Security
Vulnerability Disclosure Policy
Version 1.0
Last Updated: May 12, 2025
Introduction
Aerospike is committed to ensuring the security of our systems and protecting our customers' data from unauthorized access and unwarranted disclosure. We value the important role that security researchers, customers, and partners play in identifying and reporting potential vulnerabilities. This policy provides clear guidelines for conducting vulnerability discovery activities and outlines how to submit reports so we can validate and remediate issues quickly. If you make a good faith effort to comply with this policy, we will consider your research authorized under the terms described in the Safe Harbor section below.
How to report a vulnerability
You may report a potential security vulnerability through the following channel:
Email: Send your report to prodsec@aerospike.com
In your report, please include the following:
Description: A description of the vulnerability, including where it was discovered and its potential impact.
Steps to reproduce: Detailed instructions on how to reproduce the vulnerability, including proof-of-concept scripts, screenshots, or screen recordings.
Contact information (optional): You may submit your report anonymously. If you would like to be contacted, please provide your name and email address.
We may request additional information regarding the issue.
How we handle reported vulnerabilities
When we receive a report, our product security team reviews it and triages it based on severity and potential impact, following Common Vulnerability Scoring System (CVSS) standards. Confirmed vulnerabilities are prioritized for remediation in coordination with our engineering teams. For vulnerabilities involving third-party dependencies, we work with upstream maintainers and factor the availability of upstream fixes into our remediation timeline. Throughout this process, we will keep you informed, consistent with Aerospike's commitments set out in this policy.
Aerospike’s commitment
If you make a good faith effort to comply with this policy, Aerospike will:
Acknowledge receipt of your report within three business days.
Investigate every report to validate the vulnerability and prioritize remediation based on severity and impact.
Keep you informed of Aerospike’s progress as Aerospike remediates the vulnerability.
Keep all information you provide confidential, and not share your name or contact information without your explicit permission.
Scope
This policy applies to all of Aerospike's publicly accessible systems and services. This includes, but is not limited to:
Aerospike Database Server (all supported versions)
Aerospike Cloud (aerospike.com cloud-hosted services)
Aerospike Tools (aql, asadm, asbackup, asrestore, asbenchmark, etc.)
Aerospike Connect products (Spark, Kafka, JMS, Pulsar, etc.)
Aerospike client libraries (Java, C, C#, Python, Go, Node.js, etc.)
aerospike.com and subdomains
Aerospike documentation site (docs.aerospike.com)
Any additional in-scope properties to be defined by Aerospike
Any services not expressly listed above are excluded from the scope of this policy.
Guidelines
Aerospike asks that you:
Avoid privacy violations, degradation of the user experience, disruption to Aerospike production systems, and data destruction during your research.
Only use exploits to the extent necessary to confirm a vulnerability’s presence. Do not use an exploit to compromise or exfiltrate data, establish persistent command-line access, or pivot to other systems.
Refrain from publicly disclosing the vulnerability for 90 calendar days from Aerospike’s acknowledgment of your report. If you believe earlier disclosure is warranted, coordinate with Aerospike in advance.
Submit clear, reproducible reports with sufficient detail to validate the issue.
Include documented and video steps for replicating a possible security issue, when and where possible.
Cease testing and notify Aerospike immediately upon discovery of a vulnerability or any exposure of non-public data.
Purge any stored Aerospike non-public data upon reporting a vulnerability.
Out-of-scope vulnerabilities
The following types of vulnerabilities are considered out of scope:
Denial of service (DoS or DDoS) attacks
Spamming or social engineering (e.g., phishing, vishing)
Physical attacks against Aerospike property or data centers
Customer applications or deployments built on Aerospike
Third-party dependencies where no Aerospike code is involved (report these to the upstream maintainer directly)
Theoretical vulnerabilities with no demonstrated impact
Reports from automated tools or scans without a working proof of concept
Attacks requiring man-in-the-middle or physical access to a user’s device
Any services, systems, or domains not explicitly listed above
Safe harbor
Specifically, Aerospike:
Will not pursue civil or criminal action, or support prosecution by third parties, against researchers acting in good faith under this policy.
Will consider authorized research under this policy to be exempt from restrictions in the Computer Fraud and Abuse Act (CFAA), the Digital Millennium Copyright Act (DMCA), and similar laws, to the extent permitted by applicable law.
Waives any contractual restrictions (e.g., Terms of Service) that would otherwise prohibit security research conducted under this policy.
Will confirm your authorization to third parties if legal action is initiated against you for research conducted under this policy.
If at any time you are uncertain whether your research complies with this policy, please contact Aerospike at prodsec@aerospike.com before proceeding.
Questions
If you have any questions about this policy or have suggestions for improving it, please contact Aerospike at prodsec@aerospike.com. Aerospike appreciates your efforts to help us keep our systems and our users safe.
Acknowledgments
Aerospike appreciates the professionalism and support of all security researchers who help improve the security of its systems and customer data. Researchers who have agreed to be publicly acknowledged for their efforts will be listed below.