GrapheneDB is a Graph Database-as-a-Service platform that provides reliable and scalable solutions for developers and businesses to build and manage their graph-based applications. We are committed to ensuring the highest level of security and privacy for our customers and their data.
To achieve this, we are launching a bug bounty program that invites security researchers, ethical hackers, and enthusiasts to identify and report any security vulnerabilities they discover in our platform. By doing so, they will be helping us to identify and fix potential security threats and protect our customers' data. We'd like to emphasize that our Bug Bounty program is security oriented, and does not focus on discoveries of general bugs or logical errors.
This bug bounty program is an essential part of our security strategy, as it allows us to leverage the skills and knowledge of the security community to improve our security posture. It also demonstrates our commitment to transparency and accountability in the way we handle security.
The bug bounty program is open to everyone, and we welcome submissions from all corners of the globe. We are committed to responding to all valid reports in a timely and efficient manner. We will also provide appropriate rewards to researchers who submit valid reports and follow our responsible disclosure guidelines.
Please note that this bug bounty program is not a license to actively test our systems, and any unauthorized testing or attempted exploitation of our systems is strictly prohibited. The program is designed to encourage responsible and coordinated vulnerability disclosure, and we expect all participants to adhere to our guidelines.
We appreciate your interest in helping us improve our security, and we look forward to working with the security community to make GrapheneDB a safer platform for all our customers.
GrapheneDB has adopted Bugcrowd's Vulnerability Rating Taxonomy (VRT) for the purpose of prioritizing and paying out on reported bugs. We currently pay out for P1 through P4 vulnerabilities.
Conditions
- All bugs must be new discoveries.
- The researcher is the original source of the bug through their own research.
- The researcher has given us a reasonable amount of time to act upon the disclosure before disclosing it to any other organization, or to the public.
- The researcher must not reside in a country currently on a United States or European Union sanctions list.
Out of scope
Please be aware that there may be certain vulnerabilities that we cannot accept for our bug bounty program. These reasons may include situations where the vulnerability is already known to us, where our business needs to override the potential impact, or where the level of risk or harm is considered to be low and acceptable, among other factors.
Non-qualifying security vulnerabilities include:
- Brute-force attack
- Clickjacking on static website
- Client-Side Enforcement of Server-Side Security
- Content injection
- Cross-site tracing without endpoints vulnerable to XSS
- CSRF with minimal security implications, i.e.:
  - CSRF on logout
  - Publicly available site content, e.g. empty profile pages or forms
- Content in cache after logout
- Side-channel attacks
- Disclosure of robots.txt file
- Good practice settings:
  - CSP uses unsafe-inline
  - Missing Certificate Authority Authorization rule
  - Missing HSTS
  - Missing security headers
- Open redirect using Host header
- IDN homograph attack
- JavaScript errors
- Missing rate limit for password field, and other rate limiting
- Reverse tabnabbing
- Self Inflicted Denial of Service
- Server version and other non critical server info disclosure
- Specific HTTP method enabled
- Weak password policy
- Weak SSL/TLS cipher suites that serve out-of-date browsers and users
- Lack of mobile binary protection, mobile SSL pinning
- Bugs that only affect legacy or unsupported browsers, plugins or operating systems.
- Insecure cookie settings for non-sensitive cookies
- Vulnerabilities that apply only to you or your own account
- Web server banner disclosure issues
- Self-XSS and any related issues that can only be exploited through Self-XSS.
- Error messages, such as stack traces, application or server errors, HTTP error pages, and so on.
- Issues that are only exploitable with a valid CSRF token.
- Clickjacking and any associated issues that can only be exploited through clickjacking.
- Issues that have already been reported previously, are already known to us internally, or have been disclosed publicly.
- CSRF on forms and actions that are accessible to anonymous users, like search and contact forms.
- Attacks involving phishing, social engineering or trojans, e.g. open redirects, site clones, malicious URL shorteners, key loggers, etc.
- Issues that are not directly related to the graphenedb.com website, such as subdomains, email spoofing, SPF/DMARC/DKIM configuration, and so forth.
- User enumeration in sign-up page
- Reports related to permitted password strength
- Perceived security weaknesses without evidence of the ability to target a remote victim
- Reports exploiting the behaviour of, or vulnerabilities in, outdated browsers
- False reports, or reports lacking evidence of a vulnerability
- Reports of broken links
Rules
- Confidentiality is of utmost importance. Please refrain from disclosing the nature of any vulnerability to others, both before and after disclosure to us. Failure to keep vulnerabilities confidential may disqualify you from receiving payment.
- Only security related issues are accepted.
- To ensure that your submission is accepted, you must provide all required information.
- Please submit each vulnerability in a separate email. Do not reply to previous reports with additional vulnerabilities, as those may be overlooked.
- Please send your vulnerability report, along with any supporting documentation, to support@graphenedb.com.
- When submitting your report, please use the following format for the subject line: "Bug Bounty: [PRIORITY LEVEL] [VRT category]". For example: "Bug Bounty: P2 Sensitive Data Exposure."
- Please include the "Specific vulnerability" and "Variant or Affected Function" if available from the VRT mentioned above in the body of your email.
- In order to help us better understand and evaluate the vulnerability, please include a detailed Proof of Concept (PoC) in your report. This can include screenshots or a screen video capture in any open format, steps to reproduce, and any other relevant information.
Additional Rules
Attempting any of the following without notifying us in advance will result in disqualification from the rewards program.
- Brute-force mechanisms (e.g. password guessing libraries) to pentest our platform.
- This bounty program is security-focused and therefore does not cover phishing schemes, disruption or denial of service attacks, or load balancing issues resulting from spam, brute forcing, coordinated DDoS attacks, etc. Consequently, you are not allowed to perform any such action on GrapheneDB services.
- Vulnerability scans or automated scans (Burp, Nessus, etc.)
- Your testing cannot violate any law, disrupt GrapheneDB's services or negatively affect other users in any way.
- You cannot disclose vulnerabilities to the public or to third parties before they are addressed.
- Any interaction with other accounts on the GrapheneDB site is prohibited. Use test accounts when investigating issues.
- GrapheneDB will require an invoice with your name and address in order to pay out the reward and you must agree to confirm your identity with us.
- Should you be eligible for a reward, you are responsible for any taxes and fees depending on your country of residency.
- By submitting the vulnerability report, you assign full intellectual property rights to the report to GrapheneDB and relinquish any copyright to the report itself.
Rewards
- Priority P1: Bounty $750
- Priority P2: Bounty $500
- Priority P3: Bounty $250
- Priority P4: Bounty $150
- Other: Bounty $0
It is important to note that although we appreciate all vulnerability submissions, we cannot provide payouts for low-priority vulnerabilities at this time. However, we are willing to offer feedback on these vulnerabilities or to recommend you on a recognized bug bounty or security website.
In the case where multiple vulnerabilities can be exploited by leveraging a single vulnerability, we will only provide a payout for the highest value vulnerability.
Additional rewards
We are aware of certain security vulnerabilities that are known and documented. However, we have made a decision not to prioritize addressing these vulnerabilities due to factors such as limited benefits or the possibility of alternative mitigation measures. We maintain an exclusion list to track these cases, but it is possible that some vulnerabilities may have been inadvertently omitted from the list.
If you discover a vulnerability that is valid according to the VRT taxonomy and is not listed in our exclusion list, we consider it to be a deviation from the Bug Bounty Program document. To acknowledge your efforts in bringing this to our attention, we are pleased to offer a reward of $50.