Responsible Disclosure Policy
Effective Date: July 18th, 2023
Keeping customer data secure is of utmost concern at Rockset, and we welcome the help of security researchers in finding and disclosing to us any vulnerabilities in our service.
The responsible disclosure policy is intended for security researchers with the goal of promoting discovery and responsible reporting of security vulnerabilities with the Rockset service and infrastructure.
How to Report
If you are a security researcher and believe you have found a vulnerability in the Rockset service, please email security@rockset.com with the details of suspected or detected vulnerabilities, including steps to reproduce the issue.
How to Test
We ask that during your research, you follow these guidelines:
- Only interact with your own test accounts
- Do not access, modify, or destroy user data you do not own
- Do not execute a denial of service attack, or perform any actions that will degrade our service
- Do not engage in any social engineering (phishing, vishing, spamming, etc.) activities
- Act in good faith to avoid privacy violations
- Do not exploit a vulnerability for any reason other than testing purposes
- Note that the following items are generally considered out of scope and we will not respond to:
  - Missing best practices in Content Security Policy
  - Missing HttpOnly or Secure flags on non-sensitive cookies
  - Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)
Our Promise
Within three (3) business days, we will acknowledge that your report has been received.
To the best of our ability, we will confirm the existence of the vulnerability to you and be as transparent as possible about what steps we are taking.
We will maintain an open dialogue to discuss issues.
At this time, we do not offer rewards or payment for vulnerability reports.
Safe Harbor
When conducting vulnerability research according to this policy, we consider this research to be:
- Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) (and/or similar state laws), and we will not initiate or support legal action against you for accidental, good faith violations of this policy;
- Exempt from the Digital Millennium Copyright Act (DMCA), and we will not bring a claim against you for circumvention of technology controls;
- Exempt from restrictions in our Terms & Conditions that would interfere with conducting security research, and we waive those restrictions on a limited basis for work done under this policy; and
- Lawful, helpful to the overall security of the Internet, and conducted in good faith.
You are expected, as always, to comply with all applicable laws.