Aiven Bug Bounty Program Policy

Aiven look forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.

Please read through the entire policy and take special care regarding the following:

• Use only your @wearehackerone.com email address for registering testing accounts. Do not use any other email addresses such as @gmail.com for security testing.
• If you need help, please reach out via this program or HackerOne support. Do not use the site's support functionality, file tickets, or contact our account management team.

About Aiven

Aiven is a next-generation managed cloud database platform as a service. Its focus is in ease of adoption, high fault resilience, customer's peace of mind and advanced features at competitive price points. See https://aiven.io/ for more information.

Services and Products in Scope

Please sign up for a free trial account and launch any service from the below list. We are most interested in vulnerabilities in the services and our APIs.

List of Aiven services eligible for bounty and available for testing:

• Aiven for Apache Cassandra
• Aiven for Apache Flink (beta)
• Aiven for Clickhouse (beta)
• Aiven for Grafana
• Aiven for InfluxDB
• Aiven for Apache Kafka
• Aiven for Apache Kafka Connect
• Aiven for Apache Kafka Mirrormaker
• Aiven for M3
• Aiven for M3 Aggregator
• Aiven for MySQL
• Aiven for OpenSearch
• Aiven for PostgreSQL
• Aiven for Redis

Out-of-Scope Assets

• Only services you create by yourself - for example, PostgreSQL, Kafka and Grafana - are in-scope. Other services in aivencloud.com domain not created by you are explicitly out of scope, as those are our customers' services.
• Support chat functionality provided by Qualified (or any other provider) on our web site is out of scope.
• The contact us form (https://aiven.io/contact) and embedded versions of this contact us form on other pages are out of scope. You can identify and ignore them based on the src of the iframe (https://go.aiven.io/l/890043/2022-02-15/7dc33?referrer=contact or similar).

Program Rules

• Use only your @wearehackerone.com email address for registering testing accounts. Do not use any other email addresses such as @gmail.com for security testing.
• Only interact with accounts and services you own or with explicit permission of the account holder. Specifically, take note of rules on aivencloud.com domain.
• Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.
• Out of scope: Support chat functionality provided by Intercom on our web site is out of scope for any kind of testing. Please do not contact us using the support chat.
• Social engineering (e.g. phishing, vishing, smishing) is prohibited.
• If you suspect you are disrupting our service with reasonable activity (for example, sending in gigabits/s of traffic is not allowed; sending in reasonable rate of API requests is ok), please stop, and open a report describing what you did and how you observed the disruption.

Report guidelines

• We are interested in real-world vulnerabilities that have material security impact. Theoretical vulnerabilities without a proof of concept are not eligible for reward. The proof of concept has to be specific to (and work on) the Aiven domain or resource your report is about.
• Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, there will be unnecessary delays in processing the issue. Report quality is taken into account when making decisions about reward and disclosure.
• Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
• Do not submit any attachments unless requested by our team. Screenshots are accepted, but videos, binaries and so on are not okay.
• When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).
• Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
• Reports of software versions with known vulnerabilities (e.g. CVE) found on our domains must have a working proof of concept, or they will be marked spam. Vulnerabilities that are not exploitable as deployed on an in-scope domain or service are out of scope.
• Do not submit scanner output. In general, automated tools and scanners won't provide you much help, because we run them ourselves already. If your report consists only of pasted scanner output, we will mark it spam.

Test Plan

Aiven offers 30 day free trial on sign-up with reasonable amount of credits.

• Use only your @wearehackerone.com email address for registering testing accounts. Do not use any other email addresses such as @gmail.com for security testing.
• If you need multiple accounts, you may do so by using [email protected] syntax.
• To request additional credits please reach out to HackerOne Support clearly stating the need.

Please do note, that if you assign other payment method such as your personal credit card to your account, you're liable for all cost of resources and services consumed. The premium plans might incur significant cost for you. Contact us (through Hackerone support) before researching anything where the charges would exceed trial credits.

Resources:

• How to deploy an open source database in 10 minutes
• Devops tooling
• API documentation
• aiven-client: easiest way to use our API
• Service documentation and help

Response Targets

Aiven will make a best effort to meet the following SLAs for hackers participating in our program.

We’ll keep you informed about our progress throughout the process.

Disclosure Policy

Our disclosure policy is open but responsible. Thank you for joining us in supporting ethical disclosure.

• Mutual disclosure policy: you can request disclosure for any closed report in the program. Our security team will contact you and agree if the contents of the report can be made public. We are committed to protect safety of our customers as well as the anonymity of the reporter and methods and tools used.
• Responsible disclosure: we only disclose vulnerabilities that are original, meaningful for the security community and safe to disclose, taking our customers and other users of the open source software components into account. We will redact any confidential, personal or not appropriate information from the report before making it public.
• Please do not discuss any vulnerabilities (even resolved ones) publicly or privately in any details with any party outside of the program without express consent from the Aiven security team.
• Follow HackerOne's disclosure guidelines.

Legal Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered authorised conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

In Scope Vulnerabilities

When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. In general we require a demonstrated security vulnerability - a simple usability issues (for example, entering specific, valid data causes server to respond with 500 Internal Server Error, but no other impact is demonstrated) can be reported, but may not result in a bounty even if we end up fixing the issue.

Out of Scope Vulnerabilities

Thank you for helping keep Aiven Oy and our users safe!