Scope expansion for feature toggles
4/9/2026, 1:30:19 PM (12 days ago)

Hey again, hackers!

We've updated the scope of the program to now include reports that require feature toggles to be enabled:

  • All Generally Available feature toggles are fully in-scope for the standard tiers. If you use no feature toggles at all in your report, you will also be using the standard tiers.
  • All Public Preview feature toggles on Tier 1 and Tier 2 products are in scope for Tier 2 bounties.
  • All Private Preview and Experimental feature toggles are accepted, but are not eligible for standard bounties. In some exceptional cases, we may still issue a bonus; these are issued at Grafana Labs' discretion.
  • All Grafana feature toggles that require the app_mode = development configuration are not in scope.

The triage team will not update your tier for you, but will validate the report and forward it to Grafana Labs. When we receive it, we may update the report tier according to the feature toggles used.

If you have previously submitted a report and had it rejected due to the feature toggle being out of scope, we're happy to accept a new report if the report still works on the latest supported versions of Grafana. In your new report, please include a link to the previous report(s), so we can make sure to update those to be duplicates instead of out-of-scope.

Happy hunting, and best of luck!

Video POCs
3/26/2026, 9:51:20 AM (26 days ago)
3/26/2026, 10:00:22 AM

Hey hackers!

Thank you again for hunting on our program.

Following the previous program update, we have added one additional submission question regarding video proof-of-concepts. To ensure all necessary information is included in the report, videopocs are now mandatory. As a gentle reminder, you will need to tick a box saying you've added a videopoc to your report. This is in addition to the standard report format and all necessary in-writing details to reproduce the report; the videopoc does not replace the written portion of the report.

Happy hunting, and best of luck!

Recent updates to program (formatting and AI)
3/19/2026, 2:51:51 PM (about 1 month ago)

Hey hackers!

You've been submitting a tonne of reports. We really appreciate the interest you all have in the program. We've recently been looking at how we can make the experience better for you.

Therefore, we've updated the program a fair bit recently. First off, we have updated our rules of engagement a bit. This includes new formatting for reports; please follow this report format so that we can triage your reports as well as possible.

Secondly, we've recently seen a large increase in AI-generated or AI-assisted reports. This is totally fine, but we now also ask that you tick a box that says whether you used AI. This is a one-click change for each report.

Happy hunting, and best of luck!

New and expanded scope
10/4/2024, 8:35:29 AM (over 1 year ago)

Hey hackers!

Exciting news! We've expanded our bug bounty program to include all of our GitHub repositories for repository vulnerabilities - yes, all of them - so if you're into CI/CD hacking, this is your moment to shine! 💥

Our Database bug bounty program has now merged into this one, making things simpler with just one public program for you to explore.

Happy hunting and good luck!