Addressing Security Vulnerabilities

Coordinated Disclosure

Welcome to MongoDB's Vulnerability Disclosure Policy! If you believe you have discovered a security vulnerability in MongoDB products or have experienced a security incident related to MongoDB products, please report the issue to aid in its resolution. Below, you will be able to find further information regarding submitting a security bug and our Hall of Fame.

While we greatly appreciate community reports regarding security issues, at this time MongoDB does not provide monetary compensation for vulnerability reports.

Please note we have recently revamped our policy so if you have submitted a report with us before, please use this new format.

Product and Services

Any security bugs or vulnerabilities that can be successfully shown to compromise the CIA (confidentiality, integrity or availability) of information relating to our clients and our secrets will be considered for compensation.

Security bugs or vulnerabilities found on all MongoDB products and tools may be reported via the submission form. Please refer to the Security related information and configuration guidance below before submitting a new vulnerability.

MongoDB

• Security configuration
• Alerts / CVEs

MongoDB Cloud Manager

• Terms of Service
• Alerts
• Administration

Privacy

See our Legal Notices for Terms of Service and Privacy Policy.

Out of Scope

Non-qualifying security vulnerabilities include:

• Ability to create external links
• Brute-force attack
• Clickjacking on static website
• Client-Side Enforcement of Server-Side Security
• Content injection
• Cross-site tracing without endpoints vulnerable to XSS
• CSRF with minimal security implications i.e.
  • CSRF on logout
• CSV injection
• Disclosure of robots.txt file
• Email spoofing
• Error message
• Good practice settings:
  • CSP uses unsafe-inline
  • Missing Certificate Authority Authorization Rule
  • Missing HSTS
  • Missing security headers
  • No X-Frame Options Header on developer.mongodb.com
  • Open redirect using Host header
• GMap API key leaked
• IDN homograph attack
• JavaScript error
• No rate limiting i.e.
  • Missing Rate Limit for Current Password field
• Non-sensitive file disclosure
• Open Jenkins Instance (Permission Misconfiguration)
• Public jira tickets unless there is significant PII or confidential data accidentally posted
• Reverse tabnabbing
• SCRAM-SHA1 authentication mechanism's login credentials disclosure
• Self Denial of Service
• SPF record configuration on 10gen.com or mongodb.com
• Server version disclosure
• Specific HTTP method enabled
• Weak password policy
• Weak SSL/TLS ciphersuites that serve our out-of-date browsers and users

Any reports with these security vulnerabilities will be automatically rejected and not considered.

Privacy

See our Legal Notices for Terms of Service and Privacy Policy.

Disclosure

MongoDB, Inc. requests that you do not publicly disclose any information regarding the vulnerability or exploit the issue until it has had the opportunity to analyze the vulnerability, to respond to the notification, and to notify key users, customers, and partners.

The amount of time required to validate a reported vulnerability depends on the complexity and severity of the issue. MongoDB, Inc. takes all required security vulnerabilities very seriously and will always ensure that there is a clear and open channel of communication with the reporter. After validating an issue, MongoDB, Inc. coordinates public disclosure of the issue with the reporter in a mutually agreed timeframe and format.

Contact

For support, use our support contacts.