We are a dedicated team of engineers committed to delivering an outstanding SaaS Monitoring and Analytics Platform in a safe and secure way. To achieve our mission, we would like to partner with and build a relationship with the security research community, with the hope that this relationship grows stronger as time passes. We will make every effort to recognize your high-quality contributions and reward you accordingly.

Rewards

Our rewards are based on the severity of a vulnerability. SignalFx uses CVSS 3.0 (Common Vulnerability Scoring System) to calculate severity. Please note, however, that reward decisions are at the discretion of SignalFx. Examples of issues that may be considered lower severity given additional context include, but are not limited to: a reflected XSS with minimal impact (only works in some browsers, cannot be used to steal session information); or an RCE on an asset that does not house production data.

In-scope

The SignalFx Responsible Vulnerability Disclosure Program covers everything under the following domain:

  • *.signalfx.com

In-scope vulnerabilities include, but are not limited to:

  • Remote Code Execution (RCE)
  • SQL, XML and other injection vulnerabilities
  • Cross Tenant Data Leak
  • Disclosure of sensitive or personally identifiable information (PII)
  • Authentication and Authorization vulnerabilities
  • Cross-Site Scripting (XSS)
  • Cross-Site Request Forgery (CSRF) for sensitive functions
  • Directory traversal
  • Security misconfiguration having a severe impact. These will be evaluated on a case-by-case basis.

Out-of-scope

Out-of-scope vulnerabilities include, but are not limited to:

  • Attacks involving stolen credentials or physical access to endpoint devices
  • Automated scan reports (without an exploitable PoC)
  • Content Spoofing Vulnerabilities
  • Denial of Service (DoS)
  • DLL hijacking (without escalation of privileges)
  • DNS configuration related issues
  • Host Header Injection (without providing an exploitable scenario)
  • HTTP TRACE method enabled
  • Issues present only in older versions of browsers, plugins or any other software
  • Low Impact CSRF issues, including but not limited to: Login and Logout CSRF
  • Low Severity Clickjacking Vulnerabilities
  • Man-in-the-Middle attacks (MITM)
  • Missing Rate Limiting Protections (unless corresponding to authentication flow)
  • Missing SPF/DKIM/DMARC policies
  • Missing security headers and cookie flags that cannot be exploited by themselves (for example Strict-Transport-Security, HttpOnly)
  • Multiple account registration using or manipulating the same email ID
  • Physical attacks against SignalFx offices and property
  • Reflected File Download
  • Self-XSS (the XSS must be able to attack other users)
  • Server Configuration related issues
  • Social engineering and phishing attacks
  • Spam e-mail (missing rate limiting protections)
  • SSL vulnerabilities related to configuration, version or weak ciphers (without a working exploit)
  • Uploading Files with a different extension than specified
  • Use of a vulnerable 3rd party library/code snippet (without providing an exploitable scenario)
  • User enumeration/brute forcing (for example on the Login and Forgot Password pages)
  • Vulnerabilities exploitable only on unsupported or outdated browsers, frameworks and platforms
  • Weak password and unverified email policies
  • Any other submission assessed to be of low risk or impact

Bug Submission Requirements

Please submit your report to [email protected]

To be eligible for a bug bounty, a submission must include the following:

  • Full description of the vulnerability being reported, including the exploitability and impact
  • Steps to reproduce
  • Supporting evidence such as:
    • Screenshots
    • Traffic logs
    • Web/API requests and responses
    • IP address used for testing
    • Email address or user ID of any test accounts