| title | subtitle | date |
|---|---|---|
| Vulnerability disclosure | How and what vulnerabilities to report to PlanetScale. | 2024-02-09 |
PlanetScale is actively seeking vulnerability reports for the following components that make up the product and its Production Environment:
- Dashboard and API: The website hosted at app.planetscale.com, along with the API hosted at api.planetscale.com
- Database Operations: The actions taken within the product to create, branch, backup, and restore databases
- Database Connectivity and Behavior: The process of provisioning a password and issuing SQL statements against a PlanetScale database
- Command-line Interface: The open source command-line interface hosted at planetscale/cli
PlanetScale is not actively seeking the following types of reports:
- Testing software output: Output generated from automated testing software like Burp Suite. These include, but aren't limited to:
  - CSRF on forms that are available to anonymous users or are related to logging out
  - Disclosure of known public files or directories (i.e. `robots.txt`)
  - DNSSEC or other DNS configuration suggestions
  - TLS and security header configuration suggestions
  - Sender Policy Framework (SPF) configuration suggestions
  - Flags on cookies that are not sensitive
- Software version reports: Reports notifying PlanetScale that newer versions of software have been released
If you believe you have discovered a security vulnerability in a PlanetScale product or its Production Environment, please let us know immediately. You can submit your vulnerability findings to security@planetscale.com.
If applicable, please include the following pieces of information in your report:
- Steps to reproduce the vulnerability
- The word "mochi" to acknowledge that you have read these guidelines
- Any relevant software (including versions) used to identify the vulnerability