Intigriti
Description

Grafana is an open-source platform for monitoring and observability. It can produce charts, graphs, and alerts for the web when connected to supported data sources.

Bounties (Tier 2: $100 - $15,000)

Severity    CVSS score   min. $   max. $
Low         0.1 - 3.9    100      500
Medium      4.0 - 6.9    500      2,000
High        7.0 - 8.9    2,000    7,500
Critical    9.0 - 9.4    7,500    10,000
Exceptional 9.5 - 10.0   10,000   15,000
Rules of engagement

By participating in this program, you agree to:

  • Respect the Community Code of Conduct
  • Respect the Intigriti Terms and Conditions
  • Respect the scope of the program
  • Not discuss or disclose vulnerability information without prior written consent (including PoC's on YouTube and Vimeo)

Validation times

We will validate all submissions within the below timelines, once your submission has been verified by Intigriti.
Submissions validated outside of this may be awarded a €25 bonus.

Vulnerability severity   Time to validate
Exceptional              2 working days
Critical                 2 working days
High                     5 working days
Medium                   15 working days
Low                      15 working days

This remains at the discretion of Grafana to award.

Check our fix
We offer up to €50 bonus to verify a resolved issue for us (when requested).
This remains at the discretion of Grafana to award.

Terms and Conditions

  1. Participants must follow these guidelines in order to be eligible to receive any payouts pursuant to this Program:
    • Only testing of In-Scope products detailed in the section titled “Scope” is allowed;
    • Do not disclose any issue publicly before a fix has been released by Grafana Labs (even if you have already received the reward);
    • Participants may at no time disrupt any Grafana Labs service;
    • Participants may not access any accounts or data other than their own;
    • Do not post attachments or Proof Of Concepts (POCs) on a 3rd party website, instead participants must include them in the report;
    • Participants must comply with all applicable laws;
    • Submissions must be made in English;
    • All actions must be performed strictly during participation in the Program and in adherence with this Policy; and
    • All actions must be performed as good faith security research, with the intent to report to Grafana Labs.
  2. All payouts made pursuant to this policy shall be calculated and paid at the sole discretion of Grafana Labs. All payments made by Grafana Labs are final and binding. Participants in this program shall be solely responsible for the payment of all applicable taxes.
  3. In order to receive their payouts, participants will need to submit personal information to Intigriti.
  4. Grafana Labs reserves the right to change the rules of this program at any time in its sole discretion.
  5. By providing a report to Grafana Labs pursuant to this policy, you grant Grafana Labs an irrevocable, perpetual, royalty free, transferable, worldwide license to use and exploit the report.
  6. Any report can be made public at the discretion of Grafana Labs.
  7. Eligibility of Participants to participate in the Program shall be determined at the sole discretion of Grafana Labs. Individuals located in any country subject to a U.S. embargo or listed on any sanctioned persons list shall not be permitted to participate.
  8. Safe harbor: Activities conducted in a manner consistent with this Policy will be considered authorized conduct and we will not initiate legal action against you for breach of any applicable license provisions. Note that you are still responsible for compliance with any local laws, and that this safe harbor does not extend to breach of any laws applicable to you.
  9. Current or former (in the last 12 months) Grafana Labs employees and contractors are not permitted to participate in this program.
  10. We target an initial response to requests within 1 business day and triage within 2 business days. Payouts should happen as soon as the vulnerability is confirmed (i.e. at triage time). Payouts are based on CVSS score and bonus points and are calculated by Grafana Labs in its sole discretion.
  11. Grafana Labs reserves the right to make a determination of whether a violation of this policy is accidental or in good faith. When in doubt, please contact us at legal@grafana.com.
  12. Governing Law; Limitation of Liability: The law that will apply in any dispute or lawsuit arising out of or in connection with this Program, and the courts that have jurisdiction over any such dispute or lawsuit will be New York, USA. In no event shall Grafana Labs be liable for any damages relating to the Program greater than USD$1,000.
Domains

Asset                      Type       Bounty
Grafana OSS                Other      Tier 2
  Latest released version of Grafana OSS: https://github.com/grafana/grafana
Non-Core Grafana Plugins   Other      No bounty
  Grafana Labs developed plugins not installed by default are accepted, but not eligible for a bounty.
*.grafana.net              Wildcard   Out of scope

Introduction

Welcome! We are thrilled to invite you to participate in our bug bounty program in partnership with Grafana Labs' security team. Before beginning your research, we kindly request that you carefully review this program's scope. This will ensure that your efforts align with our objectives and that you receive proper compensation for any findings that meet the program's criteria. Happy hacking!

Getting started

The easiest way to get started is to run Grafana in a Docker container: docker run -p 3000:3000 grafana/grafana-oss:latest - you will then be able to access the Grafana web UI on http://localhost:3000 and log in with admin:admin

Grafana binaries can be found here: https://grafana.com/grafana/download?pg=get&edition=oss
The source code for Grafana can be found here: https://github.com/grafana/grafana

Threat model

Taking the time to understand the threat model for Grafana will help you understand pain points and issues that are relevant. The way to do this is up to you, but here are tips and resources that might help you on the way:

  1. Read carefully through the program specific Out of Scope and understand them well.
  2. Familiarize yourself with the different roles and permissions.
  3. Review the historic CVE, found here.
  4. Read previous published bug reports, found here.

Security Hall of Fame

For all valid vulnerabilities, we will ask if you want to be added to Grafana Labs Security Hall of Fame with any associated CVE and vulnerability details.

Feedback

If you would like to help us improve our program or have some feedback to share, please send your anonymous feedback here.
Please note that this form will be checked periodically and should not be used for submissions or support queries.

Out of scope

Program Specifics - Please read carefully

  • Users with the Viewer role can enter any possible query in any of the data sources available in the organization.
  • Data sources that have been deliberately manipulated to exploit a weakness. Grafana does not sanitize or manipulate data stored in a data source.
  • Vulnerabilities that require a feature toggle to be enabled.
  • Community created plugins and apps are out-of-scope.
  • For Viewers, a valid DoS vulnerability must have a non-temporary impact on performance.
    • For Editors, a valid DoS vulnerability must provide significant additional leverage beyond what an editor can do by design.
    • DoS attacks by administrators are fully out-of-scope.

Generic Out of Scope

Reports about security weaknesses with no proven impact will be processed as public issues and not be eligible for a reward. This category includes but is not limited to:

  • Automated scanning or reporting of any kind
  • CVE in an outdated dependency
  • Defense in depth option not implemented (e.g. missing cookie attribute or HTTP header, clickjacking included)
  • Secure coding best practice not used
  • TLS configuration with older ciphersuites
  • Host enumeration (e.g. via Semi-blind SSRF)
  • CSRF with only an Availability impact
  • Self exploitation (e.g. Self XSS or token reuse)
  • Pre-Auth Account takeover/OAuth squatting
  • Presence of autocomplete attribute on web forms
  • Reverse tabnabbing
  • Bypassing rate-limits or the non-existence of rate-limits.
  • Best practices violations (password complexity, expiration, re-use, etc.)
  • Clickjacking without proven impact/unrealistic user interaction
  • CSV Injection
  • Sessions not being invalidated (logout, enabling 2FA, etc.)
  • HTML-injection without proven impact
  • Username/email enumeration
  • Email bombing
  • Homograph attacks
  • Banner grabbing/Version disclosure
  • Not stripping metadata of files
  • Same-site scripting
  • Arbitrary file upload without proof of the existence of the uploaded file

General

  • In case that a reported vulnerability was already known to the company from their own tests, it will be flagged as a duplicate
  • Spam, social engineering and physical intrusion
  • Vulnerabilities that only work on software that no longer receive security updates
  • Attacks requiring physical access to a victim's computer/device, man in the middle or compromised user accounts
  • Recently discovered zero-day vulnerabilities found in in-scope assets within 14 days after the public release of a patch or mitigation may be reported, but are usually not eligible for a bounty

Severity assessment

This program follows Intigriti's contextual CVSS standard.

FAQ

Where can we get credentials for the app?

The default admin credentials for Grafana are admin:admin.
Make sure to create additional users in Grafana with different permissions, such as Editor and Viewer.

Overall stats

  • Submissions received: 25
  • Accepted submissions: 1
  • Average payout: N/A
  • Total payouts: N/A

Last 90 day response times

  • Avg. time to first response: < 2 days
  • Avg. time to triage: < 3 days
  • Avg. time to decide: < 5 days