Grafana Labs bug bounty: What you need to know about our new partnership with Intigriti
Grafana Labs is happy to announce that we have partnered with Intigriti, a leading bug bounty platform, to expand our bug bounty program. This collaboration will enable us to work more effectively with security researchers from around the world in a scalable, sustainable way.
Moving to a platform that handles initial triage will allow us to focus on valid reports and expand our scope, covering a wider range of Grafana Labs-developed products and services. Let’s take a look at how our new partnership with Intigriti will work.
FAQ: What you need to know
What is the scope of the new program?
Currently, the eligible projects are Grafana OSS and our other open source backends (Grafana Loki, Grafana Mimir, Grafana Pyroscope, and Grafana Tempo), but this relaunch allows us to progressively launch additional programs for new and existing products in the future.
What are the submission requirements?
We will accept valid security vulnerabilities that exist in the latest released version of the products that are listed in scope. All eligible submissions must prove a security impact, and we reward based on the described impact in the submission provided by the researcher.
Any current or former (in the last 12 months) Grafana Labs employees and contractors are not permitted to participate in this program.
What happens after I submit a reward-eligible vulnerability report?
Intigriti’s triage team will perform an initial assessment of the submission before we review it, meaning they will verify that the vulnerability is in scope, is not a duplicate, and is reproducible. If those criteria are met, we (Grafana Labs) will perform a second round of reviews. This second round is intended to assess whether we already know about the issue internally or whether it’s intentional functionality.
If the submission is eligible for a reward, we will assess the severity based on the impact described in the report. We follow the CVSS 3.1 scoring system, so we will map bounties to a calculated CVSS score. If a report is of exceptionally high quality, we might offer a bonus bounty to incentivize clear and detailed reports.
What is Grafana Labs’ response time to submissions?
After Intigriti has validated the submission, Grafana Labs will respond within the following timelines:
| Vulnerability Severity | Time to validate (working days) |
|---|---|
| Exceptional | 2 |
| Critical | 2 |
| High | 5 |
| Medium | 15 |
| Low | 15 |
Once a submission has been assigned to us, we will typically respond to it within two business days. We reward on triage, meaning we will send the bounty regardless of whether the fix has been published yet, as long as we have sufficient information to assess the impact.
What is the payment structure for bounties?
We will continue to offer top-tier, market-competitive bounties. We used Intigriti’s bug bounty calculator to set bounty levels that are above the industry median.
| Severity (CVSS 3.1) | Minimum Bounty | Maximum Bounty |
|---|---|---|
| Low (0.1 - 3.9) | 100 USD | 500 USD |
| Medium (3.9 - 6.9) | 500 USD | 2,000 USD |
| High (7.0 - 8.9) | 2,000 USD | 7,500 USD |
| Critical (9.0 - 9.4) | 7,500 USD | 10,000 USD |
| Exceptional (9.5 - 10.0) | 10,000 USD | 15,000 USD |
How are bounties paid out?
All bounties will be paid out directly via the Intigriti platform. If the researcher wants to transfer the funds to their personal bank account, it usually takes three to five business days, according to Intigriti.
Will Grafana Labs still be transparent with its program?
Currently, it is not possible to publish submissions on Intigriti. However, for all open source products that are in scope, we will assign a CVE. That CVE will be published in our CVE database, where we will provide detailed information about the vulnerability.
For all published CVEs, we will continue to ask the researcher if they want to be credited in our Security Hall of Fame.
Lessons learned from self-hosting
Now that you’re up to speed on our changes, I want to briefly reflect on what we learned from self-hosting, for the sake of transparency.
Initially, we thought self-hosting was the right choice. We wanted full control from start to finish, allowing us to have generous response times, pay on triage, and build a strong security community. And there was a fair share of positives.
It was great to build those relationships, and the triage process also helped us understand our scope and products better. As security engineers, we have the best understanding of our products’ threat models. This insight helped us identify issues that initially seemed out of scope but could still provide significant security improvements for our products.
However, we ran into a number of issues that ultimately led us to make this change. For starters, there weren’t any well-maintained open source bug bounty platforms, so we had to build a bunch of workarounds in GitHub to keep the program running as we scaled. We also spent most of our time triaging reports that were clearly out of scope or invalid, and we lacked the reach of a major bug bounty platform.
Moving the program to Intigriti will help us scale and improve the program going forward. If you have any questions regarding the bug bounty programs, feel free to join our public Slack channel.