Security: Bug Bounty Program

Responsible Disclosure

Security of user data and communication is of utmost importance to pganalyze. In pursuit of the best possible security for our service, we welcome responsible disclosure of any vulnerability you find in pganalyze. Principles of responsible disclosure include, but are not limited to:

  • Access or expose only customer data that is your own.
  • Do not exfiltrate data from our infrastructure (including source code, data backups, configuration files).
  • If you obtain remote access to our system, report your finding immediately. Do not attempt to pivot to other servers or elevate access.
  • Avoid scanning techniques that are likely to cause degradation of service to other customers (e.g. by overloading the site). This includes the spamming of contact forms, support emails, etc.
  • Keep within the guidelines of our Terms of Service.
  • Keep details of vulnerabilities secret until pganalyze has been notified and had a reasonable amount of time to fix the vulnerability.
  • In order to be eligible for a bounty, your submission must be accepted as valid by pganalyze. We use the following guidelines to determine the validity of requests and the reward compensation offered.

Reproducibility

Our engineers must be able to reproduce the security flaw from your report. Reports that are too vague or unclear are not eligible for a reward. Reports that include clearly written explanations and working code are more likely to garner rewards.

Severity

We are interested in security vulnerabilities that can be exploited to gain access to user data. We will qualify and reward a vulnerability only if the bug can be successfully used, by itself or in combination with another vulnerability you report, to access user data that is not yours. General "bugs" are never qualifying vulnerabilities, and anything that is not an exploit is a general "bug". The exploit must rely only on vulnerabilities in pganalyze's systems.

Examples of Qualifying Vulnerabilities

  • Authentication flaws
  • Circumvention of our Platform/Privacy permissions model
  • Cross-site scripting (XSS)
  • Cross-site request forgery (CSRF/XSRF). This excludes logout CSRF.
  • Server-side code execution

Examples of Non-Qualifying Vulnerabilities

  • Failures to adhere to "best practices" (for example, common HTTP headers, link expiration or password policy)
  • Denial of Service vulnerabilities (DoS)
  • Logout CSRF
  • Possibilities to send malicious links to people you know
  • Security bugs in third-party websites that integrate with pganalyze
  • Insecure cookies on pganalyze.com
  • Mixed-content scripts on pganalyze.com
  • Vulnerabilities that require a potential victim to install non-standard software or otherwise take active steps to make themselves susceptible
  • Spam or social engineering techniques

Rewards

Only 1 bounty will be awarded per vulnerability.

If we receive multiple reports for the same vulnerability, only the person offering the first clear report will receive a reward.

We maintain flexibility with our reward system and have no minimum/maximum amount; rewards are based on severity, impact, and report quality.

To receive a reward, you must reside in a country not on sanctions lists (e.g., Cuba, Iran, North Korea, Sudan & Syria). This is a discretionary program and pganalyze reserves the right to cancel the program; the decision whether or not to pay a reward is at our discretion.

Rewards are paid through PayPal.

How to report

Please report vulnerabilities by email to security@pganalyze.com.

We recommend encrypting your message using PGP for the pganalyze key:

Fingerprint:

C09B 2CAB 0DB3 78F6 E7FD 93F1 0E6D EC71 A2B5 F2F9

Public Key:
