By participating in this program, you agree to:

• Respect the Community Code of Conduct
• Respect the Intigriti Terms and Conditions
• Respect the scope of the program
• Not discuss or disclose vulnerability information without prior written consent (including PoC's on YouTube and Vimeo)

Program Rules

• Please do NOT publicly discuss or publish any vulnerability before it has been fixed and you have received explicit permission from us to do so. You can send us a video as proof of concept, but remember to change its privacy settings to private.
• Perform testing only on in-scope assets and respect assets and activities which are out-of-scope. If unsure or need advice, contact us at security@domo.com.
• Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.
• If a vulnerability provides unintended access to data, limit the amount of data you access to the minimum required for effectively demonstrating a Proof of Concept.
• Cease testing and submit a report immediately if you encounter any user data during testing, such as Personally Identifiable Information (PII), Personal Healthcare Information (PHI), credit card data, or proprietary information.
• All newly published CVE submissions or 0-day vulnerabilities less than 30/60/90 days from patch release will not be accepted into this program.
• Provide an appropriate level of detail with reproducible steps so that the issue can be easily reproduced.
• Please include the HTTP requests/responses in the report. This will help us to search for duplicate reports using the endpoint and triage reports more effectively; include the vulnerable requests in the comment using markdown.
• Please be aware that all reports for the same endpoint - regardless the HTTP verbs used (e.g. GET, POST, PUT, DELETE) will be considered duplicates as long as the fix is not applied.
• Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.

Introduction

We are happy to announce our Vulnerability Disclosure Program! At Domo, we consider the security of our application and systems of utmost importance, and we therefore strive for the highest possible level of security. Despite the great care we take with respect to security, weaknesses can still remain. We ask you not to abuse a vulnerability, but to report the issue to us so that we can take the necessary measures.
Have you found a vulnerability in our product or in one of our other (online) systems? Then please report your findings to us as soon as possible through this portal. Working together with the security research community is an important part of our mission to ensure the security of our services and ensuring timely remediations.

We encourage you to refer to https://domo-support.domo.com/s/knowledge-base?language=en_US or any other available online public resources for thorough understanding of our features.

Domains

• All customer subdomains are strictly out of scope for testing (see Out of Scope section). So please only test your own instance that you signed up for. If you have any questions related to this then please reach out to us for clarification.

Functionalities/Expected Behavior/Risk Exceptions (LAST UPDATED: 10-06-2025)

• We are already aware of SSRF (XSPAs) in Connectors, Cloud Amplifier Integrations, Federated Datasets through error messages (unless you can escape containerized environments and demonstrate considerable impact).
• XSS in Pro-code-editor (api/apps/v1/designs) endpoint.
• Codeengine is containerized, therefore RCE is out of scope (unless elevated access control to the environment's expected access controls is demonstrated).
• It's expected that everyone can see every user's contact information including email addresses.
• Achievements (/api/content/v1/achievements/) are public because they are part of a user's public profile.
• User profiles are public within a given instance.
• The Projects and Tasks feature is also public unless you specifically create a private project.
• The Goals feature is public; there's no way to set your goals private.
• Sharing a Page with someone will grant Read access to all objects on that page.
• Domo treats Read on a card as Write - share a card and the recipient can edit the card. This flows down through the DataSource level.
• Sharing a Card will share the dataset.
• Certification Center (this feature is going to be sunsetted).
• /api/content/v2/groups/ is public.
• Please do not report as a vulnerability if you are able to sign up on the platform using your personal email address or through DNS/SMTP collaborator pingbacks (eg. Burp Collaborator) instead of the [required] business email. The product team is aware of this behavior and it does not pose any security risk.

Note: The above list is not exhaustive and will be updated regularly.

Application

• Wordpress usernames disclosure
• Pre-Auth Account takeover/OAuth squatting
• Self-XSS that can't be used to exploit other users
• Verbose messages/files/directory listings without disclosing any sensitive information
• CORS misconfiguration on non-sensitive endpoints
• Missing cookie flags
• Missing security headers
• Cross-site Request Forgery with no or low impact
• Presence of autocomplete attribute on web forms
• Reverse tabnabbing
• Bypassing rate-limits or the non-existence of rate-limits.
• Best practices violations (password complexity, expiration, re-use, etc.)
• Clickjacking without proven impact/unrealistic user interaction
• CSV Injection
• Sessions not being invalidated (logout, enabling 2FA, etc.)
• Tokens leaked to third parties
• Anything related to email spoofing, SPF, DMARC or DKIM
• Content injection without being able to modify the HTML
• Username/email enumeration
• Email bombing
• HTTP Request smuggling without any proven impact
• Homograph attacks
• XMLRPC enabled
• Banner grabbing/Version disclosure
• Not stripping metadata of files
• Same-site scripting
• Subdomain takeover without taking over the subdomain
• Arbitrary file upload without proof of the existence of the uploaded file
• Blind SSRF without proven business impact (pingbacks aren't sufficient)
• Disclosed/misconfigured Google Maps API keys
• Host header injection without proven business impact
• Missing Rate Limit on the login/authentication page

General

• In case that a reported vulnerability was already known to us from our own tests, it will be flagged as a duplicate
• Theoretical security issues with no realistic exploit scenario(s) or attack surfaces, or issues that would require complex end user interactions to be exploited
• Spam, social engineering and physical intrusion
• DoS/DDoS attacks or brute force attacks
• Vulnerabilities that only work on software that no longer receive security updates
• Attacks requiring physical access to a victim's computer/device, man in the middle or compromised user accounts
• Reports that state that software is out of date/vulnerable without a proof-of-concept

Mobile

• Shared links leaked through the system clipboard
• Any URIs leaked because a malicious app has permission to view URIs opened
• The absence of certificate pinning
• Sensitive data in URLs/request bodies when protected by TLS
• Lack of obfuscation
• Path disclosure in the binary
• Lack of jailbreak & root detection
• Crashes due to malformed URL Schemes
• Lack of binary protection (anti-debugging) controls, mobile SSL pinning
• Snapshot/Pasteboard leakage
• Runtime hacking exploits (exploits only possible in a jailbroken environment)
• API key leakage used for insensitive activities/actions

This program follows Intigriti's triage standards based on the proof of concept.

Where can we get credentials for the app?

You can self-register on the application at https://www.domo.com/start/free .

Can I get a premium account?

No, in this VDP we are not providing premium accounts.