Responsible Disclosure Limitations

Dremio does not yet have a formal bug bounty program, but we welcome submissions and act in a very timely manner to resolve security issues that are submitted to us.

Dremio considers some vulnerabilities out of scope. These include but are not limited to:

  • Low Severity Clickjacking Vulnerabilities
  • Missing SPF/DKIM/DMARC policies
  • Display of Organization IDs during login flow
  • User enumeration/brute forcing
  • Automated Scan reports (without an exploitable PoC)
  • Content Spoofing Vulnerabilities
  • Denial of Service (DoS)
  • Issues present only in older versions of browsers or plugins
  • Low Impact CSRF issues, including but not limited to: Login and Logout CSRF
  • Missing Rate Limiting Protections (unless corresponding to authentication flow)
  • Missing Security Headers and Cookie Flags that can’t be exploited by themselves (for example, Strict-Transport-Security, HttpOnly)
  • Social engineering and phishing attacks
  • Spam e-mail (missing rate limiting protections)
  • SSL vulnerabilities related to configuration, version, weak ciphers (without a working exploit)
  • Use of a vulnerable 3rd party library/code snippet (without providing an exploitable scenario)
  • Vulnerabilities exploitable only on Unsupported and Outdated Browsers, Frameworks and Platforms
  • Weak password
  • Any other submission assessed to be of low/no risk or impact