Reporting a security vulnerability
If you believe you have discovered a vulnerability or have experienced a security incident related to Couchbase, please report the issue to us.
To report an issue, we strongly suggest filing a support ticket or opening an issue in JIRA.
All vulnerability reports should contain as much information as possible so that our engineers can investigate the issue further. In particular, include the Common Vulnerability information, if applicable, which includes:
CVSS (Common Vulnerability Scoring System) Score.
CVE (Common Vulnerability and Exposures) Identifier.
Contact information, including an email address and phone number, if applicable.
Couchbase, Inc. requests that you do not publicly disclose any information regarding the vulnerability or exploit the issue until Couchbase had the opportunity to analyze the vulnerability, to respond to the notification, and to notify key users, customers, and partners.
The amount of time to validate and resolve a reported vulnerability depends on the complexity and severity of the issue, and whether there are any third party dependencies. Couchbase takes all required vulnerabilities very seriously and will publicise confirmed security vulnerabilities in the announcement forum on the support knowledge base.