Vulnerability Disclosure Policy

Vulnerability disclosure philosophy

Talend accepts vulnerability reports from all sources such as independent security researchers, industry partners, vendors, customers and consultants. Talend defines a security vulnerability as an unintended weakness or exposure that could be used to compromise the integrity, availability or confidentiality of our products and services.

Security researchers

Talend accepts vulnerability reports from all sources such as independent security researchers, industry partners, vendors, customers and consultants. Talend defines a security vulnerability as an unintended weakness or exposure that could be used to compromise the integrity, availability or confidentiality of our products and services.

Overview

Before participating in Talend’s Vulnerability Disclosure Policy, conducting any testing of Talend networks, and prior to submitting a report, you must agree to abide by the terms and conditions found here and at Bugcrowd. Furthermore, at all times during your search and reporting of vulnerabilities, you agree to abide by the Talend Terms of Use, and you agree to have your information processed in accordance with Talend’s Privacy Policy. Failure to abide by the terms and conditions will result in the loss of being considered a security researcher under Talend’s program.

Scope

This policy applies to any digital assets owned, operated, or maintained by Talend, including public facing websites.

Our commitment to researchers

  • Trust. We maintain trust and confidentiality in our professional exchanges with security researchers.
  • Respect. We treat all researchers with respect and recognize your contribution for keeping our customers safe and secure.
  • Transparency. We will work with you to validate and remediate reported vulnerabilities in accordance with our commitment to security and privacy.
  • Common Good. We investigate and remediate issues in a manner consistent with protecting the safety and security of those potentially affected by a reported vulnerability.

What we ask of researchers

  • Trust. We request that you communicate about potential vulnerabilities in a responsible manner, providing sufficient time and information for our team to validate and address potential issues.
  • Respect. We request that researchers make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction of data during security testing.
  • Common Good. We request that researchers act for the common good, protecting user privacy and security by refraining from publicly disclosing unverified vulnerabilities until our team has had time to validate and address reported issues. Public disclosure of the submission details of any identified or alleged vulnerability without express written consent from Talend will deem the submission as noncompliant with this Vulnerability Disclosure Policy.

In addition

  • You must not reside in a country currently on any sanction or embargoed country list where Talend is established.
  • The reported vulnerability must be original. The first person to submit a valid report shall be credited.
  • You must not be the author of the vulnerable code.
  • You must not attempt brute force attacks, denial of service attacks, or user credential harvesting.
  • You must not utilize social engineering of our employees and contractors to leverage exploitation of any kind is considered out of scope.
  • In the event of disclosure of personal data of another person, you are directed to cease the affecting activity, document steps to replicate, and submit the report as soon as possible.
  • If you have discovered a vulnerability, do not disclose details of your findings publicly or to a third-party.
  • Bounty payouts are subject to taxes of your country of residence and you are responsible for any tax implications.

Information you receive or collect about Talend or its affiliates through the Program, whether in oral, visual, written or electronic format, may be deemed proprietary and confidential ("Confidential Information").

Vulnerability reporting

Talend recommends that security researchers share the details of any suspected vulnerabilities across any asset owned, controlled, or operated by Talend (or that would reasonably impact the security of Talend and our users) using the web form below. The Talend Security team will acknowledge receipt of each vulnerability report, conduct a thorough investigation, and then take appropriate action for resolution.