We're extremely grateful for security researchers and users that report vulnerabilities to the ClickHouse Open Source Community in general and Altinity in particular. All reports are thoroughly investigated by developers.

To report a potential vulnerability, send the details of the potential vulnerability to [email protected].

• You think you discovered a potential security vulnerability in an Altinity Stable Build
• You are unsure how a vulnerability affects ClickHouse or an Altinity Stable Build

• You need help tuning your system for security
• You need help applying security related updates
• Your issue is not security related

Each report sent to Altinity is acknowledged and analyzed within five working days. The result of our analysis may be to pass the report on to ClickHouse.com, at which point their security policies apply.

If the vulnerability is verified as a threat and it applies only to code maintained by Altinity, a public disclosure date will be negotiated by Altinity and the bug submitter. We prefer to fully disclose the vulnerability as soon as possible once a user mitigation is available. It is reasonable to delay disclosure when the vulnerability, fix, or mitigation is not yet fully understood, the solution is not well-tested, or for vendor coordination. The timeframe for disclosure is from immediate (especially if it's already publicly known) to 90 days. For a vulnerability with a straightforward mitigation, we expect the report date to disclosure date to be on the order of 7 days.

The following versions of Altinity Stable Builds are currently being supported with security updates:

©2024 Altinity Inc. All rights reserved. Altinity®, Altinity.Cloud®, and Altinity Stable Builds® are registered trademarks of Altinity, Inc. ClickHouse® is a registered trademark of ClickHouse, Inc.