Security: estuary/examples

Security Policy

Estuary is committed to the security of our platform and the safety of our customers. We appreciate the efforts of security researchers who help us maintain a secure product.

Reporting a Vulnerability

Please do not report security vulnerabilities through public GitHub issues.

Preferred method: Use GitHub's built-in "Report a vulnerability" feature in the Security tab of the repository where the vulnerability exists. This keeps the report private and associated with the relevant codebase.

Alternatively, you can email security@estuary.dev — this is equally acceptable, especially for vulnerabilities that span multiple repositories or affect Estuary's infrastructure.

What to Include

  • A description of the vulnerability and its potential impact
  • Steps to reproduce the issue
  • Proof-of-concept code, if available
  • Any plans or intentions for public disclosure

What to Expect

  • Acknowledgment within 2 business days of your report
  • Timeline and status updates after triage, with transparency about remediation progress
  • Open dialog to discuss the issue throughout the process
  • Notification when the vulnerability analysis has completed each stage of review
  • Credit after the vulnerability has been validated and fixed, if desired

Scope

This security policy applies to:

  • Estuary Flow platform and its components
  • Estuary-maintained open source repositories
  • Estuary's public-facing infrastructure

Safe Harbor

Estuary will not pursue legal action against individuals who submit vulnerability reports through our reporting channel, provided they:

  • Test systems without harming Estuary or its customers
  • Stay within the scope of the vulnerability disclosure program
  • Do not access, modify, or delete customer data
  • Adhere to applicable laws
  • Refrain from public disclosure before a mutually agreed-upon timeframe

Out of Scope

The following are not in scope for this policy:

  • Social engineering attacks against Estuary employees
  • Denial of service attacks
  • Physical security issues
  • Issues in third-party applications or services not maintained by Estuary

Additional Information

For Estuary's full Responsible Disclosure Policy, including our whistleblower provisions, please contact security@estuary.dev.
