We encourage security researchers and users to share the details of any suspected vulnerabilities with the Liquibase Information Security Team by submitting the relevant information. Liquibase will review the submission to determine if the finding is valid and has not been previously reported. We require submitters to include detailed information with steps for us to reproduce the vulnerability.

If you identify a valid security vulnerability in compliance with this Responsible Disclosure Policy, Liquibase commits to:

• Working with you to understand and validate the issue
• Addressing the risk (if deemed appropriate by Liquibase)

Public disclosure of the submission details of any identified or alleged vulnerability without express written consent from Liquibase will deem the submission as noncompliant with this Responsible Disclosure Policy.

In addition, to remain compliant you are prohibited from:

• Accessing, downloading, or modifying data residing in an account that does not belong to you
• Executing or attempting to execute any “Denial of Service” attack
• Posting, transmitting, uploading, linking to, sending, or storing any malicious software
• Testing in a manner that would result in the sending unsolicited or unauthorized junk mail, spam, pyramid schemes, or other forms of unsolicited messages
• Testing in a manner that would degrade the operation of any Liquibase systems
• Testing third-party applications, websites, or services that integrate with or link to Liquibase systems

While we are happy to receive vulnerability information in any form, we appreciate discrete submission via email to Liquibase's Information Security Team at infosec@liquibase.com with the following details about the security issue.

• Summary title (Help us get an idea of what this vulnerability is about)
• Vulnerability details
  • Description (Describe the vulnerability and its impact)
  • Provide a proof of concept or replication steps
• Submitter’s email

While we greatly appreciate community reports regarding security issues, at this time Liquibase does not provide compensation for vulnerability reports.