Skip to content

Security: Aed-p/ClickHouse

Security

SECURITY.md

ClickHouse Security Vulnerability Response Policy

Security Change Log and Support

Details regarding security fixes are publicly reported in our security changelog. A summary of known security vulnerabilities is shown at the bottom of this page.

Vulnerability notifications pre-release or during embargo periods are available to open source users and support customers registered for vulnerability alerts. Refer to our Embargo Policy below.

The following versions of ClickHouse server are currently supported with security updates:

Version Supported
24.9 ✔️
24.8 ✔️
24.7 ✔️
24.6
24.5
24.4
24.3 ✔️
24.2
24.1
23.*
22.*
21.*
20.*
19.*
18.*
1.*

Reporting a Vulnerability

We're extremely grateful for security researchers and users that report vulnerabilities to the ClickHouse Open Source Community. All reports are thoroughly investigated by developers.

To report a potential vulnerability in ClickHouse please send the details about it through our public bug bounty program hosted by Bugcrowd and be rewarded for it as per the program scope and rules of engagement.

When Should I Report a Vulnerability?

  • You think you discovered a potential security vulnerability in ClickHouse
  • You are unsure how a vulnerability affects ClickHouse

When Should I NOT Report a Vulnerability?

  • You need help tuning ClickHouse components for security
  • You need help applying security related updates
  • Your issue is not security related

Security Vulnerability Response

Each report is acknowledged and analyzed by ClickHouse maintainers within 5 working days. As the security issue moves from triage, to identified fix, to release planning we will keep the reporter updated.

Public Disclosure Timing

A public disclosure date is negotiated by the ClickHouse maintainers and the bug submitter. We prefer to fully disclose the bug as soon as possible once a user mitigation is available. It is reasonable to delay disclosure when the bug or the fix is not yet fully understood, the solution is not well-tested, or for vendor coordination. The timeframe for disclosure is from immediate (especially if it's already publicly known) to 90 days. For a vulnerability with a straightforward mitigation, we expect the report date to disclosure date to be on the order of 7 days.

Embargo Policy

Open source users and support customers may subscribe to receive alerts during the embargo period by visiting https://trust.clickhouse.com/?product=clickhouseoss, requesting access and subscribing for alerts. Subscribers agree not to make these notifications public, issue communications, share this information with others, or issue public patches before the disclosure date. Accidental disclosures must be reported immediately to trust@clickhouse.com. Failure to follow this policy or repeated leaks may result in removal from the subscriber list.

Participation criteria:

  1. Be a current open source user or support customer with a valid corporate email domain (no @gmail.com, @azure.com, etc.).
  2. Sign up to the ClickHouse OSS Trust Center at https://trust.clickhouse.com.
  3. Accept the ClickHouse Security Vulnerability Response Policy as outlined above.
  4. Subscribe to ClickHouse OSS Trust Center alerts.

Removal criteria:

  1. Members may be removed for failure to follow this policy or repeated leaks.
  2. Members may be removed for bounced messages (mail delivery failure).
  3. Members may unsubscribe at any time.

Notification process: ClickHouse will post notifications within our OSS Trust Center and notify subscribers. Subscribers must log in to the Trust Center to download the notification. The notification will include the timeframe for public disclosure.

There aren’t any published security advisories