Description

Grafana Labs is the company behind Grafana, Loki, Mimir and Tempo, the leading open source software for visualizing operational data. We are thrilled to invite you to participate in our bug bounty program in partnership with Grafana Labs' security team. Before beginning your research, we kindly request that you carefully review this program's scope. This will ensure that your efforts align with our objectives and that you receive proper compensation for any findings that meet the program's criteria. Happy hacking!

Bounties
Low
0.1 - 3.9
Medium
4.0 - 6.9
High
7.0 - 8.9
Critical
9.0 - 9.4
Exceptional
9.5 - 10.0
Tier 1
min. $
max. $
100
500
500
2,000
2,000
7,500
7,500
10,000
10,000
15,000
Tier 1
$100 - $15,000
Tier 2
min. $
max. $
10
100
100
750
750
1,750
1,750
3,000
3,000
5,000
Tier 2
$10 - $5,000
Rules of engagement
Not applicable
Not applicable
Not applicable
Not applicable

By participating in this program, you agree to:

  • Respect the Community Code of Conduct
  • Respect the Intigriti Terms and Conditions
  • Respect the scope of the program
  • Not discuss or disclose vulnerability information without prior written consent (including PoC's on YouTube and Vimeo)

Validation times

We will validate all submissions within the below timelines, once your submission has been verified by Intigriti.
Submissions validated outside of this may be awarded a €25 bonus.

Vulnerability Severity Time to validate
Exceptional 2 Working days
Critical 2 Working days
High 5 Working days
Medium 15 Working days
Low 15 Working days

This remains at the discretion of Grafana to award.

Check our fix
We offer up to €50 bonus to verify a resolved issue for us (when requested).
This remains at the discretion of Grafana to award.

Terms and Conditions

  1. Participants must follow the following guidelines in order to be eligible to receive any payouts pursuant to this Program:
    • Only testing of In-Scope products detailed in the section titled “Scope” is allowed;
    • Do not disclose any issue publicly before a fix has been released by Grafana Labs (even if you have already received the reward);
    • Participants may at no time disrupt any Grafana Labs service;
    • Participants may not access any accounts or data other than their own;
    • Do not post attachments or Proof Of Concepts (POCs) on a 3rd party website, instead participants must include them in the report;
    • Participants must comply with all applicable laws;
    • Submissions must be made in English;
    • All actions must be performed strictly during participation in the Program and in adherence with this Policy; and
    • All actions must be performed as good faith security research, with the intent to report to Grafana Labs
  2. All payouts made pursuant to this policy shall be calculated and paid at the sole discretion of Grafana Labs. All payments made by Grafana Labs are final and binding. Participants in this program shall be solely responsible for the payment of all applicable taxes.
  3. In order to receive their payouts, participants will need to submit personal information to Intigriti.
  4. Grafana Labs reserves the right to change the rules of this program at any time in its sole discretion.
  5. By providing a report to Grafana Labs pursuant to this policy, you grant Grafana Labs an irrevocable, perpetual, royalty free, transferable, worldwide license to use and exploit the report.
  6. Any report can be made public at the discretion of Grafana Labs.
  7. Eligibility of Participants to participate in the Program shall be determined at the sole discretion of Grafana Labs. Individuals located in any country subject to a U.S. embargo or listed on any sanctioned persons list shall not be permitted to participate.
  8. Safe harbor: Activities conducted in a manner consistent with this Policy will be considered authorized conduct and we will not initiate legal action against you for breach of any applicable license provisions. Note that you are still responsible for compliance with any local laws, and that this safe harbor does not extend to breach of any laws applicable to you.
  9. Current or former (in the last 12 months) Grafana Labs employees and contractors are not permitted to participate in this program.
  10. We target an initial response to requests within 1 business day and triage within 2 business days. Payouts should happen as soon as the vulnerability is confirmed (i.e. at triage time). Payouts are based on CVSS score and bonus points and are calculated by Grafana Labs in its sole discretion.
  11. Grafana Labs reserves the right to make a determination of whether a violation of this policy is accidental or in good faith. When in doubt, please contact us at legal@grafana.com.
  12. Governing Law; Limitation of Liability: The law that will apply in any dispute or lawsuit arising out of or in connection with this Program, and the courts that have jurisdiction over any such dispute or lawsuit will be New York, USA. In no event shall Grafana Labs be liable for any damages relating to the Program greater than USD$1,000.
Domains

Grafana Loki

Tier 1
Other

Grafana Mimir

Tier 1
Other

Grafana OSS

Tier 1
Other

Grafana Pyroscope

Tier 1
Other

Grafana Tempo

Tier 1
Other

https://github.com/grafana/*

Tier 2
Wildcard

Only repository misconfigurations for non-archived repositories are in scope - please read 'In scope' section below for detailed scope.

Non-Core Grafana Plugins

No bounty
Other

Grafana Labs developed plugins not installed by default are accepted, but not eligible for a bounty.

*.grafana.com

Out of scope
Wildcard

*.grafana.net

Out of scope
Wildcard
In scope

Grafana

Databases

Repository Vulnerabilities and Misconfigurations

Limited to vulnerabilities related to repository management, GitHub Actions misconfigurations, and access controls, excluding code-level issues. Submissions should demonstrate practical exploitation paths where weaknesses in repository or CI/CD settings could be used to compromise security.

All testing and demonstrations should be done in a private environment if possible, such as in a mirror of the repository to prevent public exposure of any vulnerabilities.

Some examples include:

  • Bypassing intended access controls in CI/CD workflows, limited to GitHub Actions (e.g., allowing unauthorized access to secrets, cloud resources, affecting builds other than your own, or data through misconfigured pipelines).
  • Central misconfigurations in the setup of identity and access systems (e.g., incorrect Workload Identity Federation configurations that expose cloud resources).
  • Exploitable misconfigurations where pull requests, under certain conditions, can improperly interact with external resources (e.g., unauthorized writes to object storage buckets).
  • Accidental or improper configurations that allow unauthorized users to push or merge code in a way that compromises the CI/CD pipeline or repository.
  • Scenarios where attacker-controlled inputs (e.g., environment variables) can influence the behavior of CI workflows, leading to unauthorized actions or access to sensitive data.
  • Exploiting flaws in CI workflows that could allow malicious code execution, especially in contexts where such actions could cause harm, such as access to sensitive environments or data leakage.

Security Hall of Fame

For all valid vulnerabilities, we will ask if you want to be added to Grafana Labs Security Hall of Fame with any associated CVE and vulnerability details.

Feedback
Would you like to help us improve our program or have some feedback to share, please send your anonymous feedback here

Out of scope

!! Please read carefully !!

Grafana

  • Users with the Viewer role can enter any possible query in any of the data sources available in the organization. Any reports of SSRF against the /dsproxy endpoint must show a breakage of the RBAC controls to be valid.
  • Data sources that have been deliberately manipulated to exploit a weakness. Grafana does not sanitize or manipulate data stored in a data source.
  • Vulnerabilities that require a feature toggle to be enabled.
  • Community created plugins and apps are out-of-scope.
  • For Viewers, a valid DoS vulnerability must have a non-temporary impact on performance.
    • For Editors, a valid DoS vulnerability must provide significant additional leverage beyond what an editor can do by design.
    • DoS attacks by administrators are fully out-of-scope.

Databases (Mimir, Loki, Tempo & Pyroscope)

  • Authentication Issues - the databases does not come with any authentication layer. Operators are expected to run an authenticating reverse proxy in front of the services.
  • DoS/DDoS or brute force attacks.
  • Local privilege escalation (like DLL hijacking)

Repository Vulnerabilities and Misconfigurations

  • Code-level issues (e.g. dependency confusion)
  • Drone CI workflows
  • Circle CI workflows

Generic Out of Scope

Reports about security weaknesses with no proven impact will be processed as public issues and not be eligible for a reward. This category includes but is not limited to:

  • Automated scanning or reporting of any kind
  • CVE in an outdated dependency
  • Defense in depth option not implemented (e.g. missing cookie attribute or HTTP header, clickjacking included)
  • Secure coding best practice not used
  • TLS configuration with older ciphersuites
  • Host enumeration (e.g. via Semi-blind SSRF)
  • CSRF with only an Availability impact
  • Self exploitation (e.g. Self XSS or token reuse)
  • Pre-Auth Account takeover/OAuth squatting
  • Presence of autocomplete attribute on web forms
  • Reverse tabnabbing
  • Bypassing rate-limits or the non-existence of rate-limits.
  • Best practices violations (password complexity, expiration, re-use, etc.)
  • Clickjacking without proven impact/unrealistic user interaction
  • CSV Injection
  • Sessions not being invalidated (logout, enabling 2FA, etc.)
  • HTML-injection without proven impact
  • Username/email enumeration
  • Email bombing
  • Homograph attacks
  • Banner grabbing/Version disclosure
  • Not stripping metadata of files
  • Same-site scripting
  • Arbitrary file upload without proof of the existence of the uploaded file

General

  • In case that a reported vulnerability was already known to the company from their own tests, it will be flagged as a duplicate
  • Spam, social engineering and physical intrusion
  • Vulnerabilities that only work on software that no longer receive security updates
  • Attacks requiring physical access to a victim's computer/device, man in the middle or compromised user accounts
  • Recently discovered zero-day vulnerabilities found in in-scope assets within 14 days after the public release of a patch or mitigation may be reported, but are usually not eligible for a bounty
Severity assessment

This program follows Intigriti's contextual CVSS standard

FAQ

Where can we get credentials for the app?

The default admin credentials for Grafana is admin:admin
Make sure to create additional users in Grafana with different permissions, such as Editor and Viewer.

How can I contact you?

Feel free to join our public community Slack Channel.

All aboard!
Please log in or sign up on the platform

For obvious reasons we can only allow submissions or applications for our program with a valid Intigriti account.

It will only take 2 minutes to create a new one or even less to log in with an existing account, so don't hesitate and let's get started. We would be thrilled to have you as part of our community.

Overall stats
submissions received
104
average payout
$698
accepted submissions
9
total payouts
$4,882
Last 90 day response times
avg. time first response
< 2 days
avg. time to decide
< 5 days
avg. time to triage
< 3 days
Activity
12/10
Grafana
closed a submission
12/10
Grafana
closed a submission
12/10
Grafana
closed a submission
12/10
Grafana
closed a submission
12/10
Grafana
closed a submission
12/10
Grafana
closed a submission
12/10
Grafana
closed a submission
12/10
Grafana
closed a submission
12/8
logo
muhammadwaseem
created a submission
12/8
logo
muhammadwaseem
created a submission