Bug Bounty Program

Terms and Conditions

Datavolo does not currently partner with any third-party Bug Bounty programs. If you’re an independent security expert or researcher and believe you’ve discovered a security-related issue on our platform, we appreciate you disclosing the issue to us responsibly and thank you for your time and expertise.

If you are eligible and want to report a bug, send us an email at [email protected].

You will report the vulnerability directly to us via email and all communication after submission will be conducted there. Before submitting an issue, please read our guidelines and scope of the program.

Eligibility

Datavolo employees or contractors—current or former—are not eligible to participate in this program. Please read the complete eligibility requirements before joining the program.

Scope

The scope of the Bug Bounty Program includes Datavolo’s products, services, and systems. Vulnerabilities found in vendor systems fall outside of this policy’s scope and should be reported directly to the vendor via their own disclosure programs.

Rules of Engagement

The following is intended to give security researchers clear guidelines for conducting vulnerability discovery activities to limit the potential for company and/or customer data to be at risk:

  • Do add a prefix Bugbounty- to your Datavolo org name.

  • Do report a potential security issue immediately.

  • Do NOT attack other users. If you are testing the ability to access another customer’s data, do not iterate randomly. Ask for assistance at [email protected].

  • Do NOT attempt Denial of Service (DoS) attacks. If you notice performance interruption or degradation, immediately suspend all testing.

  • Do NOT perform any phishing, spamming, social engineering, or other form of fraud on our employees or customers.

  • Do NOT perform any physical attacks against Datavolo’s property (including workstations, office spaces, servers, or networks) or otherwise try to discover risk beyond digital means against Datavolo.

  • Do NOT exploit a security issue you discover for any reason other than to validate your finding.

  • Do NOT deface any Datavolo-associated publicly available resource for a proof of concept (PoC) which explicitly states the vulnerability. For example, for a subdomain takeover PoC, upload a file with hello world in it.

Out-of-Scope Vulnerabilities

Any of the following (or related) activities will be automatically considered out of scope for the Bug Bounty Program:

  • Clickjacking or UI redressing (on pages with no sensitive actions)

  • Content injection or “HTML injection” unless you can clearly show risk (other than social engineering)

  • Cross-Site Request Forgery (CSRF) on features which are available to anonymous users

  • Low-impact CSRF including, but not limited to, login, logout, and unauthenticated

  • User session duration

  • Username/email enumeration

  • Same-site scripting and Self-XSS

  • Self-exploitation (e.g., password reset links or cookie reuse)

  • Missing flags on non-essential session cookies

  • Missing security-related HTTP headers which do not lead directly to a vulnerability

  • Open redirects on ad/analytics subdomains

  • Presence of autocomplete attribute on web forms

  • Reflected File Download (RFD) attacks

Data Exposure:

  • Banner or version disclosure of server or software

  • Information disclosure that has no practical use for exploitation

  • Descriptive/verbose/unique error pages (without proof of exploitability)

  • Default configuration files which do not disclose sensitive information

Denial of Service:

  • Denial of Service (DoS) attacks

  • Distributed Denial of Service (DDoS) attacks

End of Life (EoL) / Outdated Software:

  • Any Datavolo-developed software that is EoL or no longer supported

  • Client-side bugs which do not affect (and are not exploitable on) the latest versions of modern browsers

  • Outdated dependencies without a working PoC

Physical Security:

  • Man-in-the-middle (MITM) attacks or those requiring physical access to the victim’s device

  • Physical or social engineering attacks

Security Best Practices:

  • Missing SSL/TLS best practices

  • Mixed content warnings

  • Missing best practices in Content Security Policy

  • Missing email security best practices (such as incomplete or missing SPF/DKIM/DMARC) without a proof of exploitability

  • Issues related to networking protocols or industry standards

Miscellaneous:

  • Bugs Datavolo or Apache is already aware of (or ones previously submitted by another researcher)

  • Pivoting, scanning, exploiting, or exfiltrating data from internal Datavolo systems

  • Pervasive issues or vulnerabilities such as Heartbleed, Meltdown, Spectre, or others without a Proof of Concept

  • Results of automated tools or scanners without a Proof of Concept

  • Theoretical subdomain takeover claims with no supporting evidence

  • Using unreported vulnerabilities to find other bugs

  • Vulnerabilities in community-contributed API and Datavolo client libraries

  • Public zero-day vulnerabilities that have had an official patch for less than one month will be awarded on a case-by-case basis.

Disclosure Policy

This program is subject to strict confidentiality requirements. You will need consent from Datavolo for any disclosure outside of the program. Prior to accepting an invitation to Datavolo’s private program, you should carefully review the program policies and the non-disclosure agreements required for participation.