Update to our Bug Bounty Program
Dear Researchers,
We value the contributions of the security community in making our platform more secure. However, due to an overwhelming number of automated or invalid reports, as well as submissions that do not adhere to our program’s application rules, we are implementing some necessary changes.
Effective immediately:
- No Automated or Invalid Reports: We will no longer respond to reports that appear to be automated, non-applicable, or not in line with our program guidelines.
- Adherence to Application Rules: Only researchers who have carefully reviewed our Bug Bounty Program’s terms and have applied accordingly will receive a response. It’s crucial to ensure that you’ve read and fully understand the rules and terms of our program before submitting any reports.
This change is to streamline the process and prioritize researchers who have shown diligence in understanding our guidelines and terms. We appreciate your understanding and look forward to your valuable contributions.
Thank you for your commitment to improving the security of our platform.
Overview
GrapheneDB is a Graph Database-as-a-Service platform that provides reliable and scalable solutions for developers and businesses to build and manage their graph-based applications. We are committed to ensuring the highest level of security and privacy for our customers and their data.
To achieve this, we are launching a bug bounty program that invites security researchers, ethical hackers, and enthusiasts to identify and report any security vulnerabilities they discover in our platform. By doing so, they will be helping us to identify and fix potential security threats and protect our customers’ data. We’d like to emphasize that our Bug Bounty program is security-oriented and does not focus on discoveries of general bugs or logical errors.
This bug bounty program is an essential part of our security strategy, as it allows us to leverage the skills and knowledge of the security community to improve our security posture. It also demonstrates our commitment to transparency and accountability in the way we handle security.
The bug bounty program is open to everyone, and we welcome submissions from all corners of the globe. We are committed to responding to all valid reports in a timely and efficient manner. We will also provide appropriate rewards to researchers who submit valid reports and follow our responsible disclosure guidelines.
Please note that this bug bounty program is not a license to actively test our systems, and any unauthorized testing or attempted exploitation of our systems is strictly prohibited. The program is designed to encourage responsible and coordinated vulnerability disclosure, and we expect all participants to adhere to our guidelines.
We appreciate your interest in helping us improve our security, and we look forward to working with the security community to make GrapheneDB a safer platform for all our customers.
GrapheneDB has adopted Bugcrowd’s Vulnerability Rating Taxonomy (VRT) for the purpose of prioritizing and paying out on reported bugs. We currently pay out for P1 through P4 vulnerabilities.
Conditions
- The researcher applied to participate in the Bug Bounty program by sending an email as explained in the “Application Rules” section and was accepted to participate in the program.
- All bugs must be new discoveries.
- The researcher is the original source of the bug through their own research.
- The researcher has given us a reasonable amount of time to act upon the disclosure before disclosing it to any other organization, or to the public.
- The researcher must not reside in a country currently on a United States or European Union sanctions list.
Domain scope
The domain scope that falls under our Bug Bounty program is as follows:
- console.graphenedb.com
- www.graphenedb.com
Anything else is considered out of scope, and any report related to out-of-scope domains will be considered an invalid report.
Application Rules
To participate in the Bug Bounty program, please contact support@graphenedb.com with your intent and specify the email address you’ll use for all related activities, including but not limited to account registration and support forms. Your application email must include:
- The scope of the research you are planning to do.
- Your name and surname.
- Your researcher profile.
- Your contact details.
We will evaluate the participation request and, if valid, we will send a confirmation email stating that it is accepted. Do not proceed until you have received a confirmation email from us.
By applying to our Bug Bounty program you accept the Bug Bounty program terms.
Out of scope
Please be aware that there may be certain vulnerabilities that we cannot accept for our bug bounty program. Reasons may include situations where the vulnerability is already known to us, where business needs override the potential impact, or where the level of risk or harm is considered to be low and acceptable, among other factors.
Non-qualifying security vulnerabilities include:
- Brute-force attack
- Clickjacking on static website
- Client-Side Enforcement of Server-Side Security
- Content injection
- Cross-site tracing without endpoints vulnerable to XSS
- CSRF with minimal security implications, i.e.:
  - CSRF on logout
  - Publicly available site content, e.g. empty profile pages or forms
- Content in cache after logout
- Side-channel attacks
- Disclosure of robots.txt file
- Good practice settings:
  - CSP uses unsafe-inline
  - Missing Certificate Authority Authorization rule
  - Missing HSTS
  - Missing security headers
- Open redirect using Host header
- IDN homograph attack
- JavaScript errors
- Missing rate limiting for the password field and other rate-limiting issues
- Reverse tabnabbing
- Self Inflicted Denial of Service
- Server version and other non critical server info disclosure
- Specific HTTP method enabled
- Weak password policy
- Weak SSL/TLS cipher suites that are kept to serve out-of-date browsers and users
- Lack of mobile binary protection, mobile SSL pinning
- Bugs that only affect legacy or unsupported browsers, plugins or operating systems.
- Insecure cookie settings for non-sensitive cookies
- Vulnerabilities that apply only to you or your own account
- Web server banner disclosure issues
- Self-XSS and any related issues that can only be exploited through Self-XSS.
- Error messages, such as stack traces, application or server errors, HTTP error pages, and so on.
- Issues that are only exploitable with a valid CSRF token.
- Clickjacking and any associated issues that can only be exploited through clickjacking.
- Issues that have already been reported previously, are already known to us internally, or have been disclosed publicly.
- CSRF on forms and actions that are accessible to anonymous users, like search and contact forms.
- Attacks involving phishing, social engineering or trojans
  - e.g. open redirects, site clones, malicious URL shorteners, key loggers, etc.
- Issues that are not directly related to the graphenedb.com website, such as subdomains, email spoofing, spf/dmarc/dkim configuration, and so forth.
- User enumeration in sign-up page
- Reports related to permitted password strength
- No password confirmation for delete account
- Any tampering or replay attacks on requests that necessitate an authenticated session by the researcher and where such activities do not impact or leak information beyond that individual session.
- Perceived security weaknesses without evidence of the ability to target a remote victim
- Reports exploiting the behaviour of, or vulnerabilities in, outdated browsers
- False reports, or reports lacking evidence of a vulnerability
- Reports of broken links
Rules
- Confidentiality is of utmost importance. Please refrain from disclosing the nature of any vulnerability to others, both before and after disclosure to us. Failure to keep vulnerabilities confidential may disqualify you from receiving payment.
- Only security related issues are accepted.
- To ensure that your submission is accepted, you must provide all required information.
- Ensure to always contact us with the email used to apply.
- Please submit each vulnerability in a separate email. Do not reply to previous reports with additional vulnerabilities, as those may be overlooked.
- Please send your vulnerability report, along with any supporting documentation, to support@graphenedb.com.
- When submitting your report, please use the following format for the subject line: “Bug Bounty: [PRIORITY LEVEL] [VRT category]”. For example: “Bug Bounty: P2 Sensitive Data Exposure”.
- Please include the “Specific vulnerability” and “Variant or Affected Function” from the VRT mentioned above in the body of your email, if available.
- In order to help us better understand and evaluate the vulnerability, please include a detailed Proof of Concept (PoC) in your report. This can include screenshots or a screen video capture in any open format, steps to reproduce, and any other relevant information.
- A maximum of 2 Organizations, 2 Environments and only the DS1 database plan may be used for testing. Exceeding these limits will lead to disqualification from the Bug Bounty program.
If you fail to adhere to these guidelines, we cannot guarantee that your submission will be considered.
Additional Rules
Attempting any of the following without notifying us in advance will result in disqualification from the rewards program.
- Using invalid emails throughout the system (email addresses that cannot receive emails). This also applies to temporary emails.
- Using brute-force mechanisms (e.g. password-guessing tools) to test our platform.
- This bounty program is security-focused and therefore does not cover phishing schemes, disruption or denial of service attacks, or load balancing issues resulting from spam, brute forcing, coordinated DDoS attacks, etc.
  - Consequently, you are not allowed to perform any such action on GrapheneDB services.
- Running vulnerability scanners or automated scans (Burp, Nessus, etc.).
- Your testing cannot violate any law, disrupt GrapheneDB’s services or negatively affect other users in any way.
- You cannot disclose vulnerabilities to the public or to third parties before they are addressed.
- Any interaction with other accounts on the GrapheneDB site is prohibited. Use test accounts when investigating issues.
- GrapheneDB will require an invoice with your name and address in order to pay out the reward and you must agree to confirm your identity with us.
- Should you be eligible for a reward, you are responsible for any taxes and fees depending on your country of residency.
- By submitting the vulnerability report, you assign full intellectual property rights to the report to GrapheneDB and relinquish any copyright to the report itself.
Rewards
- Priority P1: Bounty $750
- Priority P2: Bounty $500
- Priority P3: Bounty $250
- Priority P4: Bounty $150
- Other: Bounty $0
It is important to note that although we appreciate all vulnerability submissions, we cannot provide payouts for low priority vulnerabilities at this time. However, we are willing to offer feedback on these vulnerabilities or recommend you through a recognized bug bounty or security website.
In the case where multiple vulnerabilities can be exploited by leveraging a single vulnerability, we will only provide a payout for the highest value vulnerability.
Additional rewards
We are aware of certain security vulnerabilities that are known and documented. However, we have made a decision not to prioritize addressing these vulnerabilities due to factors such as limited benefits or the possibility of alternative mitigation measures. We maintain an exclusion list to track these cases, but it is possible that some vulnerabilities may have been inadvertently omitted from the list.
If you discover a vulnerability that is valid according to the VRT taxonomy and is not listed in our exclusion list, we consider it to be a deviation from the Bug Bounty Program document. To acknowledge your efforts in bringing this to our attention, we are pleased to offer a reward of $50.
Rewards payout
We process Bounty payments via wire transfer with a 30-day payment term.
Additional Application Rules
To confirm that you have read, understood and agree with the terms and conditions of the Bug Bounty Program, add the following statement to the body of your application email:
I read, understood and agree with the terms of the Bug Bounty Program and I accept that only email I will use during a research for the forms, signups and elsewhere will be the same email as the one I used to apply for the participation in the Bug Bounty Program.
To ensure that our Bug Bounty Program has been read and understood in its entirety, we’ve incorporated a specific code word to be included in your application email’s subject. When submitting your application, use the code word “GDBBUGBOUNTY092023” in the subject. Structure your subject as follows:
Subject: Bug Bounty Program GDBBUGBOUNTY092023
Applications not adhering to this format may not be reviewed or responded to. This practice assists us in identifying genuine applications from those who have thoroughly reviewed the program’s content.
Communication turnaround
Please be advised that our team typically reviews and responds to inquiries within a timeframe of 2 business days. Your patience is appreciated during this process.