Create a Vulnerability Report

If you believe you have discovered a vulnerability in MongoDB or have experienced a security incident related to MongoDB, please report the issue to aid in its resolution.

To report an issue, we strongly suggest filing a ticket in the SECURITY project in JIRA. MongoDB, Inc. responds to vulnerability notifications within 48 hours.

Create the Report in JIRA

Submit a Ticket in the Security project on our JIRA. The ticket number will become the reference identification for the issue for its lifetime. You can use this identifier for tracking purposes.

Information to Provide

All vulnerability reports should contain as much information as possible so MongoDB's developers can move quickly to resolve the issue. In particular, please include the following:

  • The name of the product.
  • Common Vulnerability information, if applicable, including:
      • CVSS (Common Vulnerability Scoring System) Score.
      • CVE (Common Vulnerabilities and Exposures) Identifier.
  • Contact information, including an email address and/or phone number, if applicable.

Send the Report via Email

While JIRA is the preferred reporting method, you may also report vulnerabilities via email to security@mongodb.com.

You may encrypt email using MongoDB's public key at https://docs.mongodb.com/10gen-security-gpg-key.asc.

MongoDB, Inc. responds to vulnerability reports sent via email with a response email that contains a reference number for a JIRA ticket posted to the SECURITY project.

Evaluation of a Vulnerability Report

MongoDB, Inc. validates all submitted vulnerabilities and uses JIRA to track all communications regarding a vulnerability, including requests for clarification or additional information. If needed, MongoDB representatives set up a conference call to exchange information regarding the vulnerability.

Disclosure

MongoDB, Inc. requests that you do not publicly disclose any information regarding the vulnerability or exploit the issue until it has had the opportunity to analyze the vulnerability, to respond to the notification, and to notify key users, customers, and partners.

The amount of time required to validate a reported vulnerability depends on the complexity and severity of the issue. MongoDB, Inc. takes all reported vulnerabilities very seriously and will always ensure that there is a clear and open channel of communication with the reporter.

After validating an issue, MongoDB, Inc. coordinates public disclosure of the issue with the reporter in a mutually agreed timeframe and format. If required or requested, the reporter of a vulnerability will receive credit in the published security bulletin.