From d3f275d0c5345529b890bac701cde11e26750e78 Mon Sep 17 00:00:00 2001 From: Josh Earlenbaugh Date: Thu, 7 May 2026 13:53:57 -0400 Subject: [PATCH 1/5] Revert "Revert "docs(RMT-2581): Clarify VDP reward policy and eligibility"" --- .../vulnerability-disclosure-policy.mdx | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/advocacy_docs/security/vulnerability-disclosure-policy.mdx b/advocacy_docs/security/vulnerability-disclosure-policy.mdx index a6aa4f3dc1..32ff29c447 100644 --- a/advocacy_docs/security/vulnerability-disclosure-policy.mdx +++ b/advocacy_docs/security/vulnerability-disclosure-policy.mdx 
@@ -57,6 +57,17 @@ Please do not share information about the vulnerability with others until we hav While we don't have a formal bug bounty program, we recognize and appreciate the valuable role that security researchers play in the discovery and mitigation of vulnerabilities. EnterpriseDB may, at its own discretion, provide rewards for the disclosure of previously unknown vulnerabilities, depending on their severity and impact. +A vulnerability is considered "previously unknown" if EDB is not already aware of it through its internal vulnerability management processes, public disclosures (including, but not limited to, assigned CVEs), or prior reports. We continuously monitor public vulnerability disclosures and run internal scanning and remediation processes against our products and infrastructure. Reports describing issues that EDB is already tracking and working to remediate through these processes will be acknowledged with appreciation, but may be marked as duplicates and are not eligible for rewards. + +### Eligibility + +We welcome reports from anyone who believes they have identified a vulnerability impacting EnterpriseDB, including current and former employees, contractors, customers, partners, and members of the wider security and PostgreSQL communities. Safe harbor under this policy applies to all good-faith submissions, regardless of the reporter's relationship to EDB. + +Reward eligibility, however, is more limited: + +* Current EDB employees and contractors are not eligible to receive rewards for vulnerabilities discovered in the course of, or as a result of, their work for EDB. +* Former EDB employees and contractors are eligible to participate, subject to the same discretion EDB applies to all submissions. EDB reserves the right to decline rewards in cases where there is reason to believe a submission was made in bad faith, relies on non-public information obtained during prior employment, or otherwise represents an abuse of the program. 
+ To be eligible for any reward, EDB may require to you provide your full legal name, address and/or email address. By participating in our program and accepting any reward, if applicable, you confirm that doing so does not violate your employer's policies or any applicable laws including those relating to anti-corruption, and you also confirm that you are not a government official. The only form of payment for any determined rewards will be amazon.com gift cards. Any other forms of payment, including (but not limited to) PayPal, other Amazon domains (amazon.ca, amazon.in, etc.) are not available and will not be used. @@ -122,5 +133,13 @@ Please note that this policy may be updated from time to time. Please refer to t 1.2 + + May 7, 2026 + + Clarify reward eligibility for current and former employees, and clarify treatment of vulnerabilities already known to EDB + + 1.3 + + From 8f2856ed2221cf6ef2d46e5a34ce83b0d1fd701e Mon Sep 17 00:00:00 2001 From: Nick Salvemini Date: Tue, 12 May 2026 19:54:23 -0400 Subject: [PATCH 2/5] one more change --- advocacy_docs/security/vulnerability-disclosure-policy.mdx | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/advocacy_docs/security/vulnerability-disclosure-policy.mdx b/advocacy_docs/security/vulnerability-disclosure-policy.mdx index 32ff29c447..a65f6cccce 100644 --- a/advocacy_docs/security/vulnerability-disclosure-policy.mdx +++ b/advocacy_docs/security/vulnerability-disclosure-policy.mdx 
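Review bot: in the @@ -57,6 hunk of patch 1/5, the added eligibility line has transposed words: "EDB may require to you provide your full legal name" should read "EDB may require you to provide your full legal name". Two smaller points in the same hunk: the new definition of "previously unknown" lists "prior reports" as a disqualifier, which implies a first-reporter rule, so it is worth saying explicitly that when the same issue is reported by more than one external party only the first complete report is reward-eligible; and the duplicate sentence ("may be marked as duplicates and are not eligible for rewards") would be clearer if it said who is told and when, since the Eligibility section below it promises acknowledgement but not a duplicate notice.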
@@ -68,7 +68,7 @@ Reward eligibility, however, is more limited: * Current EDB employees and contractors are not eligible to receive rewards for vulnerabilities discovered in the course of, or as a result of, their work for EDB. * Former EDB employees and contractors are eligible to participate, subject to the same discretion EDB applies to all submissions. EDB reserves the right to decline rewards in cases where there is reason to believe a submission was made in bad faith, relies on non-public information obtained during prior employment, or otherwise represents an abuse of the program. -To be eligible for any reward, EDB may require to you provide your full legal name, address and/or email address. By participating in our program and accepting any reward, if applicable, you confirm that doing so does not violate your employer's policies or any applicable laws including those relating to anti-corruption, and you also confirm that you are not a government official. +To be eligible for any reward, EDB may require to you provide your full legal name, address and/or email address. By participating in our program and accepting any reward, if applicable, you confirm that doing so does not violate your employer's policies or any applicable laws including those relating to anti-corruption, and you also confirm that you are not a government official. The only form of payment for any determined rewards will be amazon.com gift cards. Any other forms of payment, including (but not limited to) PayPal, other Amazon domains (amazon.ca, amazon.in, etc.) are not available and will not be used. 
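Review bot: in the @@ -68,7 hunk of patch 2/5 the removed and added lines are textually identical, so this is a whitespace-only change, and it leaves the "may require to you provide" error in place. Since the line is being rewritten anyway, fix it to "may require you to provide" here, and record the whitespace cleanup in the commit message rather than "one more change" so the next reader of the history does not have to diff the two lines character by character.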
@@ -89,6 +89,8 @@ The following types of attacks are out of scope and are not eligible for a rewar * Cross-Site Request Forgery (CSRF) on unauthenticated forms, or forms with no sensitive actions * Clickjacking on pages with no sensitive actions * Vulnerabilities that only affect users of outdated or unpatched software or services +* Vulnerabilities that have been discovered or assigned a CVE ID recently enough that they are still within our SLAs + - These are acceptable to submit, but we will not pay bounties or rewards on reports which we can reasonably assume we would have soon discovered via our internal processes Thank you for helping to keep [EnterpriseDB](https://www.enterprisedb.com/) and our customers safe! From c0feeb16dc42f949175111d313682ad0816cb3cc Mon Sep 17 00:00:00 2001 From: Nick Salvemini Date: Wed, 13 May 2026 10:40:49 -0400 Subject: [PATCH 3/5] one more tiny change 2 --- advocacy_docs/security/vulnerability-disclosure-policy.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/advocacy_docs/security/vulnerability-disclosure-policy.mdx b/advocacy_docs/security/vulnerability-disclosure-policy.mdx index a65f6cccce..6acf22fb51 100644 --- a/advocacy_docs/security/vulnerability-disclosure-policy.mdx +++ b/advocacy_docs/security/vulnerability-disclosure-policy.mdx @@ -20,7 +20,7 @@ This policy outlines the procedure for external security researchers, customers, ## Reporting vulnerabilities -If you have identified a potential security vulnerability, please notify us at [disclosures@enterprisedb.com](mailto:disclosures@enterprisedb.com). +If you have identified a potential security vulnerability, please notify us at [disclosures@enterprisedb.com](mailto:disclosures@enterprisedb.com). Please limit to one report per email. The following should be included in your message: From 213c3b802bed7905a5652c39ad668b24189c2849 Mon Sep 17 00:00:00 2001 
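Review bot: in the @@ -89,6 hunk of patch 2/5 the new bullet "still within our SLAs" uses an acronym the page never expands and gives the reporter no link to where the severity-based remediation timelines are published, so an outside researcher cannot tell whether a given CVE falls inside the window. The sub-bullet also says "we will not pay bounties or rewards", while the same page states there is no formal bug bounty program; use "rewards" consistently. Stylistically the sub-bullet uses "-" as its marker where the rest of the list uses "*", and "which we can reasonably assume we would have soon discovered" is a judgement call the reporter cannot check; tying it to the "previously unknown" definition added earlier (already tracked through EDB's internal scanning and remediation processes) would make the two sections agree.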
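Review bot: in the @@ -20,7 hunk of patch 3/5 the added sentence "Please limit to one report per email." is missing its object; suggest "Please send one vulnerability report per email." It would also help to say what happens to an email that bundles several issues (for example, that it may be triaged as a single report), since that affects reward eligibility under the rules added in patch 1/5.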
From: Nick Salvemini Date: Wed, 13 May 2026 11:09:02 -0400 Subject: [PATCH 4/5] one more tiny change 3 --- advocacy_docs/security/vulnerability-disclosure-policy.mdx | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/advocacy_docs/security/vulnerability-disclosure-policy.mdx b/advocacy_docs/security/vulnerability-disclosure-policy.mdx index 6acf22fb51..04bbbf4084 100644 --- a/advocacy_docs/security/vulnerability-disclosure-policy.mdx +++ b/advocacy_docs/security/vulnerability-disclosure-policy.mdx @@ -89,8 +89,8 @@ The following types of attacks are out of scope and are not eligible for a rewar * Cross-Site Request Forgery (CSRF) on unauthenticated forms, or forms with no sensitive actions * Clickjacking on pages with no sensitive actions * Vulnerabilities that only affect users of outdated or unpatched software or services -* Vulnerabilities that have been discovered or assigned a CVE ID recently enough that they are still within our SLAs - - These are acceptable to submit, but we will not pay bounties or rewards on reports which we can reasonably assume we would have soon discovered via our internal processes +* Vulnerabilities that have been discovered or assigned a CVE ID recently enough that they are still within our severity-based service level agreements + - These are acceptable to submit, but we will not pay bounties or rewards on reports of new vulnerabilities which we can reasonably assume we would have soon discovered via our internal processes Thank you for helping to keep [EnterpriseDB](https://www.enterprisedb.com/) and our customers safe! From 547b937b71e46d7e36a4773370f176aaf549e7c7 Mon Sep 17 00:00:00 2001 From: Nick Salvemini Date: Tue, 19 May 2026 14:01:49 -0400 Subject: [PATCH 5/5] jaime edit --- advocacy_docs/security/vulnerability-disclosure-policy.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
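Review bot: in the @@ -89,8 hunk of patch 4/5, expanding "SLAs" to "severity-based service level agreements" is an improvement, but the rewritten sub-bullet now refers to "reports of new vulnerabilities" under a parent bullet that covers vulnerabilities already "discovered or assigned a CVE ID", so the two lines disagree on whether the issue is new or already known. Keep the parent bullet for known issues inside the remediation window, and if the intent is also to exclude new findings that internal processes would have caught shortly, make that a separate top-level bullet. The text still gives no link to where the severity-based service levels are defined.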
diff --git a/advocacy_docs/security/vulnerability-disclosure-policy.mdx b/advocacy_docs/security/vulnerability-disclosure-policy.mdx index 04bbbf4084..00a59140bc 100644 --- a/advocacy_docs/security/vulnerability-disclosure-policy.mdx +++ b/advocacy_docs/security/vulnerability-disclosure-policy.mdx @@ -90,7 +90,7 @@ The following types of attacks are out of scope and are not eligible for a rewar * Clickjacking on pages with no sensitive actions * Vulnerabilities that only affect users of outdated or unpatched software or services * Vulnerabilities that have been discovered or assigned a CVE ID recently enough that they are still within our severity-based service level agreements - - These are acceptable to submit, but we will not pay bounties or rewards on reports of new vulnerabilities which we can reasonably assume we would have soon discovered via our internal processes + - While such submissions are welcome, we do not provide bounties or rewards for vulnerabilities that are identifiable through commodity scanners or internal tooling already in use by EDB Thank you for helping to keep [EnterpriseDB](https://www.enterprisedb.com/) and our customers safe!
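Review bot: in the @@ -90,7 hunk of patch 5/5 the rewritten sub-bullet ("identifiable through commodity scanners or internal tooling already in use by EDB") introduces a different exclusion from its parent bullet (a recently assigned CVE within the service-level window), so as a nested item it reads as an explanation of the parent when it is actually a second criterion; promote it to its own "*" bullet. "Commodity scanners" is undefined for a reporter, and "internal tooling already in use by EDB" cannot be verified from outside, so state the class of tooling meant (for example, automated vulnerability and dependency scanners) or point back to the "previously unknown" definition, which already covers issues tracked through EDB's internal scanning. Finally, the version history added in patch 1/5 still records only the May 7, 2026 entry (1.3); the one-report-per-email instruction from patch 3/5 and this new out-of-scope bullet should get a row, or the 1.3 entry should be updated to cover them.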