In scope
PlanetScale is actively seeking vulnerability reports for the following components that make up the product and its Production Environment:- Dashboard and API: The website hosted at app.planetscale.com, along with the API hosted at api.planetscale.com
- Database Operations: The actions taken within the product to create, branch, backup, and restore databases
- Database Connectivity and Behavior: The process of provisioning a password and issuing SQL statements against a PlanetScale database
- Command-line Interface: The open source command-line interface hosted at planetscale/docs/cli
Out of scope
PlanetScale is not actively seeking the following types of reports:- Testing software output: Output generated from automated testing software like Burp Suite. These include, but aren’t limited to:
- CSRF on forms that are available to anonymous users or are related to logging out
- Disclosure of known public files or directories (i.e.
robots.txt) - DNSSEC or other DNS configuration suggestions
- TLS and security header configuration suggestions
- Sender Policy Framework (SPF) configuration suggestions
- Flags on cookies that are not sensitive
- Software version reports: Reports notifying PlanetScale that newer versions of software have been released
Reporting a vulnerability
If you believe you have discovered a security vulnerability in a PlanetScale product or its Production Environment, please let us know immediately. You can submit your vulnerability findings to security@planetscale.com. If applicable, please include the following pieces of information in your report:- Steps to reproduce the vulnerability
- The word “mochi” to acknowledge that you have read these guidelines
- Any relevant software (including versions) used to identify the vulnerability