Reporting Security Vulnerabilities to Drata
Drata aims to keep its Services safe for everyone, and data security is of utmost priority. If you are a security researcher and have discovered a security vulnerability in the Services, we appreciate your help in disclosing it to us in a responsible manner.
Our responsible disclosure process is hosted by HackerOne's bug bounty program and is currently an invite-only program. To request an invite to disclose a finding to our team, please email our security team at [email protected]. Once invited to the program, you can access our program to report any security vulnerabilities.
Only vulnerabilities submitted via the appropriate channel may be eligible for a reward. If you've previously responsibly disclosed a vulnerability to us, thank you.
When submitting a vulnerability, please adequately describe the attack scenario, the level of exploitability, the impact of the finding on Drata and/or Drata's customers and users, and a detailed report with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
Program Rules for Responsible Disclosure
- Accessing any customer data is always strictly prohibited.
- Accessing any Drata internal data is always strictly prohibited.
- Submit only one vulnerability at a time unless vulnerabilities are chained together to demonstrate impact.
- When duplicate submissions occur, we award only the first reproducible report received.
- Multiple vulnerabilities having a single underlying root cause will be awarded singularly.
- Social engineering (e.g. phishing, vishing, smishing) is prohibited.
- Privacy violations, destruction of data, and interruption or degradation of our service must be avoided. You must only use accounts you own or have the explicit permission of the account owner.
- Results matching findings from SSL/TLS testing sites, Security Score sites, or similar will not be eligible for bounty.
Out of Scope Vulnerabilities and Exclusions
Known vulnerabilities are eligible for reward and may be marked as duplicates if the root cause aligns too closely with an already reported issue. Drata intends to award the maximum allowable bounty for every report.
The following issues are considered out of scope:
- Clickjacking on pages with no sensitive actions.
- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions.
- Previously known vulnerable libraries without a working Proof of Concept.
- Any activity that could lead to the disruption of our service (DoS).
- Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.
- Missing best practices in Content Security Policy.
- Missing email best practices (for example, invalid, incomplete or missing SPF/DKIM/DMARC records).
- Vulnerabilities affecting users of outdated or unpatched browsers.
- Public Zero-day vulnerabilities that have had an official patch available for less than 1 month will be awarded on a case-by-case basis.
- Open redirect (without additional security impact demonstrated).
