Supplementary vulnerability issue report document

src/.vuepress/sidebar_timecho/V1.3.x/en.ts

@@ -31,6 +31,7 @@ export const enSidebar = {
         { text: 'IoTDB Introduction', link: 'IoTDB-Introduction_timecho' },
         { text: 'Scenario', link: 'Scenario' },
         { text: 'Release History', link: 'Release-history_timecho' },
+        { text: 'Vulnerability submission', link: 'Vulnerability-submission' },
       ],
     },
     {

src/.vuepress/sidebar_timecho/V1.3.x/zh.ts

@@ -31,6 +31,7 @@ export const zhSidebar = {
         { text: '产品介绍', link: 'IoTDB-Introduction_timecho' },
         { text: '应用场景', link: 'Scenario' },
         { text: '发布历史', link: 'Release-history_timecho' },
+        { text: '漏洞提报', link: 'Vulnerability-submission' },
       ],
     },
     {

src/.vuepress/sidebar_timecho/V2.0.x/en-Table.ts

@@ -30,6 +30,7 @@ export const enSidebar = {
         { text: 'IoTDB Introduction', link: 'IoTDB-Introduction_timecho' },
         { text: 'Scenario', link: 'Scenario' },
         { text: 'Release History', link: 'Release-history_timecho' },
+        { text: 'Vulnerability submission', link: 'Vulnerability-submission' },
       ],
     },
     {

src/.vuepress/sidebar_timecho/V2.0.x/en-Tree.ts

@@ -30,6 +30,7 @@ export const enSidebar = {
         { text: 'IoTDB Introduction', link: 'IoTDB-Introduction_timecho' },
         { text: 'Scenario', link: 'Scenario' },
         { text: 'Release History', link: 'Release-history_timecho' },
+        { text: 'Vulnerability submission', link: 'Vulnerability-submission' },
       ],
     },
     {

src/.vuepress/sidebar_timecho/V2.0.x/zh-Table.ts

@@ -30,6 +30,7 @@ export const zhSidebar = {
         { text: '产品介绍', link: 'IoTDB-Introduction_timecho' },
         { text: '应用场景', link: 'Scenario' },
         { text: '发布历史', link: 'Release-history_timecho' },
+        { text: '漏洞提报', link: 'Vulnerability-submission' },
       ],
     },
     {

src/.vuepress/sidebar_timecho/V2.0.x/zh-Tree.ts

@@ -30,6 +30,7 @@ export const zhSidebar = {
         { text: '产品介绍', link: 'IoTDB-Introduction_timecho' },
         { text: '应用场景', link: 'Scenario' },
         { text: '发布历史', link: 'Release-history_timecho' },
+        { text: '漏洞提报', link: 'Vulnerability-submission' },
       ],
     },
     {

src/UserGuide/Master/Table/IoTDB-Introduction/Vulnerability-submission.md

@@ -0,0 +1,56 @@
+<!--
+
+    Licensed to the Apache Software Foundation (ASF) under one
+    or more contributor license agreements.  See the NOTICE file
+    distributed with this work for additional information
+    regarding copyright ownership.  The ASF licenses this file
+    to you under the Apache License, Version 2.0 (the
+    "License"); you may not use this file except in compliance
+    with the License.  You may obtain a copy of the License at
+
+        http://www.apache.org/licenses/LICENSE-2.0
+
+    Unless required by applicable law or agreed to in writing,
+    software distributed under the License is distributed on an
+    "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+    KIND, either express or implied.  See the License for the
+    specific language governing permissions and limitations
+    under the License.
+
+-->
+
+# Vulnerability submission
+
+To ensure the security and user experience of TimechoDB and related tools, we have established a standardized vulnerability response mechanism. If you discover any product vulnerabilities, please follow the process below to provide feedback. We will promptly follow up and keep you updated on the progress.
+
+### 1. Email Reporting Guidelines
+
+When using TimechoDB core products, related ecosystem components, or accompanying operation tools, if you identify security risks or functional abnormalities, please submit your feedback via the dedicated email address with the following requirements:
+
+- Reporting Email: **security@timecho.com**
+
+- To help us locate and verify vulnerabilities more efficiently, please include the following key information in your email:
+  - Core vulnerability details: affected product, module name, vulnerability scenario, description of the vulnerability phenomenon, and reproducible steps.
+  - If available, please attach screenshots, error logs, or other supporting materials, which will significantly improve verification efficiency.
+
+
+### 2. Verification Result Notification
+
+After receiving your report, we will complete the vulnerability verification as soon as possible and notify you of the results via the original reporting email. There are two specific scenarios:
+
+- **If the vulnerability is verified as "valid"**:
+  - The email will clearly inform you that the "vulnerability has been confirmed" and include the official CNNVD (National Information Security Vulnerability Database) submission guide (with official website link: [www.cnnvd.org.cn](https://www.cnnvd.org.cn/)).
+  - You can follow the guide to submit official vulnerability information to CNNVD.
+- **If the vulnerability is verified as "invalid" or "non-reproducible"**:
+  - If determined as "invalid": the email will clearly explain the reasons why the vulnerability is invalid.
+  - If determined as "non-reproducible": the email will inform you about what additional information is needed, such as more detailed reproduction steps.
+
+### 3. Follow-up Progress on Vulnerabilities**
+
+- If the reported vulnerability is confirmed as valid, you need to complete the official submission through the CNNVD website. When submitting, please fill in the following information as prompted on the webpage:
+  - Basic information: vulnerability name, affected product name, affected product version.
+  - Vulnerability details: complete vulnerability description.
+  - Vulnerability rating: according to official standards, assess the vulnerability level based on the difficulty of exploitation and the impact level after exploitation.
+
+- Fix Progress and Result Notification
+  - We will arrange the vulnerability repair team to address the issue based on its severity. Once the vulnerability is fixed and released in a new version, we will notify you via the original reporting email about the resolution status: fixed version number, version download/update links, etc., ensuring you can update promptly to mitigate risks.

src/UserGuide/Master/Tree/IoTDB-Introduction/Vulnerability-submission.md

@@ -0,0 +1,56 @@
+<!--
+
+    Licensed to the Apache Software Foundation (ASF) under one
+    or more contributor license agreements.  See the NOTICE file
+    distributed with this work for additional information
+    regarding copyright ownership.  The ASF licenses this file
+    to you under the Apache License, Version 2.0 (the
+    "License"); you may not use this file except in compliance
+    with the License.  You may obtain a copy of the License at
+
+        http://www.apache.org/licenses/LICENSE-2.0
+
+    Unless required by applicable law or agreed to in writing,
+    software distributed under the License is distributed on an
+    "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+    KIND, either express or implied.  See the License for the
+    specific language governing permissions and limitations
+    under the License.
+
+-->
+
+# Vulnerability submission
+
+To ensure the security and user experience of TimechoDB and related tools, we have established a standardized vulnerability response mechanism. If you discover any product vulnerabilities, please follow the process below to provide feedback. We will promptly follow up and keep you updated on the progress.
+
+### 1. Email Reporting Guidelines
+
+When using TimechoDB core products, related ecosystem components, or accompanying operation tools, if you identify security risks or functional abnormalities, please submit your feedback via the dedicated email address with the following requirements:
+
+- Reporting Email: **security@timecho.com**
+
+- To help us locate and verify vulnerabilities more efficiently, please include the following key information in your email:
+  - Core vulnerability details: affected product, module name, vulnerability scenario, description of the vulnerability phenomenon, and reproducible steps.
+  - If available, please attach screenshots, error logs, or other supporting materials, which will significantly improve verification efficiency.
+
+
+### 2. Verification Result Notification
+
+After receiving your report, we will complete the vulnerability verification as soon as possible and notify you of the results via the original reporting email. There are two specific scenarios:
+
+- **If the vulnerability is verified as "valid"**:
+  - The email will clearly inform you that the "vulnerability has been confirmed" and include the official CNNVD (National Information Security Vulnerability Database) submission guide (with official website link: [www.cnnvd.org.cn](https://www.cnnvd.org.cn/)).
+  - You can follow the guide to submit official vulnerability information to CNNVD.
+- **If the vulnerability is verified as "invalid" or "non-reproducible"**:
+  - If determined as "invalid": the email will clearly explain the reasons why the vulnerability is invalid.
+  - If determined as "non-reproducible": the email will inform you about what additional information is needed, such as more detailed reproduction steps.
+
+### 3. Follow-up Progress on Vulnerabilities**
+
+- If the reported vulnerability is confirmed as valid, you need to complete the official submission through the CNNVD website. When submitting, please fill in the following information as prompted on the webpage:
+  - Basic information: vulnerability name, affected product name, affected product version.
+  - Vulnerability details: complete vulnerability description.
+  - Vulnerability rating: according to official standards, assess the vulnerability level based on the difficulty of exploitation and the impact level after exploitation.
+
+- Fix Progress and Result Notification
+  - We will arrange the vulnerability repair team to address the issue based on its severity. Once the vulnerability is fixed and released in a new version, we will notify you via the original reporting email about the resolution status: fixed version number, version download/update links, etc., ensuring you can update promptly to mitigate risks.

src/UserGuide/V1.3.x/IoTDB-Introduction/Vulnerability-submission.md

@@ -0,0 +1,56 @@
+<!--
+
+    Licensed to the Apache Software Foundation (ASF) under one
+    or more contributor license agreements.  See the NOTICE file
+    distributed with this work for additional information
+    regarding copyright ownership.  The ASF licenses this file
+    to you under the Apache License, Version 2.0 (the
+    "License"); you may not use this file except in compliance
+    with the License.  You may obtain a copy of the License at
+
+        http://www.apache.org/licenses/LICENSE-2.0
+
+    Unless required by applicable law or agreed to in writing,
+    software distributed under the License is distributed on an
+    "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+    KIND, either express or implied.  See the License for the
+    specific language governing permissions and limitations
+    under the License.
+
+-->
+
+# Vulnerability submission
+
+To ensure the security and user experience of TimechoDB and related tools, we have established a standardized vulnerability response mechanism. If you discover any product vulnerabilities, please follow the process below to provide feedback. We will promptly follow up and keep you updated on the progress.
+
+### 1. Email Reporting Guidelines
+
+When using TimechoDB core products, related ecosystem components, or accompanying operation tools, if you identify security risks or functional abnormalities, please submit your feedback via the dedicated email address with the following requirements:
+
+- Reporting Email: **security@timecho.com**
+
+- To help us locate and verify vulnerabilities more efficiently, please include the following key information in your email:
+  - Core vulnerability details: affected product, module name, vulnerability scenario, description of the vulnerability phenomenon, and reproducible steps.
+  - If available, please attach screenshots, error logs, or other supporting materials, which will significantly improve verification efficiency.
+
+
+### 2. Verification Result Notification
+
+After receiving your report, we will complete the vulnerability verification as soon as possible and notify you of the results via the original reporting email. There are two specific scenarios:
+
+- **If the vulnerability is verified as "valid"**:
+  - The email will clearly inform you that the "vulnerability has been confirmed" and include the official CNNVD (National Information Security Vulnerability Database) submission guide (with official website link: [www.cnnvd.org.cn](https://www.cnnvd.org.cn/)).
+  - You can follow the guide to submit official vulnerability information to CNNVD.
+- **If the vulnerability is verified as "invalid" or "non-reproducible"**:
+  - If determined as "invalid": the email will clearly explain the reasons why the vulnerability is invalid.
+  - If determined as "non-reproducible": the email will inform you about what additional information is needed, such as more detailed reproduction steps.
+
+### 3. Follow-up Progress on Vulnerabilities**
+
+- If the reported vulnerability is confirmed as valid, you need to complete the official submission through the CNNVD website. When submitting, please fill in the following information as prompted on the webpage:
+  - Basic information: vulnerability name, affected product name, affected product version.
+  - Vulnerability details: complete vulnerability description.
+  - Vulnerability rating: according to official standards, assess the vulnerability level based on the difficulty of exploitation and the impact level after exploitation.
+
+- Fix Progress and Result Notification
+  - We will arrange the vulnerability repair team to address the issue based on its severity. Once the vulnerability is fixed and released in a new version, we will notify you via the original reporting email about the resolution status: fixed version number, version download/update links, etc., ensuring you can update promptly to mitigate risks.

src/UserGuide/dev-1.3/IoTDB-Introduction/Vulnerability-submission.md

@@ -0,0 +1,56 @@
+<!--
+
+    Licensed to the Apache Software Foundation (ASF) under one
+    or more contributor license agreements.  See the NOTICE file
+    distributed with this work for additional information
+    regarding copyright ownership.  The ASF licenses this file
+    to you under the Apache License, Version 2.0 (the
+    "License"); you may not use this file except in compliance
+    with the License.  You may obtain a copy of the License at
+
+        http://www.apache.org/licenses/LICENSE-2.0
+
+    Unless required by applicable law or agreed to in writing,
+    software distributed under the License is distributed on an
+    "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+    KIND, either express or implied.  See the License for the
+    specific language governing permissions and limitations
+    under the License.
+
+-->
+
+# Vulnerability submission
+
+To ensure the security and user experience of TimechoDB and related tools, we have established a standardized vulnerability response mechanism. If you discover any product vulnerabilities, please follow the process below to provide feedback. We will promptly follow up and keep you updated on the progress.
+
+### 1. Email Reporting Guidelines
+
+When using TimechoDB core products, related ecosystem components, or accompanying operation tools, if you identify security risks or functional abnormalities, please submit your feedback via the dedicated email address with the following requirements:
+
+- Reporting Email: **security@timecho.com**
+
+- To help us locate and verify vulnerabilities more efficiently, please include the following key information in your email:
+  - Core vulnerability details: affected product, module name, vulnerability scenario, description of the vulnerability phenomenon, and reproducible steps.
+  - If available, please attach screenshots, error logs, or other supporting materials, which will significantly improve verification efficiency.
+
+
+### 2. Verification Result Notification
+
+After receiving your report, we will complete the vulnerability verification as soon as possible and notify you of the results via the original reporting email. There are two specific scenarios:
+
+- **If the vulnerability is verified as "valid"**:
+  - The email will clearly inform you that the "vulnerability has been confirmed" and include the official CNNVD (National Information Security Vulnerability Database) submission guide (with official website link: [www.cnnvd.org.cn](https://www.cnnvd.org.cn/)).
+  - You can follow the guide to submit official vulnerability information to CNNVD.
+- **If the vulnerability is verified as "invalid" or "non-reproducible"**:
+  - If determined as "invalid": the email will clearly explain the reasons why the vulnerability is invalid.
+  - If determined as "non-reproducible": the email will inform you about what additional information is needed, such as more detailed reproduction steps.
+
+### 3. Follow-up Progress on Vulnerabilities**
+
+- If the reported vulnerability is confirmed as valid, you need to complete the official submission through the CNNVD website. When submitting, please fill in the following information as prompted on the webpage:
+  - Basic information: vulnerability name, affected product name, affected product version.
+  - Vulnerability details: complete vulnerability description.
+  - Vulnerability rating: according to official standards, assess the vulnerability level based on the difficulty of exploitation and the impact level after exploitation.
+
+- Fix Progress and Result Notification
+  - We will arrange the vulnerability repair team to address the issue based on its severity. Once the vulnerability is fixed and released in a new version, we will notify you via the original reporting email about the resolution status: fixed version number, version download/update links, etc., ensuring you can update promptly to mitigate risks.