
[Easy Money] ClickHouse Bug Bounty Program #38986

Open
alexey-milovidov opened this issue Jul 7, 2022 · 3 comments
@alexey-milovidov
Member

alexey-milovidov commented Jul 7, 2022

ClickHouse has a bug-bounty program. Apply at https://bugcrowd.com/clickhouse

Note: it is not necessary to use the Bugcrowd service. This is optional and only needed if you need a chance to get a monetary reward. If you just want to report a vulnerability, you can send it to security@clickhouse.com, and we will ensure you get a proper acknowledgment after disclosure. See SECURITY.md for more details.

We want to encourage researchers to find and report security vulnerabilities, stability issues, and bugs in ClickHouse.
The reports are qualified for a bug bounty program if the following conditions are met:

  1. The report should contain a description of the error and step-by-step instructions for reproducing it.
  2. The issue should be reproducible in the latest official release and the latest build from the master branch.
  3. Unmodified source code and binaries have to be used in reproducing scenarios.
  4. The issue should not be already published. If the issue is already found by another researcher, it is not qualified for the bug bounty program.
  5. The issue should be reproducible on the Linux x86_64 platform and should not depend on the Linux kernel version, libc version, or the configuration of the environment (DNS resolvers, SSL certificates, filesystem, block device configuration, etc.). It should not depend on hardware failures.
  6. The issue should be reproducible without the installation of additional software on the machines with clickhouse-server.
  7. If the issue requires the usage of features marked as experimental in the documentation or code or enabling experimental flags (settings, configurations), it is not qualified for the bug bounty program.
  8. The issue should be reproducible with the release builds from the ClickHouse CI infrastructure. Debug and sanitized builds, builds with another compiler, or builds with other compiler options can be used to help find the issues, but are not qualified.
  9. The issue should be related to the clickhouse-server component.

If the issue is not qualified for the bug bounty program, it still should be reported to security@clickhouse.com or publicly on GitHub issues.

The bugs are classified by severity according to the following guidelines:

  • High severity: RCE, write-what-where, reading and exposing uninitialized memory, invalid memory writes (except nullptr dereference), unexpected data corruption or loss, access control bypass (except information leakage in side-channel attacks).
  • Medium severity: invalid read memory access, crash (except OOM), SSRF.
  • Low severity: unexpected resource exhaustion, DoS.

The severity is considered lower if the issue:

  1. Requires a user with write access to the database.
  2. Is related to the code in third-party libraries.
  3. Requires manual modification of the data in the filesystem or in ZooKeeper/Keeper.
  4. Requires interaction with external data sources.
  5. Requires unrealistic configuration changes (corner cases in the server configuration).

The reports are also classified by the level of detail. If finding a bug requires a special testing methodology or tools, we would appreciate it if these are described in the report, so we can improve our infrastructure. If the report covers mitigation guidelines or a fix, it is also appreciated.

@ramazanpolat
Contributor

Sorry for the unrelated question to @alexey-milovidov, but did you use ChatGPT to generate some portion of the above text?

@alexey-milovidov
Member Author

No.

@alexey-milovidov
Member Author

ChatGPT - since November 30, 2022.
ClickHouse Bug Bounty Program - since July 8, 2022.
