Reporting a Security Vulnerability

Reporting a Security Vulnerability

If you believe you have discovered a vulnerability or have experienced a security incident related to Couchbase, please report the issue to us.

To report an issue, we strongly suggest filing a support ticket or opening an issue in JIRA.

Reporting an Issue in JIRA

Submit a request or open a JIRA issue. The ticket number will become the reference identification for the issue for its lifetime. You can use this identifier for tracking purposes.

Providing Information

All vulnerability reports should contain as much information as possible so that our engineers can investigate the issue further. In particular, include the Common Vulnerability information, if applicable, which includes:

  • CVSS (Common Vulnerability Scoring System) Score.
  • CVE (Common Vulnerability and Exposures) Identifier.
  • Contact information, including an email address and phone number, if applicable.

Disclosure

Couchbase, Inc. requests that you do not publicly disclose any information regarding the vulnerability or exploit the issue until Couchbase had the opportunity to analyze the vulnerability, to respond to the notification, and to notify key users, customers, and partners.

The amount of time to validate and resolve a reported vulnerability depends on the complexity and severity of the issue, and whether there are any third party dependencies. Couchbase takes all required vulnerabilities very seriously and will publicize confirmed security vulnerabilities in the announcement forum on the support knowledge base.