Don’t Get Left Behind in the AI Race: Your Easy Starting Point is Here

The Cloudera Security Response Team provides a single point of contact for customers and the community to report and provide information on security vulnerabilities in Cloudera products. The team works internally with Cloudera's Engineering and Support organizations as well as the external Apache community to identify, fix, and communicate security vulnerabilities in all Cloudera products.

How to report a vulnerability

Cloudera strongly encourages customers and the community to report security vulnerabilities to our Security Response Team before disclosing them in a public forum. If you are not a current Cloudera customer, please email security@cloudera.com to report a vulnerability. If you are a Cloudera customer, please create a support case through MyCloudera. Be sure to include details on the version of software you are using and the hardware that it's running on. For any vulnerabilities found on www.cloudera.com or affiliated websites please include the full URL of the site/page where the vulnerability can be reproduced.

Please refrain from sending us reports about the following vulnerabilities:

  • General low severity issues reported by automated scanners

    • Missing Security Headers (eg. HSTS, CSP, SPF, DMARC)

    • Missing Flags on Cookies

    • SSL issues (weak ciphers/key-size)

    • Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no security impact

    • Clickjacking

    • Other general low severity issues reported by automated scanners

  • Rate Limiting (unless it constitutes a significant risk)

  • Attacks requiring MITM or physical access to a user's device

  • Previously known vulnerable libraries without a working Proof of Concept

  • Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]

  • Software version disclosure / Banner identification issues

To submit your report securely to Cloudera, please use the GPG key below.

KEY FINGERPRINT

 

GPG PUBLIC KEY BLOCK

Copy and paste the key below:

Information on known vulnerabilities and issues

All known vulnerabilities are listed in the Cloudera Security Bulletin and in the release notes for the product and version where they are fixed. In addition, all Cloudera vulnerabilities are reported to the National Vulnerability Database and have an assigned CVE number.

Cloudera Security Bulletins

Current known security issues for CM and CDH can be found in the Cloudera Security Bulletin.

Bug Bounty Policy

Cloudera does not currently offer a Bug Bounty for any product or website vulnerabilities.

Handling security vulnerabilities

Click here to learn more about how Cloudera handles security vulnerabilities.

Your form submission has failed.

This may have been caused by one of the following:

  • Your request timed out
  • A plugin/browser extension blocked the submission. If you have an ad blocking plugin please disable it and close this message to reload the page.