Dashboard: the website hosted at https://turbopuffer.com/dashboard, including
the authentication process and the process of managing API keys.
Database: the turbopuffer database API.
Client SDKs: the turbopuffer client libraries, which can be found on our GitHub.
Our focus is on unauthorized access to user data.
Out of Scope
The following issues are considered out of scope:
Clickjacking on pages with no sensitive actions.
CSRF on forms that are available to anonymous users or forms with no sensitive actions.
Flags on cookies that are not sensitive.
TLS, DNS, and security header configuration suggestions on the marketing website.
Any activity that could lead to denial of service (DoS) by sending a flood of requests.
How to Report
If you believe you have found a vulnerability, please submit your findings to security@turbopuffer.com.
To expedite triage and resolution, please include:
A detailed description of the vulnerability.
How you found the vulnerability, including any relevant software you used.
Steps to reproduce the vulnerability, or a working proof-of-concept.
If your report is clear and in scope, you can expect a timely
response. We will update you when the vulnerability has been validated, when
more information is needed from you, or when you have qualified for a bounty.
We do not yet have a standardized framework for determining monetary rewards,
and are currently assessing rewards on a case-by-case basis.
Program Policy
To promote the security of our platform, we ask that you:
Allow us reasonable time to respond to the report before disclosing any
information about it publicly, and collaborate with us to make reports
public.
Do not access or modify our data or our users' data, unless you have explicit
permission of the owner. Only interact with your own accounts for security
research purposes.
If you do inadvertently encounter user data, contact us immediately. Do not
view, alter, save, store, transfer, or otherwise access the data, and
immediately purge the data from your machine.
Act in good faith to avoid violating privacy, destroying data, or otherwise
disrupting our services.
Do not attempt any form of social engineering (e.g. phishing, smishing).
Comply with all applicable laws.
Safe Harbor
Activities conducted in a manner consistent with this policy will be considered
authorized conduct and we will not initiate legal action against you. If legal
action is initiated by a third party against you in connection with activities
conducted under this policy, we will take steps to make it known that your
actions were conducted in compliance with this policy.
