If you discover a security vulnerability in XTDB, please report it privately to the XTDB team at security@xtdb.com.
Please do not file public GitHub issues for security concerns, even if you believe they are minor or low impact.
If you prefer to encrypt your message, you can use @jarohen's Keybase profile to find the appropriate PGP key.
We support coordinated disclosure and ask that you give us an opportunity to investigate and address the issue before disclosing it publicly.
You may also report issues using the GitHub security advisory workflow. This allows private reporting and optional CVE publication via GitHub's interface.
We aim to:
- Acknowledge vulnerability reports within 48 hours
- Provide a resolution or mitigation within 90 days, depending on severity and complexity
We will keep you informed throughout the process and notify you when a fix is available.
The following XTDB versions receive security updates:
| Version | Status |
|---|---|
| 2.x | ✅ Supported |
| 1.24.x | ✅ Supported |
| < 1.24.0 | ❌ Unsupported |
We recommend using the latest patch release in a supported series to receive security updates.
XTDB uses Dependabot to monitor upstream dependencies for known vulnerabilities. We actively maintain and upgrade critical libraries such as:
- Kotlin and Java platform dependencies
- Netty (for networking)
- Kafka client
- Cloud storage SDKs (e.g., AWS S3)
XTDB is designed for trusted environments. Specifically:
- XTDB nodes are expected to run behind firewalls
- Users are responsible for securing their object stores and transaction logs
- Authentication, access control, and network security are the responsibility of the deployment environment