This version of the documentation is archived and no longer supported.

Vulnerability Notification

On this page

MongoDB values the privacy and security of all users of MongoDB, and every effort is made to ensure that MongoDB and related tools minimize risk exposure and increase the security and integrity of data and environments using MongoDB.


If you believe you have discovered a vulnerability in MongoDB or have experienced a security incident related to MongoDB, please report the issue so it can be avoided in future. All vulnerability reports should contain as much information as possible so that the issue can be resolved quickly. In particular, please include the following:

  • The name of the product.
  • Common Vulnerability information, if applicable, including:
    • CVSS (Common Vulnerability Scoring System) Score.
    • CVE (Common Vulnerability and Exposures) Identifier.
  • Contact information, including an email address and/or phone number, if applicable.

All vulnerability notifications are responded to within 48 hours.

Jira is the perferred method of communication regarding MongoDB.

Submit a ticket in the Core Server Security” project, at: <>. The ticket number will become reference identification for the issue for the lifetime of the issue, and you can use this identifier for tracking purposes.

MongoDB, Inc. will respond to any vulnerability notification received in a Jira case posted to the SECURITY project.


While Jira is preferred, you may also report vulnerabilities via email to <>.

You may encrypt email using MongoDB’s‘ public key, to ensure the privacy of any sensitive information in your vulnerability report.

MongoDB, Inc. will respond to any vulnerability notification received via email with email which will contain a reference number (i.e. a ticket from the SECURITY project,) Jira case posted to the SECURITY project.


MongoDB, Inc. validates all submitted vulnerabilities and uses Jira to track all communications regarding the vulnerability, including requests for clarification and for additional information. If needed, MongoDB representatives can set up a conference call to exchange information regarding the vulnerability.


MongoDB, Inc. requests that you do not publicly disclose any information regarding the vulnerability or exploit the issue until it has had the opportunity to analyze the vulnerability, respond to the notification, and to notify key users, customers, and partners if needed.

The amount of time required to validate a reported vulnerability depends on the complexity and severity of the issue. MongoDB, Inc. takes all required vulnerabilities very seriously and will always ensure that there is a clear and open channel of communication with the reporter of the vulnerability.

After validating the issue, MongoDB, Inc. will coordinate public disclosure of the issue with the reporter in a mutually agreed timeframe and format. If required or requested, the reporter of a vulnerability will receive credit in the published security bulletin.