
Addressing Security Vulnerabilities

MongoDB takes the security of its products and services seriously. Individuals who identify a potential security vulnerability are encouraged to report it promptly through MongoDB’s bug bounty program.

Coordinated Disclosure

MongoDB is committed to the security of its products and the protection of customer data. Security researchers, customers, and partners are encouraged to report potential vulnerabilities or incidents related to MongoDB products to help ensure timely resolution.

MongoDB operates a bug bounty program through HackerOne, where eligible security researchers may receive monetary rewards for valid vulnerability reports. MongoDB’s security team reviews and validates all submissions in accordance with the company’s Vulnerability Disclosure Policy.

Further details on submitting a vulnerability report, including the current scope and rewards, can be found on the HackerOne program page.

For those who prefer not to participate in the bug bounty program, security vulnerabilities can also be submitted directly via the security bug form.

Program Scope

Security bugs or vulnerabilities found on any MongoDB products or tools may be reported via the security bug form. Please refer to the security-related information and configuration guidance below before submitting a new vulnerability.

The scope of MongoDB’s bug bounty program is MongoDB Owned Domains, MongoDB Free Tier Atlas, and a few MongoDB Shipped Products with exceptions (please refer to the Out of Scope section). For a detailed list of our scopes, please refer to the HackerOne program page. When submitting a report, if the asset involved is not explicitly called out in scope, it will not be eligible for bounty.

If the vulnerability falls outside of this immediate scope, you are encouraged to submit the vulnerability via MongoDB’s security bug form.

Out of Scope and Non Qualifying Reports

Please note that all evergreen endpoints (including staging) are out of scope of this program and not eligible for bounty.

  • Public Jira Projects: We have multiple Jira Projects that have been intentionally made public. Please only submit Jira-related reports that involve sensitive information disclosure.
  • Subdomain takeovers for out of scope domains
  • Clickjacking on pages with no sensitive actions
  • Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions
  • Attacks requiring MITM or physical access to a user's device
  • Previously known vulnerable libraries without a working Proof of Concept
  • Comma Separated Values (CSV) injection without demonstrating a vulnerability
  • Missing best practices in SSL/TLS configuration
  • Any activity that could lead to the disruption of our service (DoS)
  • Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
  • Rate limiting or bruteforce issues on non-authentication endpoints
  • Missing best practices in Content Security Policy
  • Missing HttpOnly or Secure flags on cookies
  • Missing email best practices (Invalid, incomplete, or missing SPF/DKIM/DMARC records, etc.)
  • Vulnerabilities only affecting users of outdated or unpatched browsers [Fewer than two stable versions behind the latest released stable version]
  • Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors)
  • Public zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis
  • Tabnabbing
  • Open redirect; unless an additional security impact can be demonstrated
  • Issues that require unlikely user interaction
  • Artifactory issues
  • Known false positives:
    • Content injection
    • Error Message
    • SCRAM-SHA1 authentication mechanism's login credentials disclosure
    • SPF record configuration on 10gen.com or mongodb.com
    • Server version disclosure
    • Information Disclosure on /secure/QueryComponent!Default.jspa endpoint
  • Accepted Risks:
    • CSRF with minimal security implications i.e. CSRF on logout
    • CSRF Token Leak
    • JavaScript error
  • Good practice settings:
    • CSP uses unsafe-inline
    • Missing Certificate Authority
    • Authorization Rule
    • Missing HSTS
    • Missing security headers
    • No X-Frame-Options header on developer.mongodb.com
    • Open redirect using Host header

Privacy

See MongoDB’s Legal Hub for our Privacy Policy and more information on our privacy program.

Disclosure

MongoDB, Inc. requests that security researchers do not publicly disclose any information regarding the vulnerabilities they discover or exploit the issue until the company has had the opportunity to analyze the vulnerability, to respond to the notification, and to notify key users, customers, and partners.

The amount of time required to validate a reported vulnerability depends on the complexity and severity of the issue. MongoDB, Inc. takes all reported security vulnerabilities very seriously and will always ensure that there is a clear and open channel of communication with the reporter. After validating an issue, MongoDB, Inc. coordinates public disclosure of the issue with the reporter in a mutually agreed timeframe and format.

Guidelines

Contact Us

For support, please use the MongoDB Support Hub.

Recognition

MongoDB thanks the following individuals for identifying and assisting in fixing Security related flaws or vulnerabilities in MongoDB products/services via our disclosure process.

Researcher | Social Media/Contact | Valid Reports | Recognition Points
Suhas Sunil Gaikwad | - | 1 | 10
Mehedi Hasan (SecMiners BD) | Facebook | 1 | 8
Pritam Mukherjee | LinkedIn | 1 | 8
Bhavya Jain | Twitter | 1 | 8
Taha Smily | - | 1 | 8
David Calligaris | Twitter | 1 | 8
Rich Mirch | - | 1 | 8
Mitch Wasson of Cisco's Advanced Malware Protection Group | Email | 1 | 8
Philippe Jacquot | - | 1 | 8
Simon Budail-Essard | - | 1 | 8
Henri Salo from Nixu Corporation | - | 3 | 0
Pankaj Kumar Thakur | LinkedIn | 2 | *
@SecurityMate | Twitter | 2 | *
Mohsin Khan | LinkedIn | 2 | *
Mohd.Danish Abid | LinkedIn | 1 | *
Dristant Uprety | LinkedIn | 1 | *
Emad Al-Mousa | - | 1 | *
Mohammad Hosein Askari | - | 1 | *
Kyle Martin | LinkedIn | 1 | *
Abdul Rehman Tariq | - | 1 | *
Tony Yesudas | - | 1 | *
Soundar.M | LinkedIn | 1 | *
Feng Xiao from Georgia Tech | - | 1 | *
Will Ashworth | Email | 1 | *
Ketan Madhukar Mukane | - | 1 | *
Sicheng Liu of Beijing DBSEC Technology Co., Ltd | - | 1 | *
Arbazz Hussain | - | 1 | *
Andre Protas of Apple | - | 1 | *
Vineet Kumar | Email | 1 | *
Alyssa Herrera | - | 1 | *
Jamie (James C.) Davis of Virginia Tech | - | 1 | *
ALI WAMIM KHAN | - | 1 | *
Nenad Borovčanin | - | 1 | *
Cameron Dawe | - | 1 | *
Kamil Sevi | - | 1 | *
Sumit Sahoo | - | 1 | *
Richo Healey | - | 1 | *
Andrea Palazzo (Truel IT) | - | 1 | *
Kai Lu and Xiaopeng Zhang of Fortinet's FortiGuard Labs | - | 1 | *
Christian Hansen | - | 1 | *
Jason King | - | 1 | *
Daniel Isaac Khan Ramiro | - | 1 | *
joev@metasploit.com | - | 1 | *
Florian Gaultier | - | 1 | *
Gerd Jungbluth | - | 1 | *
Will Urbanski | - | 1 | *
Yury Maryshev | - | 1 | *
Mikhail Firstov | - | 1 | *
HD Moore | - | 1 | *
Md. Nur A Alam Dipu | - | 1 | *
Omar Amin | - | 1 | *
Hugo Ferrando Seage | - | 1 | *
Raghotham Mruthike from DeskNine | LinkedIn | 2 | *

* These reporters were added to the hall of fame prior to the new revamped policy.