Panther is a security data analytics platform used for log analysis, cloud security, and data analytics over a vast amount of data. Panther is designed for cloud-first environments and is backed by Serverless components written in Golang, Python, and React.

No technology is perfect, and we believe that working with skilled security researchers across the world is crucial in identifying improvements in any technology. If you have found a security issue, we encourage you to notify us to resolve the issue promptly.

Disclosure Policy

• The vulnerability must result in material, security impact
• Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.
• Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.

Bounty ranges

Bounty amounts are based on severity and will range from $100 to $1,337 USD.

The Panther Labs team reserves the right to make the final call on the specific bounty amount for any issue, but to give you an idea of our priorities, here are some rough ranges for bounties and the types of issues we expect would fall into each range:

Severe issues

Bounty: $500 - $1337

• Remote Code Execution
• SQL/NOSQL injection

Moderate issues

Bounty: $250 - $500

• XSS
• CSRF
• Broken Authentication

Low severity issues

Bounty: $100 - $250

• User data exposure
• Broken session management
• Unvalidated redirects/forwards
• Issues requiring an uncommon configuration option

No Reward

Bounty: $0

• Any behavior which is clearly documented
• Any behavior which is the result of deliberate misconfiguration
• Issues in third-party libraries (please report issues directly to the maintainers)
• Issues discovered while scanning without permission
• The OPTIONS header
• SPF/DKIM/DMARC settings
• Roadmap page (https://portal.productboard.com/runpanther)

Exclusions

While researching, we'd like to ask you to refrain from:

• Testing the embedded website Chat (this is managed by Drift and is out of scope)
• Spamming through forms or any other avenue leading to spam
• WAF bypasses (report to Cloudflare directly)
• Denial of service
• Social engineering (including phishing) of Panther Labs staff or contractors
• Any physical attempts against Panther Labs property or data centers

Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

Thank you for helping keep Panther users safe!