Vulnerability Disclosure Policy

Version 1.1, updated March 2025

Datalust is committed to building secure, trustworthy products and services. A cornerstone of that trust is our prompt remediation and disclosure of known security vulnerabilities in our products, whether those vulnerabilities are reported by third parties or discovered internally by us. This policy sets out how Datalust handles this process.

Scope

This policy specifically applies to:

If you have found an issue in a related project not listed here, or in a website or service operated by Datalust, please use the reporting mechanism discussed below. We welcome all reports, and will follow mitigation and disclosure processes appropriate to the software and data involved.

Principles

In responding to security issues, we will prioritize our customers' security over other business interests.

Datalust adheres to coordinated disclosure principles, also known as "responsible disclosure". Upon discovery of a vulnerability, our aim is to supply security fixes to our customers as swiftly as possible, while allowing a reasonable window for fixes to be applied before disclosing further information that could be used by malicious parties.

After the fix window elapses, Datalust will in most cases publish detailed information about the vulnerability, as this helps customers assess our security efforts and improve the security of their Seq deployments. We believe that suppressing vulnerability information only benefits attackers, who are generally sufficiently motivated to find this information for themselves.

Where to report issues

Please report security-relevant issues by email to [email protected]. If you wish, you may encrypt your communication using our PGP key (fingerprint 8E1D82F2E580F618A0B79A06D97D54B105C3DF22).

Datalust requests that you do not share information regarding the vulnerability in any public forum until we have responded to the issue. Please do not raise issues on GitHub, post comments to our blog, or contact us through social media channels with security-related questions: all security-related communications should be directed solely to the email address above.

We do not currently offer monetary rewards for unsolicited security research on our products or open source projects.

Target disclosure timeline

  1. As soon as possible upon receiving a vulnerability report or internally discovering a security-relevant issue, Datalust will triage according to likely impacts and commence any necessary investigations.
  2. Within 24 hours of receiving a vulnerability report, Datalust will respond with an outlined course of action or follow-up questions if necessary.
  3. Datalust will publish patches for all supported product versions within a window determined by the severity classification assigned by Datalust:
    • For "high" and "critical" severity issues, within 7 days of receiving the report,
    • For "medium" severity issues, within 30 days, and
    • For "low" severity issues, within 90 days.
  4. Within 24 hours of publishing patches:
    • A CVE will be requested, if this has not already occurred.
    • Datalust will raise an issue labeled security on the public Seq issue tracker with sufficient information to characterize the nature of the issue, including its CVSS score. If a CVE ID has been assigned at the time of publishing, the issue will include the assigned CVE ID and additional details associated with the CVE entry. If a CVE ID is not yet available at the time of publishing, the issue will be updated with this information as soon as a CVE ID is assigned.
    • For "high" and "critical" severity issues, Datalust will send a Seq Security Advisory by email to the registered account owners and purchasing contacts for all active Seq subscriptions.
  5. 30 days after publishing patches, the issue tracking the vulnerability will be updated with a full issue description, and a postmortem review detailing the issue's disclosure timeline, Datalust's response, and any variations from the targets and procedures set out in this policy.

Note that this timeline is our target and not a guarantee. We aim to exceed the standard of responsiveness set here, but because we cannot foresee the nature of all possible issues, on occasion it may be necessary to modify these steps or work to an extended timeline. In those instances we will transparently communicate any variations to the original reporter, and include this information in our disclosure postmortem (5).

Patch distribution channels

For the Seq product, security updates should be expected via:

Other media such as package managers may incur additional publishing delays and should not be relied upon for timely security updates.

For Datalust's open source projects, the primary distribution channels for security updates are either or both of:

Monitoring vulnerabilities in Datalust products

There are two reliable channels for monitoring vulnerabilities in Datalust products:

Under our target disclosure timeline, the public Seq issue tracker may be updated ahead of the corresponding CVE record becoming available.

Questions and feedback

We welcome your questions and feedback on this policy. Please contact our regular support address with your comments.