Introduction
We value our Open Source community and are taking steps to improve our security communications. We launched the ClickHouse Cloud Trust Center in 2022; it describes our security controls and compliance efforts and lets customers subscribe to updates about our program.
Today, we are excited to announce the launch of a Trust Center supporting ClickHouse Open Source Software (OSS)! Our ClickHouse OSS Trust Center is a one-stop shop for links to our Bug Bounty program, policies, and configurations. We will also leverage our Trust Center to send notifications of vulnerability fixes.
What benefits come with subscribing to our ClickHouse OSS Trust Center?
Our ClickHouse OSS vulnerability management program enables us to receive notifications of potential vulnerabilities through our Bug Bounty program, code scans, and reports from our contributors. We begin investigations within five (5) working days of receiving a notification. If a vulnerability is confirmed, we work to fully understand and classify the vulnerability, and then prioritize it for work.
Once remediation is available via a fix or configuration, we may take one of two paths to let our community know. Where the fix is straightforward and the risk of exploitation is lower, we add the fix to our security change log, update our public repository, and issue a Common Vulnerabilities and Exposures (CVE) record.
Fixes that are more complex and carry a higher risk of exploitation qualify for our new Embargo Notification Program, under which we give Trust Center subscribers advance notification before making the information public. There will usually be a short window between the embargo notification and the additional steps of adding the issue to our change log and issuing a CVE.
What is the purpose of an embargo notification?
In the event that a vulnerability is not publicly or widely known and an exploit represents a high risk to our open-source users, we want to afford our users an opportunity to implement the fix before threat actors are made aware that the issue exists. It is both easy to enroll in the embargo notification program and easy to opt out should the notifications no longer be relevant to you.
CVE Reporting
To ensure vulnerability information is available as broadly as possible, we not only issue notifications and fixes through our Trust Center and Open Source repository, but are also proud participants in the CVE Numbering Authority (CNA) program. We ensure vulnerability information is made available through the CVE database with clear descriptions and remediation instructions. We also watch for relevant CVEs that are reported to ensure accurate classification, descriptions, and fixes.
How to subscribe
Want to know more or sign up for notifications? Visit us at the ClickHouse OSS Trust Center.