As part of Databricks’ commitment to security, we reward security researchers who find and report to us critical security vulnerabilities and help us keep our business and customers safe. By participating in this program, you are agreeing to the Databricks terms and conditions.

Creating your Databricks Accounts

Free Edition: Sign up here for a personal workspace. This edition has specific limitations, such as the absence of Scala and custom compute. Enterprise Workspace: To test features not available on Free Edition, use the HackerOne Request Credential button. You will be invited to a managed workspace. Note: You will not have administrative privileges in this environment.

• For both starting points, your home page will show different resources and video links. These can help you become familiar with the complicated Databricks environment.
• For further information on using Databricks, please visit https://docs.databricks.com/.
• Databricks Architecture Overview: https://docs.databricks.com/en/getting-started/overview.html
• Databricks Product Walkthroughs for Researchers - F3696045

General Program Rules

• Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.
• Only interact with accounts you own or with express written permission of the account holder. Our security team is here to support your research and collaborate with you.
• Use your best judgment to avoid unintentional access to customer information. As part of your research, do not modify any files or user or customer data, including permissions, and do not intentionally view or access any data beyond what is needed to prove the vulnerability.
• Contact us immediately if you inadvertently encounter user or customer data, and immediately and securely purge any data belonging to anyone other than you that you acquire upon reporting the vulnerability to Databricks.
• Do not disclose your report or the vulnerability without prior express written permission from Databricks.

Report and Reward Guidelines

• When reporting, submit only one vulnerability per report, unless you need to chain vulnerabilities to provide impact or demonstrate the issue.
• If an issue requires the execution of multiple exploits, the chain and the report must include both compiled and source versions, everything needed to execute the chain, and a sample non-destructive payload, if needed.
• Cross-Site Scripting (XSS) vulnerabilities, including those demonstrated to enable one-click Account Takeover (ATO), will generally be triaged as High Severity because they require user interaction and typically impact only a single user session. The role of the targeted user does not, by itself, increase severity.

Technical Details

• Databricks is a Remote Code Execution environment, thus most instances of RCE are considered to be part of the product, and not vulnerabilities. Please do not report remote code execution unless you believe it is either unintended, or violates the security guarantees of the platform.
• Notebooks execute as root and all cluster access is root - this is expected. There are no security boundaries within a cluster.
• Please be aware the Databricks product allows launching of Spark clusters on Azure, and these clusters cost us money to run. Please be mindful of this and do not create excessive clusters.

Open source projects

Terms and Conditions

Applicable Laws. You must comply with all applicable laws, including local laws of the country or region in which you reside or in which you access or use Databricks services. Bounty. Databricks bug bounties are granted solely at Databricks’ discretion. Data. Your testing must not violate any law, or disrupt, compromise or damage data or property that is not your own. This includes attacking any devices or accounts other than your own (or those for which you have express written permission) and using social engineering (e.g., phishing, vishing, smishing) techniques. However, finding technical flaws that can be used for social engineering, such as spoofing or tampering, is allowed. Finances. You are responsible for any tax implications depending on your country of residency and citizenship. There may be additional restrictions on your ability to participate depending upon your local law. General Eligibility & Sanctions. We are unable to issue rewards to individuals who are employed by Databricks, Inc.; are an immediate family member of a person employed by Databricks, Inc.; or have less than 18 years of age. We are also unable to issue rewards to individuals who are in any U.S. embargoed countries or on the U.S. Department’s list of Specially Designated Nationals or the U.S. Department of Commerce Denied Persons List or Entity List or any other restricted party lists. Research. Immediately both stop your research and notify Databricks using the reporting process before any of the following occur: * You access any accounts or data other than your own (or those for which you have express written permission from their owners) * You disrupt any Databricks service * You access a non-customer facing Databricks system.

If you have already accessed data other than your own, and acquired it, contact us immediately, and securely purge any data you have acquired upon reporting the vulnerability to Databricks.