25 changes: 23 additions & 2 deletions advocacy_docs/security/vulnerability-disclosure-policy.mdx
@@ -20,7 +20,7 @@ This policy outlines the procedure for external security researchers, customers,

## Reporting vulnerabilities

If you have identified a potential security vulnerability, please notify us at [disclosures@enterprisedb.com](mailto:disclosures@enterprisedb.com).
If you have identified a potential security vulnerability, please notify us at [disclosures@enterprisedb.com](mailto:disclosures@enterprisedb.com). Please limit to one report per email.

The following should be included in your message:

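Review bot: "one report per email" leaves it open whether a report means one vulnerability or one message, and the new sentence repeats "Please" straight after "please notify us". Consider a single sentence such as "please notify us at ... and describe one vulnerability per email", which also matches the duplicate handling introduced later in this change, where each report is assessed on its own.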
@@ -57,7 +57,18 @@ Please do not share information about the vulnerability with others until we hav

While we don't have a formal bug bounty program, we recognize and appreciate the valuable role that security researchers play in the discovery and mitigation of vulnerabilities. EnterpriseDB may, at its own discretion, provide rewards for the disclosure of previously unknown vulnerabilities, depending on their severity and impact.

To be eligible for any reward, EDB may require to you provide your full legal name, address and/or email address. By participating in our program and accepting any reward, if applicable, you confirm that doing so does not violate your employer's policies or any applicable laws including those relating to anti-corruption, and you also confirm that you are not a government official.
A vulnerability is considered "previously unknown" if EDB is not already aware of it through its internal vulnerability management processes, public disclosures (including, but not limited to, assigned CVEs), or prior reports. We continuously monitor public vulnerability disclosures and run internal scanning and remediation processes against our products and infrastructure. Reports describing issues that EDB is already tracking and working to remediate through these processes will be acknowledged with appreciation, but may be marked as duplicates and are not eligible for rewards.

### Eligibility

We welcome reports from anyone who believes they have identified a vulnerability impacting EnterpriseDB, including current and former employees, contractors, customers, partners, and members of the wider security and PostgreSQL communities. Safe harbor under this policy applies to all good-faith submissions, regardless of the reporter's relationship to EDB.

Reward eligibility, however, is more limited:

* Current EDB employees and contractors are not eligible to receive rewards for vulnerabilities discovered in the course of, or as a result of, their work for EDB.
* Former EDB employees and contractors are eligible to participate, subject to the same discretion EDB applies to all submissions. EDB reserves the right to decline rewards in cases where there is reason to believe a submission was made in bad faith, relies on non-public information obtained during prior employment, or otherwise represents an abuse of the program.

To be eligible for any reward, EDB may require to you provide your full legal name, address and/or email address. By participating in our program and accepting any reward, if applicable, you confirm that doing so does not violate your employer's policies or any applicable laws including those relating to anti-corruption, and you also confirm that you are not a government official.

The only form of payment for any determined rewards will be amazon.com gift cards. Any other forms of payment, including (but not limited to) PayPal, other Amazon domains (amazon.ca, amazon.in, etc.) are not available and will not be used.

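Review bot: the moved sentence "EDB may require to you provide your full legal name" carries a word-order error ("require you to provide") that should be fixed while the line is being touched. In the new "previously unknown" paragraph, "may be marked as duplicates and are not eligible for rewards" is inconsistent (marking is optional, ineligibility is absolute); say plainly that such reports are not eligible, and state which report wins when two researchers send the same finding (for example, the earliest report received). The employee bullet also only excludes findings made "in the course of, or as a result of, their work for EDB", which implicitly allows current employees to claim rewards for findings made outside work; if that is intended, say so explicitly rather than leaving it to inference.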
@@ -78,6 +89,8 @@ The following types of attacks are out of scope and are not eligible for a rewar
* Cross-Site Request Forgery (CSRF) on unauthenticated forms, or forms with no sensitive actions
* Clickjacking on pages with no sensitive actions
* Vulnerabilities that only affect users of outdated or unpatched software or services
* Vulnerabilities that have been discovered or assigned a CVE ID recently enough that they are still within our severity-based service level agreements
- While such submissions are welcome, we do not provide bounties or rewards for vulnerabilities that are identifiable through commodity scanners or internal tooling already in use by EDB


Thank you for helping to keep [EnterpriseDB](https://www.enterprisedb.com/) and our customers safe!
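Review bot: the second new item uses a "-" marker where every other item in the list uses "*", and it is written as a sub-point of the recent-CVE bullet although it describes a separate exclusion (findings identifiable through commodity scanners or existing internal tooling). Promote it to its own "*" item so it renders as a peer of the other out-of-scope categories. The recent-CVE bullet also refers to "our severity-based service level agreements" without pointing to where those timelines are published, so a reporter cannot tell from this page whether a given CVE is still inside the window; a link to the remediation timelines would close that gap.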
@@ -122,5 +135,13 @@ Please note that this policy may be updated from time to time. Please refer to t
<td>1.2
</td>
</tr>
<tr>
<td>May 7, 2026
</td>
<td>Clarify reward eligibility for current and former employees, and clarify treatment of vulnerabilities already known to EDB
</td>
<td>1.3
</td>
</tr>
</table>

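Review bot: the 1.3 changelog entry only names the employee-eligibility and already-known-vulnerability clarifications, but this change also adds the "one report per email" request and two new out-of-scope items (recently assigned CVEs within SLA, and findings identifiable through commodity scanners). List those in the description as well so the version history reflects the full set of changes.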