Vulnerability Disclosure Program

As part of building a safe experience for our community, the Graphistry team is ready to work with security researchers through responsible disclosure.


Bounties

Monetary only for contracted pen tests: Do not expect a monetary payment for emailing unsolicited vulnerability reports. Graphistry does not commit to paying for unsolicited commercial services. If you are interested in starting a commercial relationship with Graphistry, we broker various security services through trusted security & compliance parties and government cybersecurity organizations. Please reach out to them instead, and if and when appropriate, these groups will introduce you to us. Graphistry does invest more in security than most startups, including pen testing, but primarily only through those introduced to us by such groups as a match to specific internal initiatives.

Acknowledgement: Graphistry does regularly work with contracted pen testers and those results are typically private. We can support public acknowledgement, but stress this requires following the rules of our vulnerability program.


Policy

How to Submit a Vulnerability

To submit a vulnerability report to Graphistry’s Product Security Team, please use the following email: security@graphistry.com.

Preference, Prioritization, and Acceptance Criteria

We will use the following criteria to prioritize and triage submissions.

What we would like to see from you:

  • Show that you could exploit a vulnerability, but do not actually exploit it
  • Stay within the parameters of this policy, such as the threat model
  • Use your own accounts
  • Well-written reports in English will have a higher probability of resolution.
  • Reports that include proof-of-concept code equip us to better triage.
  • Reports that include only crash dumps or other automated tool output may receive lower priority.
  • Reports that include products not on the initial scope list may receive lower priority.
  • Please include how you found the bug, the impact, and any potential remediation.
  • Please include any plans or intentions for public disclosure.

What you can expect from Graphistry:

  • A timely response to your email (within 1 week).
  • After triage, we will send an expected timeline, and commit to being as transparent as possible about the remediation timeline as well as on issues or challenges that may extend it.
  • An open dialog to discuss issues.
  • Notification when the vulnerability analysis has completed each stage of our review.
  • Credit after the vulnerability has been validated and fixed.
  • If you choose to publicly report on the vulnerability, we will work with you on clarifying useful details and ensuring the presentation passes our editorial review.

Do no harm

At no time may you access or modify the private data of others; interrupt, degrade, or deny service to other users; or cause any form of harm to Graphistry staff, service providers, partners, or users. This applies through any public dissemination phase as well. Do not break any laws or regulations, or cause Graphistry to do so.

If we are unable to resolve communication issues or other problems, Graphistry may bring in a neutral third party to assist in determining how best to handle the vulnerability.


Scope & Threat Model

Surface area

We prioritize the following production systems:

  • hub.graphistry.com and linked services
  • www.graphistry.com and linked services, such as ZenDesk & Slack
  • Self-hosted Graphistry, including Marketplace variants, under reasonably secure conditions (TLS, …)
  • Production cloud accounts and production cloud services
  • Graphistry client APIs (OSS), including PyGraphistry, GraphistryJS, and graph-app-kit

Attempts to breach other services, such as our bank accounts or employee devices, are out of scope and are not covered by the protections of this policy.

Security properties

We are broadly interested in the confidentiality & integrity of user data following traditional web and cloud security models.

At this time, we do not encourage reports of availability attacks.

Attack vectors

We assume the traditional network attacker model, such as a public web user accessing private content of another, or an account holder escalating their privileges.

At this time, we do not encourage alternative vectors, such as social engineering, account squatting, non-actionable injections, CSRF on non-sensitive forms, disclosure of version numbers, missing best practices such as specific headers, and issues impacting outdated systems.


Legal Posture

Graphistry will not engage in legal action against individuals who submit compliant vulnerability reports through our Vulnerability Reporting inbox and publish disclosures in a way we deem acceptable. We openly accept reports for the currently listed Graphistry products. We agree not to pursue legal action against individuals who:

  • Engage in testing of systems/research without harming Graphistry or its customers. For example, denial of service attacks against production systems are not permitted.
  • Engage in vulnerability testing within the scope of our vulnerability disclosure program.
  • Test on products without affecting customers, or receive permission/consent from customers before engaging in vulnerability testing against their devices/software, etc. For example, to test the ability to escalate access, use only your own accounts, not those of other customers.
  • Adhere to the laws of their location and the location of Graphistry. For example, violating laws that would only result in a civil claim by Graphistry (and not a criminal claim) may be acceptable, as Graphistry is authorizing the activity (reverse engineering or circumventing protective measures) to improve its system.
  • Refrain from disclosing vulnerability details to the public before a mutually agreed-upon timeframe expires, and from presenting information in a manner that fails our editorial review.