As part of building a safe experience for our community, the Graphistry team is ready to work with security researchers through responsible disclosure.
Monetary payment only for contracted pen tests: Do not expect a monetary payment for emailing unsolicited vulnerability reports. Graphistry does not commit to paying for unsolicited commercial services. If you are interested in starting a commercial relationship with Graphistry, we broker various security services through trusted security & compliance parties and government cybersecurity organizations. Please reach out to them instead, and if and when appropriate, these groups will introduce you to us. Graphistry does invest more in security than most startups, including pen testing, but primarily only through those introduced to us by such groups as a match to specific internal initiatives.
Acknowledgement: Graphistry does regularly work with contracted pen testers, and those results are typically private. We can support public acknowledgement, but stress that this requires following the rules of our vulnerability program.
How to Submit a Vulnerability
To submit a vulnerability report to Graphistry’s Product Security Team, please use the following email: firstname.lastname@example.org.
Preference, Prioritization, and Acceptance Criteria
We will use the following criteria to prioritize and triage submissions.
What we would like to see from you:
What you can expect from Graphistry:
Do no harm
At no time may you access or modify the private data of others; interrupt, degrade, or deny service to other users; or cause any form of harm to Graphistry staff, service providers, partners, or users. This carries through any public dissemination phases. Avoid breaking any laws or regulations, and avoid causing Graphistry to do the same.
If we are unable to resolve communication issues or other problems, Graphistry may bring in a neutral third party to assist in determining how best to handle the vulnerability.
We prioritize the following production systems:
We do not guarantee protection for attempts to breach other services, such as our bank accounts and employee devices.
We are broadly interested in the confidentiality & integrity of user data following traditional web and cloud security models.
At this time, we do not encourage reports of availability attacks.
We assume the traditional network attacker model, such as a public web user accessing private content of another, or an account holder escalating their privileges.
At this time, we do not encourage alternative vectors, such as social engineering, account squatting, non-actionable injections, CSRF on non-sensitive forms, disclosure of version numbers, missing best practices such as specific headers, and issues impacting outdated systems.
Graphistry will not engage in legal action against individuals who submit compliant vulnerability reports through our Vulnerability Reporting inbox and publish disclosures in a way we deem acceptable. We openly accept reports for the currently listed Graphistry products. We agree not to pursue legal action against individuals who: