Plotly Security Vulnerability Bounty Program
Plotly welcomes reports of serious security issues that substantially affect the confidentiality or integrity of user data. If you believe you have found a serious security vulnerability, please email email@example.com with steps to reproduce the problem. Please allow up to 24 hours for an initial response, or more on weekends.
Plotly Security Advisories have their own page.
We also run a private program on HackerOne. If you’d prefer to report a vulnerability via HackerOne and have a positive Signal statistic on HackerOne, please email us your HackerOne username as well as the email address you use there. (If you don’t currently have any vulnerabilities to report please don’t request an invitation.)
In some cases, we will award monetary compensation (bounties) for these reports. These rewards are entirely up to our security team’s discretion. The amount of the reward is based on the complexity of successfully exploiting the vulnerability, the potential exposure, as well as the percentage of impacted users and systems.
The following issues are unlikely to be eligible for a bounty:
- Known issues (if we are already aware of vulnerability then we will not issue an award)
- Low impact vulnerabilities, e.g. exploiting the issue requires complex user interaction, or the issue can’t actually be exploited to expose user data
- Issues found through automated testing
- Open ports, unless they can be exploited to compromise the confidentiality or integrity of user data.
- Publicly-released bugs in internet software within 3 days of their disclosure
- “Advisory” or “Informational” reports that do not include any Plotly-specific testing or context
- Denial of Service (DOS) attacks
- Spam or Social Engineering techniques, including SPF and DKIM issues. We do not plan on implementing DMARC at this time.
- Issues relating to Password Policy or session lengths
- Full-Path Disclosure on any property
- Version number information disclosure
- Reports related to HTTP headers or server configuration that aren’t actually exploitable (e.g. HSTS configuration, Host header redirects)
- Bypasses of the “paywall” features (requiring a paid account to access certain features) in Plotly online tools
- Browsable files, directories, folders, buckets, or sites that do not contain confidential data (including
package.json, and similar files), and including internal usernames and IDs. (Passwords are considered confidential except as noted elsewhere in this document.)
- Note that we don’t own the s3 bucket named
plotly. We’re aware that it’s misconfigured but we can’t fix it.
- User enumeration issues, unless they are otherwise exploitable to compromise user accounts
- Open redirect issues on sites that show only static content, or content not editable by end users, such as
- International Domain Name issues or homograph-type issues.
- Like many sites that allow user-supplied content, we allow linking to 3rd party images and iframes. We are aware that this allows 3rd parties to track users who view pages that contain such images and iframes, and that under certain circumstances browsers will display authentication dialogs.
- We are aware that you can sign up for Plotly with a disposable email address, or an email address containing a plus (“+”) sign, and don’t consider this a vulnerability.
- We are aware that password reset tokens, activation tokens, authentication secrets, and the like are sent to 3rd party sites. These are trusted partner sites with good security practices.
- We host several public, read-only databases to allow testing by customers and open source developers. A partial list can be found in the falcon-sql-client repo, and others are on the
test.plotly.hostdomain, but other servers may exist. Before reporting a publicly available server, please make sure it contains confidential data and is not in this list.
- If you change your password, we log out all your other sessions (e.g. in other browsers) as a security precaution. We test this feature regularly and are confident that it works. If you believe you have found an issue with this, please test carefully and enclose proof of the issue you are reporting. As a minimum, please send screenshots of all pages you access along with request and response headers from every action you take. Video proof of concepts will not be accepted here (and are strongly discouraged in general). Also note that it may be necessary to reload the page in the second session in order to confirm that you have been logged out by our backend.
In investigating security issues, we ask that:
- You give us reasonable time to investigate and mitigate an issue you report before making public any information about the report or sharing such information with others.
- You do not interact with an individual account (which includes modifying or accessing data from the account) if the account owner has not consented to such actions.
- You make a good faith effort to avoid privacy violations and disruptions to others, including (but not limited to) destruction of data and interruption or degradation of our services.
- You do not exploit a security issue you discover for any reason. (This includes demonstrating additional risk, such as attempted compromise of sensitive company data or probing for additional issues.)
- You do not violate any other applicable laws or regulations.
Subject to the restrictions outlined elsewhere in this document, Plotly pays bounties for issues in the following scopes:
- All issues affecting confidentiality of user data or security of user accounts on Plotly Cloud, excluding test or staging servers unless real user data is exposed.
- Issues in any other service running on a
plot.lysubdomain that could be used to attack Plotly Cloud.
- All issues affecting confidentiality of user data or security of user accounts in Plotly On-Premise.
- We are also interested in hearing about security issues in the plotly.js Open Source graphing library, but note that we don’t pay bounties unless the issue affects Plotly Cloud or Plotly On-Premise. (Note that most XSS issues that can be exploited using the plot JSON will affect these sites.)
Additional legal terms
By participating in Plotly’s Bug Bounty program (the “Program”), you acknowledge that you have read and agree to Plotly’s terms of service as well as the following:
- You’re not participating from a country against which the United States has issued export sanctions or other trade restrictions, including Cuba, Iran, North Korea, the Sudan and Syria.
- Your participation in the Program will not violate any law applicable to you, or disrupt or compromise any data that is not your own.
- You are solely responsible for any applicable taxes, withholding or otherwise, arising from or relating to your participation in the Program, including from any bounty payments.
- Plotly reserves the right to modify, terminate or discontinue the Program at its discretion.