Plotly Security & Vulnerability Program

Plotly welcomes reports of serious security issues that substantially affect the confidentiality or integrity of user data in Dash Enterprise, Chart Studio Enterprise, and Chart Studio Cloud, as well as serious security issues that affect Dash Apps hosted on Dash Enterprise. If you believe you have found a serious security vulnerability, please email security@plot.ly with steps to reproduce the problem. Please allow up to 24 hours for an initial response, or more on weekends.

Plotly Security Advisories have their own page.

We also run a private program on HackerOne. If you’d prefer to report a vulnerability via HackerOne and have a positive Signal statistic on HackerOne, please email us your HackerOne username as well as the email address you use there. (If you don’t currently have any vulnerabilities to report please don’t request an invitation.)

Rewards

In some cases, we will award monetary compensation (bounties) for these reports. These rewards are entirely up to our security team’s discretion. The amount of the reward is based on the complexity of successfully exploiting the vulnerability, the potential exposure, as well as the percentage of impacted users and systems.

Exclusions

The following issues are unlikely to be eligible for a bounty:

  • Known issues (if we are already aware of vulnerability then we will not issue an award)
  • Low impact vulnerabilities, e.g. exploiting the issue requires complex user interaction, or the issue can’t actually be exploited to expose user data
  • Issues found through automated testing
  • Open ports, unless they can be exploited to compromise the confidentiality or integrity of user data.
  • Publicly-released bugs in internet software within 3 days of their disclosure
  • “Advisory” or “Informational” reports that do not include any Dash Enterprise or Chart Studio-specific testing or context
  • Denial of Service (DOS) attacks
  • Spam or Social Engineering techniques, including SPF and DKIM issues. We do not plan on implementing DMARC at this time.
  • Issues relating to Password Policy or session lengths
  • Full-Path Disclosure on any property
  • Version number information disclosure
  • Reports related to HTTP headers or server configuration that aren’t actually exploitable (e.g. HSTS configuration, Host header redirects)
  • Bypasses of the “paywall” features (requiring a paid account to access certain features) in Plotly online tools
  • Browsable files, directories, folders, buckets, or sites that do not contain confidential data (including .htaccess, gemfile.lock, yarn.lock, package.json, and similar files), and including internal usernames and IDs. (Passwords are considered confidential except as noted elsewhere in this document.)
  • Note that we don’t own the s3 bucket named plotly. We’re aware that it’s misconfigured but we can’t fix it.
  • User enumeration issues, unless they are otherwise exploitable to compromise user accounts
  • Open redirect issues on sites that show only static content, or content not editable by end users, such as blog.plot.ly, plot.ly, or moderndata.plot.ly.
  • International Domain Name issues or homograph-type issues.
  • Like many sites that allow user-supplied content, we allow linking to 3rd party images, iframes, and websites. We are aware that this allows 3rd parties to track users who view pages that contain such images and iframes, and that under certain circumstances browsers will display authentication dialogs. We are aware that it’s possible to include links to malicious sites from certain areas of Chart Studio Cloud.
  • We are aware that you can sign up for Chart Studio Cloud with a disposable email address, or an email address containing a plus (“+”) sign, and don’t consider this a vulnerability.
  • We are aware that password reset tokens, activation tokens, authentication secrets, and the like are sent to 3rd party sites. These are trusted partner sites with good security practices.
  • We host several public, read-only databases to allow testing by customers and open source developers. A partial list can be found in the falcon-sql-client repo, and others are on the test.plotly.host domain, but other servers may exist. Before reporting a publicly available server, please make sure it contains confidential data and is not in this list.
  • If you change your password, we log out all your other sessions (e.g. in other browsers) as a security precaution. We test this feature regularly and are confident that it works. If you believe you have found an issue with this, please test carefully and enclose proof of the issue you are reporting. As a minimum, please send screenshots of all pages you access along with request and response headers from every action you take. Video proof of concepts will not be accepted here (and are strongly discouraged in general). Also note that it may be necessary to reload the page in the second session in order to confirm that you have been logged out by our backend.
  • We’re aware that it is possible to log out Chart Studio Cloud users using a GET request, i.e. “drive by logout”.
  • We are aware that it’s possible to bypass our login rate limiting using multiple IP addresses (e.g. through tor).
  • We are not concerned about Wordpress open redirect, 401 response injection, or xmlrpc.php issues.
  • We’re aware that tabnapping is possible in Chart Studio cloud under certain conditions.
  • We’re aware that it’s possible to connect to plotly.com and related sites with weak SSL / TLS versions and ciphers. This is a tradeoff to increase compatibility with older browsers. Note that modern browsers connect with strong ciphers despite the availablility of others.

Investigation

In investigating security issues, we ask that:

  • You give us reasonable time to investigate and mitigate an issue you report before making public any information about the report or sharing such information with others.
  • You do not interact with an individual account (which includes modifying or accessing data from the account) if the account owner has not consented to such actions.
  • You make a good faith effort to avoid privacy violations and disruptions to others, including (but not limited to) destruction of data and interruption or degradation of our services.
  • You do not exploit a security issue you discover for any reason. (This includes demonstrating additional risk, such as attempted compromise of sensitive company data or probing for additional issues.)
  • You do not violate any other applicable laws or regulations.

Scope

Subject to the restrictions outlined elsewhere in this document, Plotly pays bounties for issues in the following scopes:

  • Issues affecting the public Dash App Gallery, including the ability to permanently modify any running app or its settings.
  • Issues affecting the public Dash App Playground, including the ability to permanently modify any running app or its settings or gain access to unauthorized views (/Manager, /Portal).
  • Access to the Dash App Gallery Admin Console or the Playground Admin Console
  • Issues affecting the confidentiality of user data or security of user accounts in the customer-hosted version of Dash Enterprise
  • All issues affecting confidentiality of user data or security of user accounts on Chart Studio Cloud, excluding test or staging servers unless real user data is exposed.
  • Issues in any other service running on a plot.ly subdomain that could be used to attack Chart Studio Cloud.
  • All issues affecting confidentiality of user data or security of user accounts in Chart Studio Enterprise.
  • We are also interested in hearing about security issues in the plotly.js Open Source graphing library, but note that we don’t pay bounties unless the issue affects Chart Studio Cloud or Chart Studio Enterprise. (Note that most XSS issues that can be exploited using the plot JSON will affect these sites.)

By participating in Plotly’s Security & Vulnerability Program (the “Program”), you acknowledge that you have read and agree to Plotly’s terms of service as well as the following:

  • You’re not participating from a country against which the United States has issued export sanctions or other trade restrictions, including Cuba, Iran, North Korea, the Sudan and Syria.
  • Your participation in the Program will not violate any law applicable to you, or disrupt or compromise any data that is not your own.
  • You are solely responsible for any applicable taxes, withholding or otherwise, arising from or relating to your participation in the Program, including from any bounty payments.
  • Plotly reserves the right to modify, terminate or discontinue the Program at its discretion.