The CrateDB team and community take security bugs seriously. We appreciate your efforts to responsibly disclose your findings, and will make every effort to acknowledge your contributions.

To report a security issue, please use the GitHub security reporting system on the corresponding project where you discovered the flaw. It is on the "Security" tab at Security » Advisories » New draft security advisory.

For CrateDB, just navigate to Report a vulnerability for CrateDB.

The CrateDB team will send a response indicating the next steps in handling your report. After the initial reply to your report, the security team will keep you informed of the progress towards a fix and full announcement, and may ask for additional information or guidance.

If you can't use the GitHub security reporting system, an alternative way of reporting security issues will be to write an email to security@crate.io.