Security: fork-archive-hub/avocadodb-rag

SECURITY.md

Security Policy

Supported Versions

We release patches for security vulnerabilities in the following versions:

Version Supported
2.x.x
1.x.x
< 1.0

Reporting a Vulnerability

The AvocadoDB team takes security vulnerabilities seriously. We appreciate your efforts to responsibly disclose your findings.

How to Report

Please DO NOT report security vulnerabilities through public GitHub issues.

Instead, please report security vulnerabilities by email to:

[email protected]

You should receive a response within 48 hours. If for some reason you do not, please follow up via email to ensure we received your original message.

What to Include

Please include the following information in your report to help us better understand the nature and scope of the issue:

  • Type of issue (e.g., buffer overflow, SQL injection, cross-site scripting, etc.)
  • Full paths of source file(s) related to the manifestation of the issue
  • Location of the affected source code (tag/branch/commit or direct URL)
  • Step-by-step instructions to reproduce the issue
  • Proof-of-concept or exploit code (if possible)
  • Impact of the issue, including how an attacker might exploit it
  • Any special configuration required to reproduce the issue

What to Expect

After you submit a report, here's what will happen:

  1. Acknowledgment - We'll confirm receipt of your vulnerability report within 48 hours
  2. Assessment - We'll investigate and assess the vulnerability (typically 5-10 business days)
  3. Updates - We'll keep you informed of our progress
  4. Resolution - We'll develop and test a fix
  5. Disclosure - We'll coordinate with you on the disclosure timeline
  6. Recognition - With your permission, we'll credit you in the security advisory

Response Timeline

  • Initial Response: Within 48 hours
  • Assessment Complete: Within 10 business days
  • Fix Development: Varies based on severity (1-4 weeks typical)
  • Public Disclosure: After fix is deployed and users have had time to update

Security Update Process

When we receive a security bug report, we will:

  1. Confirm the problem and determine affected versions
  2. Audit code to find any similar problems
  3. Prepare fixes for all supported releases
  4. Release new security patch versions as soon as possible

Security Best Practices

When using AvocadoDB, we recommend:

Network Security

  • Run AvocadoDB behind a firewall in production environments
  • Use authentication for all client connections
  • Enable TLS/SSL for data in transit
  • Restrict network access to trusted clients only
  • Use VPCs or private networks when deploying in cloud environments

Access Control

  • Use strong passwords for authentication
  • Implement least privilege access policies
  • Rotate credentials regularly
  • Monitor access logs for suspicious activity
  • Use API keys instead of sharing passwords

Data Protection

  • Encrypt sensitive data at rest when required by your use case
  • Implement backups with appropriate retention policies
  • Sanitize user inputs before processing
  • Validate query parameters to prevent injection attacks
  • Use rate limiting to prevent abuse

Deployment

  • Keep AvocadoDB updated to the latest stable version
  • Monitor security advisories for new vulnerabilities
  • Test updates in non-production environments first
  • When deploying in containers, scan images for known vulnerabilities before they ship
  • Implement logging and monitoring for security events

Development

  • Follow secure coding practices when building with AvocadoDB
  • Validate all inputs from untrusted sources
  • Use parameterized queries to prevent injection attacks
  • Keep dependencies updated and audit for known vulnerabilities
  • Perform security testing before deploying to production

Known Security Considerations

Vector Search Specific

  • Resource exhaustion: Large vector queries can consume significant memory and CPU
    • Implement query timeouts and resource limits
    • Use pagination for large result sets
  • Data inference: Vector similarity searches may reveal information about stored data
    • Implement appropriate access controls
    • Consider privacy implications of similarity searches

General Database Security

  • Denial of Service: Malicious queries can impact performance
    • Configure rate limiting
    • Set query complexity limits
    • Monitor resource usage
  • Data exposure: Improperly configured instances may expose data
    • Review default configurations
    • Audit access controls regularly
    • Use network segmentation
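The two lists above (resource exhaustion and pagination for vector search, rate limiting and complexity limits against denial of service) describe a guard layer that sits in front of the search engine. The following is an added example of such a guard, written for this page; it is not AvocadoDB's own code and does not use its API. The engine is a constructed in-memory brute-force stand-in, and every name, default limit and function signature (GuardedSearch, QueryLimits, the (vector, top_k, offset) engine call) is an assumption made for illustration.

```python
"""Added example, not AvocadoDB's own code: a guard that enforces query limits,
pagination bounds and per-client rate limits before a vector search reaches the
engine. The engine is a constructed stand-in; all names and limits are assumed."""
from __future__ import annotations

import math
import threading
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Sequence, Tuple


class QueryRejected(Exception):
    """Raised when a request violates a configured limit."""


@dataclass(frozen=True)
class QueryLimits:
    max_dim: int = 1536       # assumed: largest embedding dimension the deployment stores
    max_top_k: int = 100      # results per page; bounds the result heap
    max_offset: int = 10_000  # pagination window; unbounded offsets would scan the whole index
    timeout_s: float = 2.0    # wall-clock budget for one search
    rate_per_s: float = 5.0   # token-bucket refill rate per client
    burst: int = 10           # token-bucket capacity per client


class TokenBucket:
    """Per-client token bucket; `clock` is injectable so behaviour is testable."""

    def __init__(self, rate: float, burst: int, clock: Callable[[], float]):
        self.rate, self.burst, self.clock = rate, burst, clock
        self.tokens = float(burst)
        self.last = clock()
        self.lock = threading.Lock()

    def allow(self) -> bool:
        with self.lock:
            now = self.clock()
            self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
            self.last = now
            if self.tokens >= 1.0:
                self.tokens -= 1.0
                return True
            return False


Vector = Sequence[float]
SearchFn = Callable[[Vector, int, int], List[Tuple[str, float]]]  # (vector, top_k, offset)


@dataclass
class GuardedSearch:
    search_fn: SearchFn
    limits: QueryLimits = field(default_factory=QueryLimits)
    clock: Callable[[], float] = time.monotonic
    _buckets: Dict[str, TokenBucket] = field(default_factory=dict)

    def validate(self, vector: Vector, top_k: int, offset: int) -> None:
        """Reject oversized or malformed queries before any distance is computed."""
        lim = self.limits
        if not 0 < len(vector) <= lim.max_dim:
            raise QueryRejected(f"vector dimension {len(vector)} outside 1..{lim.max_dim}")
        if any(not isinstance(x, (int, float)) or not math.isfinite(x) for x in vector):
            raise QueryRejected("vector has non-numeric or non-finite values")  # NaN/inf poison scores
        if not 1 <= top_k <= lim.max_top_k:
            raise QueryRejected(f"top_k {top_k} outside 1..{lim.max_top_k}")
        if not 0 <= offset <= lim.max_offset:
            raise QueryRejected(f"offset {offset} outside 0..{lim.max_offset}")

    def search(self, client_id: str, vector: Vector, top_k: int = 10, offset: int = 0):
        bucket = self._buckets.setdefault(
            client_id, TokenBucket(self.limits.rate_per_s, self.limits.burst, self.clock))
        if not bucket.allow():  # cheapest check first, before any validation work
            raise QueryRejected(f"rate limit exceeded for client {client_id!r}")
        self.validate(vector, top_k, offset)
        # Run the engine call under a wall-clock budget. Python cannot kill the worker, so an
        # abandoned slow query still burns CPU; a real engine needs cooperative cancellation.
        outcome: list = []  # holds either the result list or the engine's exception

        def run() -> None:
            try:
                outcome.append(self.search_fn(vector, top_k, offset))
            except Exception as exc:  # re-raised on the caller's thread below
                outcome.append(exc)

        worker = threading.Thread(target=run, daemon=True)
        worker.start()
        worker.join(self.limits.timeout_s)
        if worker.is_alive():
            raise QueryRejected(f"query exceeded {self.limits.timeout_s}s budget")
        if isinstance(outcome[0], Exception):
            raise outcome[0]
        return outcome[0]


def brute_force_engine(index: Dict[str, Vector]) -> SearchFn:
    """Constructed stand-in for the real engine: exact cosine similarity, paginated."""
    def cosine(a: Vector, b: Vector) -> float:
        dot = sum(x * y for x, y in zip(a, b))
        return dot / (math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b)))

    def search(vector: Vector, top_k: int, offset: int) -> List[Tuple[str, float]]:
        scored = sorted(((k, cosine(vector, v)) for k, v in index.items()),
                        key=lambda kv: kv[1], reverse=True)
        return scored[offset:offset + top_k]
    return search


def is_rejected(call: Callable[[], object]) -> bool:
    """True if `call` raises QueryRejected; used to exercise the guard."""
    try:
        call()
    except QueryRejected:
        return True
    return False


SAMPLE_INDEX: Dict[str, Vector] = {  # constructed sample data, 3-dimensional for brevity
    "doc-a": [1.0, 0.0, 0.0],
    "doc-b": [0.9, 0.1, 0.0],
    "doc-c": [0.0, 1.0, 0.0],
    "doc-d": [0.0, 0.0, 1.0],
}


def demo() -> List[str]:
    """Page through the sample index two hits at a time; returns the hit ids in order."""
    guard = GuardedSearch(brute_force_engine(SAMPLE_INDEX), QueryLimits(max_dim=3, max_top_k=2))
    page1 = guard.search("tenant-1", [1.0, 0.0, 0.0], top_k=2, offset=0)
    page2 = guard.search("tenant-1", [1.0, 0.0, 0.0], top_k=2, offset=2)
    return [doc for doc, _ in page1 + page2]


if __name__ == "__main__":
    print(demo())
```

The order of checks matters: the rate limiter runs before validation so a flood of malformed requests costs the server only a dictionary lookup, and validation runs before the engine so no distance is computed for a query that will be rejected anyway. The timeout is a last-resort cap, not a substitute for complexity limits, since a Python thread cannot be interrupted once it is inside the engine call.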

Vulnerability Disclosure Policy

  • Coordinated Disclosure: We follow a coordinated disclosure process
  • Public Advisory: We will publish a security advisory after fixes are available
  • CVE Assignment: We will request CVEs for significant vulnerabilities
  • Credit: We will credit researchers who responsibly disclose vulnerabilities (with permission)

Security Hall of Fame

We recognize and thank the following security researchers for responsibly disclosing vulnerabilities:

(No vulnerabilities have been reported yet)

Bug Bounty Program

We do not currently offer a paid bug bounty program. However, we deeply appreciate responsible disclosure and will recognize contributors in our security hall of fame and release notes.

Contact

For security-related questions that are not vulnerability reports, you can:

  • Open a GitHub Discussion in the Security category
  • Contact the team at [email protected]

For general questions and support, please use GitHub Discussions or Issues.


Thank you for helping keep AvocadoDB and our users safe!