In our highly interconnected world, caring about IT security, safety, and data privacy is more important than ever. Everything we do at Crate.io has a special focus on security, including our core database product, CrateDB, our cloud offering, CrateDB Cloud, our integrations, and our customer and partner support.
Reporting security issues
If you have any security concerns related to one of Crate.io's products, services, or websites, reach out to our security team at security@crate.io.
Please do not publish or disclose any of your concerns or findings publicly, and do not use our public issue trackers for these reports, given their sensitive nature. Thank you so much for your understanding.
You will hear back from us within one business day, and we'll keep you in the loop while investigating the reported issue.
Security in CrateDB
By default, CrateDB only allows access via the superuser crate from localhost. While this can be changed, doing so is highly discouraged, to keep the system as secure as possible.
SSL/TLS encryption can be enabled as documented. (Connections to CrateDB are not encrypted by default, since encryption requires valid X.509 certificates.)
Security in CrateDB Cloud
All CrateDB Cloud services run via HTTPS or other encrypted protocols, following modern security best practices. Customer clusters are only available via HTTPS and PostgreSQL's wire protocol with TLS encryption.