Create a Vulnerability Report

If you believe you have discovered a vulnerability in MongoDB products or have experienced a security incident related to MongoDB products, please report the issue to aid in its resolution.

To report an issue, we strongly suggest filing a ticket in the SECURITY project in JIRA. MongoDB, Inc. responds to vulnerability notifications within 48 hours.

Create the Report in JIRA

Submit a ticket in the SECURITY project on MongoDB's JIRA. The ticket number becomes the reference identifier for the issue for its lifetime; you can use this identifier for tracking purposes.

Information to Provide

All vulnerability reports should contain as much information as possible so MongoDB's developers can move quickly to resolve the issue. In particular, please include the following:

  • The name of the product.
  • Common Vulnerability information, if applicable, including:
      • CVSS (Common Vulnerability Scoring System) Score.
      • CVE (Common Vulnerabilities and Exposures) Identifier.
  • Contact information, including an email address and/or phone number, if applicable.

Send the Report via Email

While JIRA is the preferred reporting method, you may also report vulnerabilities via email to security@mongodb.com.

You may encrypt email using MongoDB's public key at https://docs.mongodb.com/10gen-security-gpg-key.asc.

MongoDB, Inc. responds to vulnerability reports sent via email with a reply that contains the reference number of a JIRA ticket filed in the SECURITY project.

Evaluation of a Vulnerability Report

MongoDB, Inc. validates all submitted vulnerabilities and uses JIRA to track all communications regarding a vulnerability, including requests for clarification or additional information. If needed, MongoDB representatives set up a conference call to exchange information regarding the vulnerability.

Disclosure

MongoDB, Inc. requests that you do not publicly disclose any information regarding the vulnerability or exploit the issue until it has had the opportunity to analyze the vulnerability, to respond to the notification, and to notify key users, customers, and partners.

The amount of time required to validate a reported vulnerability depends on the complexity and severity of the issue. MongoDB, Inc. takes all reported vulnerabilities very seriously and will always ensure that there is a clear and open channel of communication with the reporter.

After validating an issue, MongoDB, Inc. coordinates public disclosure of the issue with the reporter in a mutually agreed timeframe and format. If required or requested, the reporter of a vulnerability will receive credit in the published security bulletin.