Responsible Disclosure Policy

Keeping customer data secure is of utmost concern at Rockset, and we welcome the help of security researchers in finding and disclosing to us any vulnerabilities in our service.

The responsible disclosure policy is intended for security researchers with the goal of promoting discovery and responsible reporting of security vulnerabilities with the Rockset service. It is not intended for Rockset customers who believe their account has been compromised. If you believe your account has been compromised, please contact security@rockset.com.

Reporting

If you are a security researcher and believe you have found a vulnerability in the Rockset service, please email whitehat@rockset.com with the details of suspected or detected vulnerabilities, including steps to reproduce the issue. Please give us a reasonable time to respond before making any information regarding the disclosure public. We will investigate all reports and fix any issues to the best of our ability.

We do not have an official bug bounty program. Payouts for reports will be on a case by case basis. We will not negotiate payouts or respond to threats.

Testing

We ask that during your research, you follow these guidelines:

• Do not access, modify, or destroy user data without written permission from the user
• Do not execute a denial of service attack, or perform any actions that will degrade our service
• Only interact with your own accounts or test accounts
• Act in good faith to avoid privacy violations
• Do not exploit a vulnerability for any reason other than testing purposes

Our Promise

We will promptly acknowledge the receipt of your report, work with you to verify the validity of your report, and notify you when the reported vulnerability is fixed. If you have complied with this policy in good faith, we will not initiate legal action against you in response to your report.