Security: firebolt-db/firebolt-instance-helm

SECURITY.md

Firebolt Responsible Disclosure Security Policy

Reporting a Vulnerability

We prioritize the security of this project and value the role the security research community plays in helping us keep it secure. To ensure efficient handling of security issues, please submit all reports to:

security@firebolt.io

Please DO NOT open public GitHub issues for security vulnerabilities. Reports made through public channels will be closed to protect users, and you will be directed to this policy.

Scope

This security policy applies exclusively to vulnerabilities within this project as distributed in this specific repository.

We are specifically interested in critical vulnerabilities such as:

  • Remote Code Execution (RCE)
  • Bypassing access controls, authentication, or authorization mechanisms
  • Software crashes resulting from memory corruption (e.g., buffer overflows, use-after-free)

Out of Scope

We WILL NOT ACCEPT reports concerning:

  • External projects, downstream dependencies, or third-party services.
  • Vulnerabilities in systems, infrastructure, or websites not directly controlled by this repository.
  • Social engineering, phishing, or physical security vulnerabilities.
  • Denial-of-Service (DoS) vulnerabilities that cannot be demonstrated to significantly impact production systems.
  • Reports based solely on theoretical risks without a working Proof of Concept (PoC).
  • Reports generated by automated scanners (e.g., Nikto, Acunetix) without manual verification and a demonstrated exploit.
  • Vulnerabilities relying on explicitly unsupported or End-of-Life (EOL) configurations/versions.

Requirements for a Valid Report

To help us effectively triage and resolve the issue, your report must include:

  1. Description: A clear and concise description of the vulnerability.
  2. Proof of Concept (PoC): Exact, reproducible steps demonstrating the exploitability. Include specific inputs, observed behavior, and expected behavior.
  3. Impact: A clear explanation of the potential security impact (e.g., data loss, unauthorized access, code execution) and affected systems.
  4. Supporting Data: Crash logs, stack traces, or screenshots that help identify the bug's origin.
  5. Environment: The specific version(s) or commit hash(es) of the code affected.
  6. Remediation (Optional but appreciated): Suggestions on how to fix or mitigate the vulnerability.
  7. Coordinated Disclosure: Confirmation that the vulnerability has not been publicly disclosed and will remain confidential until a fix is released.

Our Response Process

  1. Acknowledgement: We will acknowledge receipt of your report within 5 business days.
  2. Triage: We will assess the report's validity and severity.
  3. Communication: We will communicate our findings. This may include requesting further information, confirming the bug, or explaining if it is out of scope.
  4. Resolution: We will work to patch the vulnerability and provide a timeline for remediation.
  5. Disclosure & Credit: Once a fix is released, we may publicly disclose the vulnerability. If we do, we will credit you for the finding, if you wish.

Legal & Licensing

By submitting a vulnerability report (including any code, patches, proof-of-concept code, or other materials), you acknowledge that your submission is provided under the same license terms that govern this project.

We reserve the right to reject any report that does not comply with this policy.

Personal data submitted as part of a vulnerability report will be processed solely for the purpose of communicating with you and addressing the vulnerability.

Safe Harbor for Security Research

We consider security research and vulnerability disclosure conducted in accordance with this policy to be authorized conduct. We will not initiate legal action or law enforcement investigation against you for activities reasonably necessary to identify and report vulnerabilities in this project, provided you act in good faith and adhere to these guidelines.