# Vulnerability Disclosure

## In Scope

turbopuffer is seeking vulnerability reports for:

- Dashboard: the website hosted at https://turbopuffer.com/dashboard, including
  the authentication process and the process of managing API keys.
- Database: the turbopuffer database API.
- Client SDKs: the turbopuffer client libraries, which can be found on [our GitHub](https://github.com/orgs/turbopuffer/repositories).

Our focus is on unauthorized access to user data.

## Out of Scope

The following issues are considered out of scope:

- Clickjacking on pages with no sensitive actions.
- CSRF on forms that are available to anonymous users or forms with no sensitive actions.
- Flags on cookies that are not sensitive.
- TLS, DNS, and security header configuration suggestions on the marketing website.
- Any activity that could lead to denial of service (DoS) by sending a flood of requests.

## How to Report

If you believe you have found a vulnerability, please submit your findings to [security@turbopuffer.com](mailto:security@turbopuffer.com).

To expedite triage and resolution, please include:

- A detailed description of the vulnerability.
- How you found the vulnerability, including any relevant software you used.
- Steps to reproduce the vulnerability, or a working proof-of-concept.

If your report is clear and in scope, you can expect a timely
response. We will update you when the vulnerability has been validated, when
more information is needed from you, or when you have qualified for a bounty.
We do not yet have a standardized framework for determining monetary rewards,
and are currently assessing rewards on a case-by-case basis.

## Program Policy

To promote the security of our platform, we ask that you:

- Allow us reasonable time to respond to the report before disclosing any
  information about it publicly, and collaborate with us to make reports
  public.
- Do not access or modify our data or our users' data, unless you have explicit
  permission of the owner. Only interact with your own accounts for security
  research purposes.
- If you do inadvertently encounter user data, contact us immediately. Do not
  view, alter, save, store, transfer, or otherwise access the data, and
  immediately purge the data from your machine.
- Act in good faith to avoid violating privacy, destroying data, or otherwise
  disrupting our services.
- Do not attempt any form of social engineering (e.g. phishing, smishing).
- Comply with all applicable laws.

## Safe Harbor

Activities conducted in a manner consistent with this policy will be considered
authorized conduct and we will not initiate legal action against you. If legal
action is initiated by a third party against you in connection with activities
conducted under this policy, we will take steps to make it known that your
actions were conducted in compliance with this policy.


---

This page: [/docs/vdp.md](https://turbopuffer.com/docs/vdp.md)

All documentation pages: [/llms.txt](https://turbopuffer.com/llms.txt)

All documentation in one file: [/llms-full.txt](https://turbopuffer.com/llms-full.txt)