on the security of its community edition. The IvorySQL Security Special Interest Group (SIG Security) is responsible for receiving, investigating, and disclosing security vulnerabilities related to the IvorySQL community. We encourage vulnerability researchers and industry organizations to proactively report suspected security vulnerabilities in IvorySQL to the SIG Security team. We aim to promptly respond to, analyze, and resolve every reported security issue or vulnerability.

Because IvorySQL is based on PostgreSQL, vulnerabilities discovered and fixed in PostgreSQL also apply to IvorySQL unless the affected code has been replaced. Our development team continuously monitors PostgreSQL community security information and promptly integrates PostgreSQL vulnerability patches into IvorySQL.

Supported Versions

The vulnerability response process primarily supports the latest release of the IvorySQL community edition and its branch versions.

Vulnerability Handling Process

Each security vulnerability is assigned a designated person for tracking and handling. This coordinator, a member of the IvorySQL SIG Security team, is responsible for overseeing the vulnerability's remediation and disclosure. The end-to-end vulnerability handling process is outlined in the diagram below.

[Figure: vulnerability handling process diagram]

In this document, we focus on three key aspects of the process: vulnerability reporting, vulnerability assessment, and vulnerability disclosure.

Vulnerability Reporting

You can report potential security vulnerabilities in IvorySQL products by emailing the IvorySQL SIG Security team at security@ivorysql.org.

Required Information for Reporting

To facilitate rapid confirmation and verification of a suspected vulnerability, please include at least the following information in your vulnerability report email:

  • Basic Information: Details such as the affected module, conditions triggering the vulnerability, and the impact on the system if successfully exploited.
  • Technical Details: Information including the system configuration, how the vulnerability was identified, a description of the exploit, a proof of concept (PoC), steps to reproduce the issue, etc.
  • Suggested Remediation: Recommendations for fixing the vulnerability.
  • Reporter’s Details: Organization and contact information of the reporter.
  • Disclosure Plan: Any planned disclosure timeline or intentions by the reporter.

Email Response Time

We will respond to suspected security vulnerabilities reported via email within 5 days of receipt and keep the reporter informed of the progress of vulnerability handling.

Vulnerability Severity Assessment

We will assess the severity of vulnerabilities using the Common Vulnerability Scoring System (CVSS) standard and classify them into the following severity levels:

Critical, High, Medium, Low, and None

Vulnerability Disclosure

To protect IvorySQL users, the IvorySQL community strictly limits the distribution of vulnerability information during investigation and remediation and until a security advisory is released. Information is shared only with personnel directly involved in handling the vulnerability. We do not publicly disclose, discuss, or confirm security issues in IvorySQL products before that point, and we ask vulnerability reporters to maintain confidentiality until public disclosure. Once the vulnerability is fixed, the IvorySQL community will publish an announcement through the securityannounce@ivorysql.org mailing list.