By participating in this program, you agree to:

• Respect the Community Code of Conduct
• Respect the Intigriti Terms and Conditions
• Respect the scope of the program
• Not discuss or disclose vulnerability information without prior written consent (including PoC's on YouTube and Vimeo)

Grafana

• Latest released version of Grafana OSS: https://github.com/grafana/grafana

Most feature toggles are documented here. You can find a complete list of toggles on our repository.

Databases

• Latest released version of Loki: https://github.com/grafana/loki
• Latest released version of Mimir: https://github.com/grafana/mimir
• Latest released version of Tempo: https://github.com/grafana/tempo
• Latest released version of Pyroscope: https://github.com/grafana/pyroscope

Security Hall of Fame

For all valid vulnerabilities, we will ask if you want to be added to Grafana Labs Security Hall of Fame with any associated CVE and vulnerability details.

!! Please read carefully !!

Grafana

• Users with the Viewer role can enter any possible query in any of the data sources available in the organization. This is NOT a vulnerability and will be closed as Out of scope.
• Any reports of SSRF against the data source proxy endpoint.
• Data sources that have been deliberately manipulated to exploit a weakness. Grafana does not sanitize or manipulate data stored in a data source
• Community created plugins and apps are out-of-scope.
• For Viewers, a valid DoS vulnerability must have a non-temporary impact on performance.
  • For Editors, a valid DoS vulnerability must provide significant additional leverage beyond what an editor can do by design.
  • DoS attacks by administrators are fully out-of-scope.
• DoS vulnerabilities involving large end-user inputs are currently out of scope
• Vulnerabilities that require Grafana Enterprise
• Any functionality locked behind app_mode = development

Databases (Mimir, Loki, Tempo & Pyroscope)

• Authentication Issues - the databases does not come with any authentication layer. Operators are expected to run an authenticating reverse proxy in front of the services.
• DoS/DDoS or brute force attacks.
• Local privilege escalation (like DLL hijacking)

Generic Out of Scope

This category includes but is not limited to:

• Automated scanning or reporting of any kind
• CVE in an outdated dependency
• Defense in depth option not implemented (e.g. missing cookie attribute or HTTP header, clickjacking included)
• Secure coding best practice not used
• TLS configuration with older ciphersuites
• Host enumeration (e.g. via Semi-blind SSRF)
• CSRF with only an Availability impact
• Self exploitation (e.g. Self XSS or token reuse)
• Pre-Auth Account takeover/OAuth squatting
• Presence of autocomplete attribute on web forms
• Reverse tabnabbing
• Bypassing rate-limits or the non-existence of rate-limits.
• Best practices violations (password complexity, expiration, re-use, etc.)
• Clickjacking without proven impact/unrealistic user interaction
• CSV Injection
• Sessions not being invalidated (logout, enabling 2FA, etc.)
• HTML-injection without proven impact
• Username/email enumeration
• Email bombing
• Homograph attacks
• Banner grabbing/Version disclosure
• Not stripping metadata of files
• Same-site scripting
• Arbitrary file upload without proof of the existence of the uploaded file

ℹ️ General Program Rules ℹ️

• Unsure if the report is out of scope? Submit it regardless! We will not close reports as NA, OOS, or Spam unless they are clearly invalid or irrelevant.
• Don't spam, use social engineering and physical intrusion.

This program follows Intigriti's triage standards based on the proof of concept.

How can I contact you?

Feel free to join our public community Slack Channel.