Responsible Disclosure Limitations

Dremio does not yet have a formal bug bounty program, but we welcome submissions and we act to resolve security issues reported to us in a timely manner.

Dremio considers some vulnerabilities as out of scope. These include but are not limited to:

  • Low Severity Clickjacking Vulnerabilities
  • Missing SPF/DKIM/DMARC policies
  • Display of Organization IDs during login flow
  • User enumeration/brute forcing
  • Automated Scans report (without an exploitable PoC)
  • Content Spoofing Vulnerabilities
  • Denial of Service (DoS)
  • Issues present only in older versions of browsers or plugins
  • Low Impact CSRF issues, including but not limited to: Login and Logout CSRF
  • Missing Rate Limiting Protections (unless corresponding to authentication flow)
  • Missing Security Headers and Cookie Flags which cannot be exploited by themselves (for example Strict-Transport-Security, HttpOnly)
  • Social engineering and phishing attacks
  • Spam e-mail (missing rate limiting protections)
  • SSL vulnerabilities related to configuration, version, weak ciphers (without a working exploit)
  • Use of a vulnerable 3rd party library/code snippet (without providing an exploitable scenario)
  • Vulnerabilities exploitable only on unsupported and outdated browsers, frameworks and platforms
  • Weak passwords
  • Any other submission assessed to be of low/no risk or impact