
SingleStore
External Program
Submit bugs directly to this organization
Program guidelines
Gold Standard Safe Harbor: adheres to Gold Standard Safe Harbor. https://docs.hackerone.com/en/articles/8494525-gold-standard-safe-harbor-statement
AI Research Safe Harbor: adheres to AI Research Safe Harbor. https://docs.hackerone.com/en/articles/13376522
Managed by HackerOne
Average time to first response: 1 day, 3 hours
Average time to triage: 4 days
Average time to resolution: 1 month, 2 weeks
Core Ineligible Findings are out of scope. [Learn more](https://docs.hackerone.com/en/articles/8494488-core-ineligible-findings)
Last updated on March 6, 2026. [View changes](/singlestore/policy_versions)
SingleStore is a distributed, relational database with optimized speed and scalability to support data-intensive and real-time applications. SingleStore has two distinct product types:
SingleStore Helios is our DBaaS offering enabling customers to leverage a real-time data platform designed for all applications, analytics and AI - most items in scope of this program relate to this product offering;
SingleStore Self-Managed for customers who intend to run our licensed database software on their own infrastructure.
More information about SingleStore and our products can be found on our website (https://singlestore.com/) and in our documentation (https://docs.singlestore.com/).
At SingleStore we appreciate the efforts and transparency of the security research community in responsibly disclosing vulnerabilities that may have slipped past us during our software development security practices. Should you find a vulnerability in one of our systems, we would prefer to hear about it as soon as possible so that we can perform our due diligence to protect our users, customers and businesses.
Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.
Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).
When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug.
Please provide detailed reports with reproducible steps and any additional information or artifacts (such as screenshots and screen recordings) necessary for us to triage the finding correctly. If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.
Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
When duplicates occur, we only triage the first report that was received (provided that it can be fully reproduced).
Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.
Submitted reports containing verbatim output of automated security scans (e.g. Burp Suite, Nessus) will be disregarded.
Make a good faith effort to uphold applicable laws and regulations, avoid privacy violations, destruction of data, and interruption or degradation of our service and user experience.
Only interact with accounts you own or with explicit permission of the account holder.
SingleStore does not provide any type of user credentials nor will we provision accounts for security researchers. Regardless, you are encouraged to sign up your own user accounts during testing for in-scope assets that allow user enrolment (see Testing section below).
The following activities are expressly prohibited:
Carrying out testing on any customer workspace(s), cluster(s), or any other service that is clearly attached to a customer's tenant or organization(s).
Attempting to compromise or actually compromising in any way or form another user's account. Once again, please only interact with accounts you own or have explicit permission to leverage for testing.
Social engineering activities (e.g. phishing, vishing, smishing).
Physical attacks against SingleStore's employees, contractors, our premises, or any of our service providers.
Knowingly sharing any type of malware with SingleStore or its employees.
Carrying out any illegal, unethical or harmful practices on or through our platform, including but not limited to cryptomining, storing malicious content, illicit data or data meant to be used for illicit purposes, and similar type of activities.
As part of your testing efforts, please add HackerOne identifiers in headers, usernames and emails whenever applicable, i.e.:
Adding the header X-HackerOne-Research: [H1 username] to HTTP requests;
Using your HackerOne email alias, [H1 username]@wearehackerone.com;
Using usernames prefixed or suffixed by clear identifiers, e.g. user1-hackerone, user2-h1.
Please also avoid using Intercom's chat features available on our website or within the SingleStore Portal when testing. These channels connect directly to our internal support teams, and test-related activity in these environments may generate unnecessary noise and disrupt normal operations.
You can self-register a SingleStore Helios account through https://portal.singlestore.com/: either click "Sign Up" and fill in the required fields, or use one of the social login buttons (Google or Microsoft). Once that's done, you can sign in to the Portal and access your newly created organization, from which you can invite additional users, spin up workspaces and database clusters, and experiment with features such as SingleStore Notebooks and SingleStore Kai.
Note that your user account in Portal will not work for the [administrative SingleStore Portal](https://portal.singlestore.com/admin) (and it is not meant to).
Please refer to our [Security Administration Docs](https://docs.singlestore.com/cloud/security/administration/) for steps on how to manage users for organizations and database clusters.
For testing SingleStore's Management API (api.singlestore.com), you will need to generate an API key - you can do so through https://portal.singlestore.com/. For detailed instructions refer to our [Management API Docs](https://docs.singlestore.com/cloud/reference/management-api/).
Note that our product features a serverless platform for running containerized workloads, accessible within Portal. While this is a product feature on which we're certainly interested in getting feedback from the ethical hacker community about its security maturity, we ask that you first read through [SingleStore Aura's documentation](https://docs.singlestore.com/cloud/aura-container-service/) before submitting reports, so that you understand the context around this feature and minimize the number of reported false positives.
SingleStore provides pre-built SingleStoreDB server images for customers deploying self-managed environments. These images are made available on DockerHub: https://hub.docker.com/r/memsql/node
For development and testing purposes, a separate image is available without commercial licensing restrictions: https://github.com/singlestore-labs/singlestoredb-dev-image
By using SingleStore Self-Managed software, you agree to the applicable Free/Trial License Terms. For full details, please refer to: https://www.singlestore.com/legal/
Additional information and alternative installation methods for self-managed deployments are available in the official documentation: https://docs.singlestore.com/db/v9.0/deploy.
Please take note of the following rules for Self-Managed Testing:
Reports must be reproduced against the latest available patch version of the currently supported SingleStoreDB release;
Vulnerabilities affecting third-party components must demonstrate a direct and realistic impact on SingleStoreDB, rather than reporting generic CVEs present in underlying dependencies.
SingleStore will make a best effort to meet the following response targets for hackers participating in our program:
| Type of Response | Target in business days |
| --- | --- |
| First Response | 2 days |
| Time to Triage | 10 days |
| Time to Resolution | depends on severity and complexity |
We’ll try to keep you informed about our progress throughout the process.
This program may sporadically accept submissions for assets that are not listed as explicitly in scope depending on their severity and complexity.
The following issues are considered out of scope for this program:
Clickjacking on pages with no sensitive actions;
Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions;
Attacks requiring MITM or physical access to a user's device;
Previously known vulnerable libraries without a working Proof of Concept;
Comma Separated Values (CSV) injection without demonstrating a vulnerability;
Missing best practices in SSL/TLS configuration;
Any activity that could lead to the disruption of our service (DoS);
Rate limiting or bruteforce issues on non-authentication endpoints;
Missing best practices in Content Security Policy;
Missing HttpOnly or Secure flags on cookies;
Configuration of or missing security headers;
Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.);
Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version];
Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors);
Tabnabbing;
Issues that require unlikely user interaction;
Improper logout functionality and improper session timeout;
CORS misconfiguration without an exploitation scenario;
Broken link hijacking;
Lack of SSL Pinning;
Open redirect - unless an additional security impact can be demonstrated.
In addition to the above, the following list of exclusions applies for SingleStore Self-Managed testing:
Vulnerabilities that only affect end-of-life (EOL) or unsupported versions of SingleStoreDB (see https://docs.singlestore.com/db/v9.0/support/singlestore-software-end-of-life-eol-policy/);
Vulnerabilities that affect older patch versions but are fixed in the latest supported release;
Reports of publicly known CVEs that have already been addressed in current releases;
Issues that require unrealistic attack conditions or privileged internal access not available to customers;
Security issues arising from user-controlled configuration, deployment, or operational practices. Reports must demonstrate a vulnerability in SingleStoreDB itself, not an issue caused by insecure or non-recommended configuration choices;
Vulnerabilities specific to the development or testing container image provided at https://github.com/singlestore-labs/singlestoredb-dev-image. This image is provided for development and testing convenience and may include additional utilities, debugging tools, or a base OS that is not hardened for production use.
Thank you for helping keep SingleStore, our product, customers and userbase safe!
SingleStore
http://singlestore.com
https://x.com/singlestoredb
SingleStore (formerly MemSQL) is a proprietary, cloud-native database designed for data-intensive applications.
Vulnerability Disclosure Program launched in Jul 2025
Response efficiency: 88%
Reports received (last 90 days): 25
Last report resolved: a month ago
Reports resolved: 32
Hackers thanked: 35
Assets in scope: 18
© HackerOne