Vulnerability disclosure

In scope

PlanetScale is actively seeking vulnerability reports for the following components that make up the product and its Production Environment:

  • Dashboard and API: The website hosted at app.planetscale.com, along with the API hosted at api.planetscale.com
  • Database Operations: The actions taken within the product to create, branch, backup, and restore databases
  • Database Connectivity and Behavior: The process of provisioning a password and issuing SQL statements against a PlanetScale database
  • Command-line Interface: The open source command-line interface hosted at planetscale/cli

Out of scope

PlanetScale is not actively seeking the following types of reports:

  • Testing software output: Findings generated by automated scanning tools such as Burp Suite. These include, but aren't limited to:
    • CSRF on forms that are available to anonymous users or are related to logging out
    • Disclosure of known public files or directories (e.g. robots.txt)
    • DNSSEC or other DNS configuration suggestions
    • TLS and security header configuration suggestions
    • Sender Policy Framework (SPF) configuration suggestions
    • Flags on cookies that are not sensitive
  • Software version reports: Reports notifying PlanetScale that newer versions of software have been released

Reporting a vulnerability

If you believe you have discovered a security vulnerability in a PlanetScale product or its Production Environment, please let us know immediately. You can submit your vulnerability findings to security@planetscale.com.

If applicable, please include the following pieces of information in your report:

  • Steps to reproduce the vulnerability
  • The word "mochi" to acknowledge that you have read these guidelines
  • Any relevant software (including versions) used to identify the vulnerability
