By participating in this program, you agree to:

• Respect the Community Code of Conduct
• Respect the Intigriti Terms and Conditions
• Respect the scope of the program
• Not discuss or disclose vulnerability information without prior written consent (including PoC's on YouTube and Vimeo)

Validation times

We will validate all submissions within the below timelines, once your submission has been verified by Intigriti.
Submissions validated outside of this may be awarded a €25 bonus.

This remains at the discretion of Grafana to award.

Check our fix
We offer up to €50 bonus to verify a resolved issue for us (when requested).
This remains at the discretion of Grafana to award.

Terms and Conditions

1. Participants must follow the following guidelines in order to be eligible to receive any payouts pursuant to this Program:
   • Only testing of In-Scope products detailed in the section titled “Scope” is allowed;
   • Do not disclose any issue publicly before a fix has been released by Grafana Labs (even if you have already received the reward);
   • Participants may at no time disrupt any Grafana Labs service;
   • Participants may not access any accounts or data other than their own;
   • Do not post attachments or Proof Of Concepts (POCs) on a 3rd party website, instead participants must include them in the report;
   • Participants must comply with all applicable laws;
   • Submissions must be made in English;
   • All actions must be performed strictly during participation in the Program and in adherence with this Policy; and
   • All actions must be performed as good faith security research, with the intent to report to Grafana Labs
2. All payouts made pursuant to this policy shall be calculated and paid at the sole discretion of Grafana Labs. All payments made by Grafana Labs are final and binding. Participants in this program shall be solely responsible for the payment of all applicable taxes.
3. In order to receive their payouts, participants will need to submit personal information to Intigriti.
4. Grafana Labs reserves the right to change the rules of this program at any time in its sole discretion.
5. By providing a report to Grafana Labs pursuant to this policy, you grant Grafana Labs an irrevocable, perpetual, royalty free, transferable, worldwide license to use and exploit the report.
6. Any report can be made public at the discretion of Grafana Labs.
7. Eligibility of Participants to participate in the Program shall be determined at the sole discretion of Grafana Labs. Individuals located in any country subject to a U.S. embargo or listed on any sanctioned persons list shall not be permitted to participate.
8. Safe harbor: Activities conducted in a manner consistent with this Policy will be considered authorized conduct and we will not initiate legal action against you for breach of any applicable license provisions. Note that you are still responsible for compliance with any local laws, and that this safe harbor does not extend to breach of any laws applicable to you.
9. Current or former (in the last 12 months) Grafana Labs employees and contractors are not permitted to participate in this program.
10. We target an initial response to requests within 1 business day and triage within 2 business days. Payouts should happen as soon as the vulnerability is confirmed (i.e. at triage time). Payouts are based on CVSS score and bonus points and are calculated by Grafana Labs in its sole discretion.
11. Grafana Labs reserves the right to make a determination of whether a violation of this policy is accidental or in good faith. When in doubt, please contact us at legal@grafana.com.
12. Governing Law; Limitation of Liability: The law that will apply in any dispute or lawsuit arising out of or in connection with this Program, and the courts that have jurisdiction over any such dispute or lawsuit will be New York, USA. In no event shall Grafana Labs be liable for any damages relating to the Program greater than USD$1,000.

Grafana

• Latest released version of Grafana OSS: https://github.com/grafana/grafana

Databases

• Latest released version of https://github.com/grafana/loki
• Latest released version of https://github.com/grafana/mimir
• Latest released version of https://github.com/grafana/tempo
• Latest released version of https://github.com/grafana/pyroscope

Repository Vulnerabilities and Misconfigurations

Limited to vulnerabilities related to repository management, GitHub Actions misconfigurations, and access controls, excluding code-level issues. Submissions should demonstrate practical exploitation paths where weaknesses in repository or CI/CD settings could be used to compromise security.

All testing and demonstrations should be done in a private environment if possible, such as in a mirror of the repository to prevent public exposure of any vulnerabilities.

Some examples include:

• Bypassing intended access controls in CI/CD workflows, limited to GitHub Actions (e.g., allowing unauthorized access to secrets, cloud resources, affecting builds other than your own, or data through misconfigured pipelines).
• Central misconfigurations in the setup of identity and access systems (e.g., incorrect Workload Identity Federation configurations that expose cloud resources).
• Exploitable misconfigurations where pull requests, under certain conditions, can improperly interact with external resources (e.g., unauthorized writes to object storage buckets).
• Accidental or improper configurations that allow unauthorized users to push or merge code in a way that compromises the CI/CD pipeline or repository.
• Scenarios where attacker-controlled inputs (e.g., environment variables) can influence the behavior of CI workflows, leading to unauthorized actions or access to sensitive data.
• Exploiting flaws in CI workflows that could allow malicious code execution, especially in contexts where such actions could cause harm, such as access to sensitive environments or data leakage.

Security Hall of Fame

For all valid vulnerabilities, we will ask if you want to be added to Grafana Labs Security Hall of Fame with any associated CVE and vulnerability details.

Feedback
Would you like to help us improve our program or have some feedback to share, please send your anonymous feedback here

!! Please read carefully !!

Grafana

• Users with the Viewer role can enter any possible query in any of the data sources available in the organization. Any reports of SSRF against the /dsproxy endpoint must show a breakage of the RBAC controls to be valid.
• Data sources that have been deliberately manipulated to exploit a weakness. Grafana does not sanitize or manipulate data stored in a data source.
• Vulnerabilities that require a feature toggle to be enabled.
• Community created plugins and apps are out-of-scope.
• For Viewers, a valid DoS vulnerability must have a non-temporary impact on performance.
  • For Editors, a valid DoS vulnerability must provide significant additional leverage beyond what an editor can do by design.
  • DoS attacks by administrators are fully out-of-scope.

Databases (Mimir, Loki, Tempo & Pyroscope)

• Authentication Issues - the databases does not come with any authentication layer. Operators are expected to run an authenticating reverse proxy in front of the services.
• DoS/DDoS or brute force attacks.
• Local privilege escalation (like DLL hijacking)

Repository Vulnerabilities and Misconfigurations

• Code-level issues (e.g. dependency confusion)
• Drone CI workflows
• Circle CI workflows

Generic Out of Scope

Reports about security weaknesses with no proven impact will be processed as public issues and not be eligible for a reward. This category includes but is not limited to:

• Automated scanning or reporting of any kind
• CVE in an outdated dependency
• Defense in depth option not implemented (e.g. missing cookie attribute or HTTP header, clickjacking included)
• Secure coding best practice not used
• TLS configuration with older ciphersuites
• Host enumeration (e.g. via Semi-blind SSRF)
• CSRF with only an Availability impact
• Self exploitation (e.g. Self XSS or token reuse)
• Pre-Auth Account takeover/OAuth squatting
• Presence of autocomplete attribute on web forms
• Reverse tabnabbing
• Bypassing rate-limits or the non-existence of rate-limits.
• Best practices violations (password complexity, expiration, re-use, etc.)
• Clickjacking without proven impact/unrealistic user interaction
• CSV Injection
• Sessions not being invalidated (logout, enabling 2FA, etc.)
• HTML-injection without proven impact
• Username/email enumeration
• Email bombing
• Homograph attacks
• Banner grabbing/Version disclosure
• Not stripping metadata of files
• Same-site scripting
• Arbitrary file upload without proof of the existence of the uploaded file

General

• In case that a reported vulnerability was already known to the company from their own tests, it will be flagged as a duplicate
• Spam, social engineering and physical intrusion
• Vulnerabilities that only work on software that no longer receive security updates
• Attacks requiring physical access to a victim's computer/device, man in the middle or compromised user accounts
• Recently discovered zero-day vulnerabilities found in in-scope assets within 14 days after the public release of a patch or mitigation may be reported, but are usually not eligible for a bounty

This program follows Intigriti's contextual CVSS standard

Where can we get credentials for the app?

The default admin credentials for Grafana is admin:admin
Make sure to create additional users in Grafana with different permissions, such as Editor and Viewer.

How can I contact you?

Feel free to join our public community Slack Channel.