How to Report Security Vulnerabilities
If you are an existing Milvus user, Zilliz Cloud customer or partner, please submit a service request at support@zilliz.com for any security vulnerability you believe you have discovered in the Zilliz Cloud product.
If you are not a customer or partner, please email security@zilliz.com with your discovery.
Zilliz highly values and appreciates the members of the research community who find security vulnerabilities and responsibly disclose them to Zilliz so that fixes can be issued to all customers. We have our own roots as an open source software company with the philosophy that open source software should be free to use, to integrate and to create derivative works from, regardless of the use case or the user. We develop our software in the open with the help of a global community of developers and contributors with whom we share a common understanding and trust in the free exchange of knowledge.
Zilliz’s policy is to credit and reward all researchers provided they follow responsible disclosure practices:
- They do not publish the vulnerability prior to Zilliz releasing a fix for it.
- They do not divulge exact details of the issue, for example, through exploits or proof-of-concept code.
Zilliz does not credit employees or contractors of Zilliz and its subsidiaries for vulnerabilities they have found.
Our current rewards include but are not limited to:
- Public acknowledgement in release notes when a fix for the reported security bug is issued
- Free Zilliz swag, including hoodies, t-shirts, socks and other gear
- Complimentary tickets to Zilliz events and opportunities to meet with our technical staff
It is not Zilliz’s policy to provide cash awards for discovered vulnerabilities at this time.
In-scope assets for Bug Bounty rewards include Zilliz Cloud and any of our open source distributions such as Milvus and GPTCache. You can sign up for a free Zilliz Cloud account or explore our open source software at https://github.com/milvus-io/milvus.