We're extremely grateful to security researchers and users who report vulnerabilities to the ClickHouse Open Source Community. All reports are thoroughly investigated by developers and security engineers.
To report a potential vulnerability in ClickHouse Operator, please submit the details through our public bug bounty program hosted by Bugcrowd. Reports are rewarded as per the program scope and rules of engagement.
Report a vulnerability when:
- You think you discovered a potential security vulnerability in clickhouse-operator
- You are unsure how a vulnerability affects clickhouse-operator
Do not use this process when:
- You need help to set up and/or configure clickhouse-operator
- You need help applying security-related updates
- Your issue is not security-related
Each report is acknowledged and analyzed by a ClickHouse security engineer within 5 working days. As the security issue moves from triage, to identified fix, to release planning, we will keep the reporter updated.
The ClickHouse maintainers and the bug submitter negotiate a public disclosure date, with protecting ClickHouse users as the top priority. This ensures users have sufficient time and notice to update affected systems.
It is reasonable to delay disclosure when the bug or the fix is not yet fully understood, the solution is not well-tested, or for vendor coordination. The timeframe for disclosure is from immediate (especially if it's already publicly known) to 90 days.
Open source users and support customers may subscribe to receive alerts during the embargo period by visiting https://trust.clickhouse.com/?product=clickhouseoss, requesting access and subscribing to alerts. Subscribers agree not to make these notifications public, issue communications, share this information with others, or issue public patches before the disclosure date. Accidental disclosures must be reported immediately to trust@clickhouse.com. Failure to follow this policy or repeated leaks may result in removal from the subscriber list.
Participation criteria:
- Be a current open source user or support customer with a valid corporate email domain (no @gmail.com, @azure.com, etc.).
- Sign up for the ClickHouse OSS Trust Center at https://trust.clickhouse.com.
- Accept the ClickHouse Security Vulnerability Response Policy as outlined above.
- Subscribe to ClickHouse OSS Trust Center alerts.
Removal criteria:
- Members may be removed for failure to follow this policy or repeated leaks.
- Members may be removed for bounced messages (mail delivery failure).
- Members may unsubscribe at any time.
Notification process: ClickHouse will post notifications within our OSS Trust Center and notify subscribers. Subscribers must log in to the Trust Center to download the notification. The notification will include the timeframe for public disclosure.