Responsible Vulnerability Disclosure (RVD) Policy

Teradata is committed to maintaining the security and integrity of our systems and services and value the contributions of security researchers in helping us maintain a secure environment. Our RVD policy applies to all systems, applications, and services owned or operated by Teradata. Read the policy to understand what actions you should take if you discover a vulnerability.

1. Purpose

Teradata is committed to maintaining the security and integrity of our systems and services and value the contributions of security researchers in helping us maintain a secure environment. This Responsible Vulnerability Disclosure (RVD) Policy outlines our approach to receiving and addressing reports of vulnerabilities in our systems.

2. Scope

This policy applies to all systems, applications, and services owned or operated by Teradata, for example:

  • Web applications
  • APIs
  • Network Infrastructure
  • Mobile applications
  • Any systems, computers, applications, services, etc. owned by Teradata

3. Policy Detail

3.1 Types Of Security Research Prohibited

Teradata does not allow any research to be done on any Teradata systems listed in the Scope section of this policy.

The following activities are not allowed:

  1. Unauthorized Testing: Any form of testing without explicit authorization from Teradata.
  2. Exploitation: Exploiting vulnerabilities without explicit authorization from Teradata.
  3. Social Engineering: Attempting to manipulate employees, customers, or partners to gain unauthorized access without explicit authorization from Teradata.
  4. Physical Attacks: Any physical attacks against our facilities, equipment, or personnel without explicit authorization from Teradata.
  5. Denial of Service Attacks: Any attempts of Denial-of-Service attacks on Teradata without explicit authorization from Teradata.

Any such unauthorized activities may result in legal action.

3.2. Reporting Vulnerabilities Steps

If you discover a security vulnerability, please follow these steps.

  1. Submit a Report: Email our security team at information.security@teradata.com. Include a detailed description of the vulnerability, steps to reproduce it, and any supporting evidence.
  2. Acknowledgment: Teradata will acknowledge receipt of your report.
  3. Investigation: Teradata will investigate the issue promptly.
  4. Resolution: Teradata commits to addressing valid vulnerabilities within a reasonable timeframe.
  5. Public Disclosure: Teradata requests that you do not publicly disclose the vulnerability until we have had sufficient time to address it and have received confirmation that it has been closed.

3.3. Actions And Associated Time Frame

Upon notification of a vulnerability, Teradata will promptly undertake the following steps.

  1. Acknowledgment: Within 15 business days.
  2. Initial Assessment: Within 10 business days.
  3. Resolution: Teradata aims to resolve critical vulnerabilities within a reasonable timeframe after completing the Initial Assessment. In the event that a reported vulnerability is confirmed, it will be handled as an incident in accordance with the documented Teradata Cybersecurity Incident Response Plan. Complex issues may take longer, but we will provide periodic communications to keep you informed of progress.

Teradata will involve our senior management and legal team to determine the appropriate course of action regarding disclosure and notifications as needed.

3.4. Recognition and Rewards

This program isn’t intended to represent a public bug bounty program, and Teradata doesn’t offer rewards or compensation for submitting potential issues.

3.5. Acknowledgment and Communication

Teradata will acknowledge receipt of a vulnerability report. We will then investigate the reported issue promptly and keep the reporter informed of our progress and any necessary steps.

3.6. Resolution And Disclosure

Teradata requests that you do not publicly disclose the vulnerability until we have had sufficient time to address it. Once a vulnerability has been verified and addressed, Teradata may notify the individual who reported the vulnerability and provide details of the resolution. Depending on the severity of the vulnerability and upon receiving advice from our legal counsel, Teradata may opt to issue a security advisory or update to inform our users about the issue and detail the measures implemented to address it.

3.7. Contact Information

For any questions or to report a vulnerability, please contact: information.security@teradata.com

4. Maintenance of Records

This Policy shall be retained in accordance with the Teradata Records Retention Policy.

5. Revision History

Last Update: 8/21/24