Description

Grafana Labs is the company behind Grafana, Loki, Mimir and Tempo, the leading open source software for visualizing operational data. We are thrilled to invite you to participate in our bug bounty program in partnership with Grafana Labs' security team. Before beginning your research, we kindly request that you carefully review this program's scope. This will ensure that your efforts align with our objectives and that you receive proper compensation for any findings that meet the program's criteria. Happy hacking!

Bounties

Severity (CVSS range)      Tier 1               Tier 2
Low (0.1 - 3.9)            $100 - $500          $10 - $100
Medium (4.0 - 6.9)         $500 - $2,000        $100 - $750
High (7.0 - 8.9)           $2,000 - $7,500      $750 - $1,750
Critical (9.0 - 9.4)       $7,500 - $10,000     $1,750 - $3,000
Exceptional (9.5 - 10.0)   $10,000 - $15,000    $3,000 - $5,000

Tier 1 overall range: $100 - $15,000
Tier 2 overall range: $10 - $5,000

We may award a small bonus for out-of-scope reports, but only for valid high, critical, or exceptional severity findings. However, this is at the sole discretion of Grafana Labs.

Rules of engagement

By participating in this program, you agree to:

  • Respect the Community Code of Conduct
  • Respect the Intigriti Terms and Conditions
  • Respect the scope of the program
  • Not discuss or disclose vulnerability information without prior written consent (including PoCs on YouTube and Vimeo)

Validation times

We will validate all submissions within the below timelines, once your submission has been verified by Intigriti.
Submissions validated outside of this may be awarded a €25 bonus.

Vulnerability severity   Time to validate
Exceptional              2 working days
Critical                 2 working days
High                     5 working days
Medium                   15 working days
Low                      15 working days

This remains at the discretion of Grafana to award.

Check our fix
We offer up to €50 bonus to verify a resolved issue for us (when requested).
This remains at the discretion of Grafana to award.

Terms and Conditions

  1. Participants must follow the following guidelines in order to be eligible to receive any payouts pursuant to this Program:
    • Only testing of In-Scope products detailed in the section titled “Scope” is allowed;
    • Do not disclose any issue publicly before a fix has been released by Grafana Labs (even if you have already received the reward);
    • Participants may at no time disrupt any Grafana Labs service;
    • Participants may not access any accounts or data other than their own;
    • Do not post attachments or Proof Of Concepts (POCs) on a 3rd party website, instead participants must include them in the report;
    • Participants must comply with all applicable laws;
    • Submissions must be made in English;
    • All actions must be performed strictly during participation in the Program and in adherence with this Policy; and
    • All actions must be performed as good faith security research, with the intent to report to Grafana Labs.
  2. All payouts made pursuant to this policy shall be calculated and paid at the sole discretion of Grafana Labs. All payments made by Grafana Labs are final and binding. Participants in this program shall be solely responsible for the payment of all applicable taxes.
  3. In order to receive their payouts, participants will need to submit personal information to Intigriti.
  4. Grafana Labs reserves the right to change the rules of this program at any time in its sole discretion.
  5. By providing a report to Grafana Labs pursuant to this policy, you grant Grafana Labs an irrevocable, perpetual, royalty free, transferable, worldwide license to use and exploit the report.
  6. Any report can be made public at the discretion of Grafana Labs.
  7. Eligibility of Participants to participate in the Program shall be determined at the sole discretion of Grafana Labs. Individuals located in any country subject to a U.S. embargo or listed on any sanctioned persons list shall not be permitted to participate.
  8. Safe harbor: Activities conducted in a manner consistent with this Policy will be considered authorized conduct and we will not initiate legal action against you for breach of any applicable license provisions. Note that you are still responsible for compliance with any local laws, and that this safe harbor does not extend to breach of any laws applicable to you.
  9. Current or former (in the last 12 months) Grafana Labs employees and contractors are not permitted to participate in this program.
  10. We target an initial response to requests within 1 business day and triage within 2 business days. Payouts should happen as soon as the vulnerability is confirmed (i.e. at triage time). Payouts are based on CVSS score and bonus points and are calculated by Grafana Labs in its sole discretion.
  11. Grafana Labs reserves the right to make a determination of whether a violation of this policy is accidental or in good faith. When in doubt, please contact us at legal@grafana.com.
  12. Governing Law; Limitation of Liability: The law that will apply in any dispute or lawsuit arising out of or in connection with this Program, and the courts that have jurisdiction over any such dispute or lawsuit will be New York, USA. In no event shall Grafana Labs be liable for any damages relating to the Program greater than USD$1,000.

Domains

Asset                          Tier     Type
Grafana Loki                   Tier 1   Other
Grafana Mimir                  Tier 1   Other
Grafana OSS                    Tier 1   Other
Grafana Pyroscope              Tier 1   Other
Grafana Tempo                  Tier 1   Other
https://github.com/grafana/*   Tier 2   Wildcard
Non-Core Grafana Plugins       -        Other

Notes:
  • https://github.com/grafana/*: only repository misconfigurations for non-archived repositories are in scope - please read the 'In scope' section below for the detailed scope.
  • Non-Core Grafana Plugins: Grafana Labs-developed plugins that are not installed by default are accepted, but are not eligible for a bounty.

Severity assessment

This program follows Intigriti's contextual CVSS standard.

FAQ

Where can we get credentials for the app?

The default admin credentials for Grafana are admin:admin.
Make sure to create additional users in Grafana with different permissions, such as Editor and Viewer.

How can I contact you?

Feel free to join our public community Slack Channel.
