Security: databrickslabs/ucx

Security Policy

We take the security of UCX seriously and appreciate the efforts of security researchers and users to responsibly disclose any vulnerabilities.

Supported Versions

Security update releases will only apply to the latest version of UCX and will not be backported. When a security update is released, it will be called out at the top of the version release notes.

Reporting a Vulnerability

If you discover a security vulnerability in UCX:

  • DO NOT open a public GitHub issue.
  • Please email us at [email protected] with:
    • A description of the vulnerability
    • Steps to reproduce it
    • Potential impact or affected components
  • Alternatively, you can share this information directly with your Databricks representative.

We will review your report promptly and work with you to verify and resolve the issue. We aim to acknowledge receipt of your report within 48 hours.

Security Best Practices

  • Use the latest released version of UCX.
  • Review UCX documentation for recommended configurations and operational security considerations.

There aren’t any published security advisories