Addressing Security Vulnerabilities

Coordinated Disclosure

MongoDB is committed to the security of its products and the protection of customer data. Security researchers, customers, and partners are encouraged to report potential vulnerabilities or incidents related to MongoDB products to help ensure timely resolution.

MongoDB operates a bug bounty program through HackerOne, where eligible security researchers may receive monetary rewards for valid vulnerability reports. MongoDB’s security team reviews and validates all submissions in accordance with the company’s Vulnerability Disclosure Policy.

Further details on submitting a vulnerability report, including the current scope and rewards, can be found on the HackerOne program page.

For those who prefer not to participate in the bug bounty program, security vulnerabilities can also be submitted directly via the security bug form.

Program Scope

Security bugs or vulnerabilities found on any MongoDB products or tools may be reported via the security bug form. Please refer to the security-related information and configuration guidance below before submitting a new vulnerability.

The scope of MongoDB’s bug bounty program is MongoDB Owned Domains, MongoDB Free Tier Atlas, and a few MongoDB Shipped Products with exceptions (please refer to the Out of Scope section). For a detailed list of our scopes, please refer to the HackerOne program page. When submitting a report, if the asset involved is not explicitly called out in scope, it will not be eligible for bounty.

If the vulnerability falls outside of this immediate scope, you are encouraged to submit the vulnerability via MongoDB’s security bug form.

Out of Scope and Non Qualifying Reports

Please note that all evergreen endpoints (including staging) are out of scope of this program and not eligible for bounty.

• Public Jira Projects: We have multiple Jira Projects that have been intentionally made public. Please only submit Jira-related reports that involve sensitive information disclosure.
• Subdomain takeovers for out of scope domains
• Clickjacking on pages with no sensitive actions
• Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions
• Attacks requiring MITM or physical access to a user's device
• Previously known vulnerable libraries without a working Proof of Concept
• Comma Separated Values (CSV) injection without demonstrating a vulnerability
• Missing best practices in SSL/TLS configuration
• Any activity that could lead to the disruption of our service (DoS)
• Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
• Rate limiting or bruteforce issues on non-authentication endpoints
• Missing best practices in Content Security Policy
• Missing HttpOnly or Secure flags on cookies
• Missing email best practices (Invalid, incomplete, or missing SPF/DKIM/DMARC records, etc.)
• Vulnerabilities only affecting users of outdated or unpatched browsers [Fewer than two stable versions behind the latest released stable version]
• Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors)
• Public zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis
• Tabnabbing
• Open redirect; unless an additional security impact can be demonstrated
• Issues that require unlikely user interaction
• Artifactory issues
• Known false positives:
  • Content injection
  • Error Message
  • SCRAM-SHA1 authentication mechanism's login credentials disclosure
  • SPF record configuration on 10gen.com or mongodb.com
  • Server version disclosure
  • Information Disclosure on /secure/QueryComponent!Default.jspa endpoint
• Accepted Risks:
  • CSRF with minimal security implications i.e. CSRF on logout
  • CSRF Token Leak
  • JavaScript error
• Good practice settings:
  • CSP uses unsafe-inline, Missing Certificate Authority, Authorization Rule, Missing HSTS, Missing security headers, No X-Frame Options Header on developer.mongodb.com, Open redirect using Host header.
  • No X-Frame Options Header on developer.mongodb.com

Privacy

See MongoDB’s Legal Hub for our Privacy Policy and more information on our privacy program.

Disclosure

MongoDB, Inc. requests that security researchers do not publicly disclose any information regarding the vulnerabilities they discover or exploit the issue until the company has had the opportunity to analyze the vulnerability, to respond to the notification, and to notify key users, customers, and partners.

The amount of time required to validate a reported vulnerability depends on the complexity and severity of the issue. MongoDB, Inc. takes all required security vulnerabilities very seriously and will always ensure that there is a clear and open channel of communication with the reporter. After validating an issue, MongoDB, Inc. coordinates public disclosure of the issue with the reporter in a mutually agreed timeframe and format.

Guidelines

• Security configuration
• Security Bulletin / CVEs

Contact Us

For support, please use the MongoDB Support Hub.