Responsible Disclosure


At SingleStore we appreciate the efforts and transparency of the security research community in responsibly disclosing vulnerabilities that may have slipped past us during our software development security practices. Should you find a vulnerability in one of our systems, we would prefer to hear about it as soon as possible so that we can perform our due diligence to protect our users, customers and businesses.

You can find more information on our Responsible Disclosure Program at https://hackerone.com/singlestore.


program-rulesProgram Rules

  • Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.
  • Follow HackerOne's disclosure guidelines.
  • When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug.
  • Please provide detailed reports with reproducible steps and any additional information or artifacts (such as screenshots and screen recordings) necessary for us to triage the finding correctly. If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.
  • Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
  • When duplicates occur, we only triage the first report that was received (provided that it can be fully reproduced).
  • Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.
  • Submitted reports containing verbatim output of automated security scans (e.g. Burp Suite, Nessus) will be disregarded.
  • Make a good faith effort to uphold applicable laws and regulations, avoid privacy violations, destruction of data, and interruption or degradation of our service and user experience.
  • Only interact with accounts you own or with explicit permission of the account holder.
  • SingleStore does not provide any type of user credentials nor will we provision accounts for security researchers. Regardless, you are encouraged to sign up your own user accounts during testing for in-scope assets that allow user enrolment (see Testing section below).

The following activities are expressly prohibited:

  • Carrying out testing on any customer workspace(s), cluster(s), or any other service that's clearly specifically attached to the customer's tenant or organization(s).
  • Attempting to compromise or actually compromising in any way or form another user's account. Once again, please only interact with accounts you own or have explicit permission to leverage for testing.
  • Social engineering activities (e.g. phishing, vishing, smishing).
  • Physical attacks against SingleStore's employees, contractors, our premises, or any of our service providers.
  • Knowingly sharing any type of malware with SingleStore or its employees.
  • Carrying out any illegal, unethical or harmful practices on or through our platform, including but not limited to cryptomining, storing malicious content, illicit data or data meant to be used for illicit purposes, and similar type of activities.

response-targetsResponse Targets

SingleStore will make a best effort to meet the following response targets for hackers participating in our program:

Type of ResponseTarget in business days
First Response2 days
Time to Triage5 days
Time to Resolutiondepends on severity and complexity


out-of-scope-vulnerabilitiesOut of scope vulnerabilities

  • Clickjacking on pages with no sensitive actions;
  • Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions;
  • Attacks requiring MITM or physical access to a user's device;
  • Previously known vulnerable libraries without a working Proof of Concept;
  • Comma Separated Values (CSV) injection without demonstrating a vulnerability;
  • Missing best practices in SSL/TLS configuration;
  • Any activity that could lead to the disruption of our service (DoS);
  • Rate limiting or bruteforce issues on non-authentication endpoints;
  • Missing best practices in Content Security Policy;
  • Missing HttpOnly or Secure flags on cookies;
  • Configuration of or missing security headers;
  • Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.);
  • Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version];
  • Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors);
  • Tabnabbing;
  • Issues that require unlikely user interaction;
  • Improper logout functionality and improper session timeout;
  • CORS misconfiguration without an exploitation scenario;
  • Broken link hijacking;
  • Lack of SSL Pinning;
  • Open redirect - unless an additional security impact can be demonstrated.