If you haven’t heard about the Apache Pinot® vulnerabilities announced last week by Doyensec, then let me be the first to tell you that they exist. Their blog post goes into detail about how the exploits work, but in short, there are three vulnerabilities:
1. Parsing of the OPTIONS() clause. This is a medium-severity SQL injection vulnerability that is in the process of being addressed right now.
2. The timeout bug. An attacker can cause Pinot Server CPU usage to spike, thus denying service to clients. This is a medium-severity vulnerability that will be fixed in a near-future release.
3. Groovy Remote Code Execution. This is a severe vulnerability. The change disabling Groovy by default is already merged, and will be in the 0.11.0 release. If you are running any current or previous release of Pinot, you should disable Groovy.
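To check the Groovy point above rather than take it on trust, here is an added example (it is not from the original post, from Doyensec, or from the Pinot project): a small Python probe that submits a harmless Groovy UDF query to a broker's `/query/sql` endpoint and classifies the reply. It assumes the broker's standard JSON request and response shape (`sql` in, `resultTable` and `exceptions` out), uses placeholder table and column names, and treats the word "groovy" in an error message as a heuristic signal that the UDF was refused, not as an exact Pinot error string. The sample responses at the bottom are constructed so the classifier can be exercised offline.

```python
import json
import urllib.request

# Placeholder names (assumption); replace with a real table and column in your cluster.
TABLE = "myTable"
COLUMN = "myColumn"


def groovy_probe_sql(table: str, column: str) -> str:
    """Build a query that only returns rows if the cluster executes Groovy.

    The script is deliberately harmless: it returns its argument as a string.
    The groovy() UDF takes (metadata JSON, script, args...), as in the public
    Pinot query docs.
    """
    metadata = '{"returnType":"STRING","isSingleValue":true}'
    return (
        f"SELECT groovy('{metadata}', 'arg0.toString()', {column}) "
        f"FROM {table} LIMIT 1"
    )


def classify_response(body: dict) -> str:
    """Classify a broker JSON response as 'enabled', 'disabled' or 'inconclusive'.

    Assumption: the response carries `exceptions` (a list of dicts with a
    `message`) and `resultTable` (a dict with `rows`). Matching "groovy" in the
    error text is a heuristic, not a documented Pinot error code.
    """
    exceptions = body.get("exceptions") or []
    if exceptions:
        messages = " ".join(str(e.get("message", "")) for e in exceptions).lower()
        # An error that names Groovy is what we expect when the UDF is refused.
        # Any other error (bad table name, timeout) proves nothing either way.
        return "disabled" if "groovy" in messages else "inconclusive"
    rows = (body.get("resultTable") or {}).get("rows") or []
    # Rows came back with no exception: the script was compiled and executed.
    return "enabled" if rows else "inconclusive"


def probe_broker(broker_url: str, table: str = TABLE, column: str = COLUMN,
                 timeout: float = 10.0) -> str:
    """POST the probe query to the broker's /query/sql endpoint and classify the reply."""
    req = urllib.request.Request(
        broker_url.rstrip("/") + "/query/sql",
        data=json.dumps({"sql": groovy_probe_sql(table, column)}).encode("utf-8"),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return classify_response(json.load(resp))


# Constructed sample responses (not captured from a real cluster) so the
# classifier can be run offline.
SAMPLE_ENABLED = {
    "resultTable": {
        "dataSchema": {"columnNames": ["groovy(...)"], "columnDataTypes": ["STRING"]},
        "rows": [["42"]],
    },
    "exceptions": [],
}
SAMPLE_DISABLED = {
    "resultTable": {"dataSchema": {"columnNames": [], "columnDataTypes": []}, "rows": []},
    "exceptions": [{"message": "Groovy script execution is disabled"}],
}
SAMPLE_BAD_TABLE = {"exceptions": [{"message": "Table doesNotExist not found"}]}

if __name__ == "__main__":
    for name, sample in [("enabled", SAMPLE_ENABLED), ("disabled", SAMPLE_DISABLED),
                         ("bad table", SAMPLE_BAD_TABLE)]:
        print(f"{name}: {classify_response(sample)}")
    # Against a live broker you own (default broker port is 8099):
    # print(probe_broker("http://localhost:8099", TABLE, COLUMN))
```

An "enabled" result means the cluster will compile and run a script supplied in the query text, which is exactly the exposure being described, so run this only against clusters you are responsible for, and treat "inconclusive" as a prompt to check the broker and server configuration directly rather than as a clean bill of health.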
Now, I’m a Pinot community member, and not a committer to the project myself. I’m relaying a summary of conversations I’ve had with folks on the PMC to get a sense of the issues and what the community can expect going forward. Of course, ultimately this is for the Pinot release process to determine. You can stay apprised of releases on GitHub.
I do need to say that it’s unfortunate the community had to learn about this from a blog post rather than a responsible disclosure to the Pinot PMC. Security research is an enormously valuable (and, we can all agree, quite cool) endeavor, but for it to make our systems more secure rather than sowing the chaos of zero-days into the wild, responsible disclosure is key. The Apache Software Foundation has published guidelines for how to disclose vulnerabilities. If the health of the Pinot community and Pinot itself is important to you, I personally urge you to follow these and insist that others do. Good behavior arguably emerges from a combination of economic incentives and shared norms, and this is a norm I think most of us can agree to share.