At Grafana Labs, we value the open source community and recognize the power of crowdsourcing. This is why we have decided to launch our very own bug bounty program, managed in-house by our own team, to encourage ethical hackers from around the world to help us find and responsibly report security vulnerabilities in Grafana Labs software.
With the Grafana Labs Bug Bounty Program, we have decided to manage the program by ourselves as much as possible to help us create stronger relationships with researchers. With this approach, we can maintain a deeper degree of contextual understanding, which facilitates our ability to guide and support the researchers more effectively and build a vibrant community around our program.
A bug bounty program can only be deemed successful when the participants are satisfied. Our security team has both run and participated in such programs in the past, which has allowed us to identify three crucial factors for creating a successful program: speed, transparency, and fair compensation.
We aim to offer a positive bug bounty experience by targeting an initial response within one business day, and triage within two business days. Payouts will be made following our internal triage via Initigriti, a trusted bug bounty platform that ensures 24-hour payouts. Grafana Labs is a CVE Numbering Authority (CNA), which allows us to assign CVEs when necessary.
The bug bounty program is hosted on GitHub using private vulnerability reporting. This allows us to be fully transparent, as any change to the scope and terms and conditions will be recorded there and publicly available. This also ensures that we stay true to our values of being fair.
We don’t require researchers to sign a non-disclosure agreement (NDA). While we ask that you maintain silence while coordinating a release, we encourage you to discuss your discoveries freely in conferences, blog posts, or social media following the release. We often do this ourselves with interesting, internally discovered issues. We are also very happy to link to your write-up from our corresponding announcement blog post and do a coordinated disclosure. If you would like to do this please let us know early in the process.
We understand that security researchers invest significant time and effort into finding vulnerabilities and we want to show our respect and appreciation for their contributions. Our payout levels are top tier, reflecting the value we place on security and the contributions of the security community. Bonuses are available as described in the scope for high quality reports and PoCs.
Check out the Grafana Labs Bug Bounty Program today
We hope that by encouraging the security community to continue to contribute, it will help strengthen the overall security of our open source projects and our other products.
Since the program is brand new, please bear with us while we get this program off the ground! But certainly let us know if you run into any issues. And you are always welcome to contact us if you found a security vulnerability in any other product or service that’s not listed in the bug bounty scope by following the steps at MITRE.
We’ll continue to add products and services to our scope over time, so please check out the scope any time for the latest on the program. Happy hunting!