Description

Domo provides a cloud-based Business Intelligence platform to more effectively enable users to collaborate and share real-time business data for decision makers across the company with minimal IT involvement.

Bounties

This is a responsible disclosure program without bounties.

Rules of engagement

Required:

  • User-Agent: Intigriti - <username> - Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36
  • max. 5 requests/sec
  • X-Intigriti-Username: {your username}

By participating in this program, you agree to:

  • Respect the Community Code of Conduct
  • Respect the Intigriti Terms and Conditions
  • Respect the scope of the program
  • Not discuss or disclose vulnerability information without prior written consent (including PoCs on YouTube and Vimeo)

Program Rules

  • Please do NOT publicly discuss or publish any vulnerability before it has been fixed and you have received explicit permission from us to do so. You can send us a video as proof of concept, but remember to change its privacy settings to private.
  • Perform testing only on in-scope assets and respect assets and activities which are out of scope. If you are unsure or need advice, contact us at security@domo.com.
  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.
  • If a vulnerability provides unintended access to data, limit the amount of data you access to the minimum required for effectively demonstrating a Proof of Concept.
  • Cease testing and submit a report immediately if you encounter any user data during testing, such as Personally Identifiable Information (PII), Personal Healthcare Information (PHI), credit card data, or proprietary information.
  • All newly published CVE submissions or 0-day vulnerabilities less than 30/60/90 days from patch release will not be accepted into this program.
  • Provide an appropriate level of detail with reproducible steps so that the issue can be easily reproduced.
  • Please include the HTTP requests/responses in the report. This will help us to search for duplicate reports using the endpoint and triage reports more effectively; include the vulnerable requests in the comment using markdown.
  • Please be aware that all reports for the same endpoint, regardless of the HTTP verbs used (e.g. GET, POST, PUT, DELETE), will be considered duplicates as long as the fix has not been applied.
  • Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
Assets

No bounty
URL

This is Domo's main website. Visitors can find company details on its pages, and anyone can sign up on the platform for a free trial. Everything under domo.com/* can be tested.

URL

This is our customer community portal for discussions, technical support assistance, and the knowledge base.

*.domosoftware.net

No bounty
Wildcard

There are some internal services hosted and managed by our DevOps team that would fall under this scope.

*.domotech.io

No bounty
Wildcard

There are some internal services hosted and managed by our DevOps team that would fall under this scope.

*.domolabs.io

No bounty
Wildcard

There are some internal services hosted and managed by our DevOps team that would fall under this scope.

Android

This is our main Android app, replicating the web environment and covering all its features.

Android

Manage tasks on the go with Domo’s Task Center. Monitor, update, and submit tasks through your mobile device. Each task is generated by a workflow, representing a manual step in the process. Tasks are efficiently organized into queues for better categorization and enhanced access control.

Android

Domo Goals allows you to connect business insights to your people to ensure that everyone is aligned to meet your most important company goals, using the power of the Domo Business Cloud.

Domo’s Approvals App allows you to digitize and track all your company’s approval workflows in one centralized location, and empower business users to manage and automate the approval processes that they own.

No bounty
iOS

Domo Goals allows you to connect business insights to your people to ensure that everyone is aligned to meet your most important company goals, using the power of the Domo Business Cloud.

No bounty
iOS

With Domo’s Approvals App, you can automate every approval process that your business requires and track, manage, and collect data on key decisions. It allows your teams to set up their approval workflows on the Domo platform in just minutes, and easily adjust the workflows as your business processes change.

No bounty
iOS

Manage tasks on the go with Domo’s Task Center. Monitor, update, and submit tasks through your mobile device. Tasks are efficiently organized into queues for better categorization and enhanced access control. Each task is generated by a workflow, representing a manual step in the process.

No bounty
iOS

Our iOS app is an exact replica of the web environment, built in Flutter.

*.domo.com

Out of scope
Wildcard

We have thousands of customer subdomains ending in .domo.com, and all such customer domains are strictly out of scope for testing (for example domo.domo.com, domo.demo.domo.com, "anycustomername.domo.com").

In scope

Introduction

We are happy to announce our Vulnerability Disclosure Program! At Domo, we consider the security of our application and systems of utmost importance, and we therefore strive for the highest possible level of security. Despite the great care we take with respect to security, weaknesses can still remain. We ask you not to abuse a vulnerability, but to report the issue to us so that we can take the necessary measures.
Have you found a vulnerability in our product or in one of our other (online) systems? Then please report your findings to us as soon as possible through this portal. Working together with the security research community is an important part of our mission to ensure the security of our services and timely remediation.

We encourage you to refer to https://domo-support.domo.com/s/knowledge-base?language=en_US or any other available online public resources for a thorough understanding of our features.

Out of scope

Domains

  • Any domain that is not listed in the Domains section, is out of scope for this program.
  • All customer subdomains are strictly out of scope for testing, including other customer assets (such as leaked credentials, tokens, keys, etc.) discovered in third-party GitHub repositories or elsewhere.

Functionalities/Expected Behavior/Risk Exceptions (LAST UPDATED: 10-06-2025)

  • We are already aware of SSRF (XSPA) in Connectors, Cloud Amplifier Integrations and Federated Datasets via error messages (unless you can escape the containerized environment and demonstrate considerable impact).
  • XSS in the Pro-code-editor (api/apps/v1/designs) endpoint.
  • Codeengine is containerized, therefore RCE is out of scope (unless you demonstrate access beyond the environment's expected access controls).
  • It's expected that everyone can see every user's contact information including email addresses.
  • Achievements (/api/content/v1/achievements/) are public because they are part of a user's public profile.
  • User profiles are public within a given instance.
  • The Projects and Tasks feature is also public unless you specifically create a private project.
  • The Goals feature is public; there's no way to set your goals private.
  • Sharing a Page with someone will grant Read access to all objects on that page.
  • Domo treats Read on a card as Write: share a card and the recipient can edit it. This flows down to the DataSource level.
  • Sharing a Card will share the dataset.
  • Certification Center (this feature is going to be sunsetted).
  • /api/content/v2/groups/ is public.
  • Please do not report as a vulnerability that you are able to sign up on the platform using your personal email address or through DNS/SMTP collaborator pingbacks (e.g. Burp Collaborator) instead of the [required] business email. The product team is aware of this behavior and it does not pose any security risk.

Note: The above list is not exhaustive and will be updated regularly.

Application

  • WordPress username disclosure
  • Pre-Auth Account takeover/OAuth squatting
  • Self-XSS that can't be used to exploit other users
  • Verbose messages/files/directory listings without disclosing any sensitive information
  • CORS misconfiguration on non-sensitive endpoints
  • Missing cookie flags
  • Missing security headers
  • Cross-site Request Forgery with no or low impact
  • Presence of autocomplete attribute on web forms
  • Reverse tabnabbing
  • Bypassing rate-limits or the non-existence of rate-limits.
  • Best practices violations (password complexity, expiration, re-use, etc.)
  • Clickjacking without proven impact/unrealistic user interaction
  • CSV Injection
  • Sessions not being invalidated (logout, enabling 2FA, etc.)
  • Tokens leaked to third parties
  • Anything related to email spoofing, SPF, DMARC or DKIM
  • Content injection without being able to modify the HTML
  • Username/email enumeration
  • Email bombing
  • HTTP Request smuggling without any proven impact
  • Homograph attacks
  • XMLRPC enabled
  • Banner grabbing/Version disclosure
  • Not stripping metadata of files
  • Same-site scripting
  • Subdomain takeover without taking over the subdomain
  • Arbitrary file upload without proof of the existence of the uploaded file
  • Blind SSRF without proven business impact (pingbacks aren't sufficient)
  • Disclosed/misconfigured Google Maps API keys
  • Host header injection without proven business impact
  • Missing Rate Limit on the login/authentication page

General

  • If a reported vulnerability was already known to us from our own tests, it will be flagged as a duplicate
  • Theoretical security issues with no realistic exploit scenario(s) or attack surfaces, or issues that would require complex end user interactions to be exploited
  • Spam, social engineering and physical intrusion
  • DoS/DDoS attacks or brute force attacks
  • Vulnerabilities that only work on software that no longer receives security updates
  • Attacks requiring physical access to a victim's computer/device, man-in-the-middle, or compromised user accounts
  • Reports that state that software is out of date/vulnerable without a proof-of-concept

Mobile

  • Shared links leaked through the system clipboard
  • Any URIs leaked because a malicious app has permission to view URIs opened
  • The absence of certificate pinning
  • Sensitive data in URLs/request bodies when protected by TLS
  • Lack of obfuscation
  • Path disclosure in the binary
  • Lack of jailbreak & root detection
  • Crashes due to malformed URL Schemes
  • Lack of binary protection (anti-debugging) controls, mobile SSL pinning
  • Snapshot/Pasteboard leakage
  • Runtime hacking exploits (exploits only possible in a jailbroken environment)
  • API key leakage used for non-sensitive activities/actions

Severity assessment

This program follows Intigriti's triage standards based on the proof of concept.

FAQ

Where can we get credentials for the app?

You can self-register on the application at https://www.domo.com/start/free.

Can I get a premium account?

No, in this VDP we are not providing premium accounts.
