Dremio does not have a formal bug bounty program yet, but we welcome submissions and act to resolve security issues reported to us in a timely manner.
Dremio considers some vulnerabilities as out of scope. These include but are not limited to:
- Low Severity Clickjacking Vulnerabilities
- Missing SPF/DKIM/DMARC policies
- Display of Organization IDs during login flow
- User enumeration/brute forcing
- Automated Scans report (without an exploitable PoC)
- Content Spoofing Vulnerabilities
- Denial of Service (DoS)
- Issues present only in older versions of browsers or plugins
- Low Impact CSRF issues, including but not limited to: Login and Logout CSRF
- Missing Rate Limiting Protections (unless corresponding to authentication flow)
- Missing Security Headers and Cookie Flags which can't be exploited by themselves (for example Strict-Transport-Security, HttpOnly)
- Social engineering and phishing attacks
- Spam e-mail (missing rate limiting protections)
- SSL vulnerabilities related to configuration, version, weak ciphers (without a working exploit)
- Use of a vulnerable 3rd party library/code snippet (without providing an exploitable scenario)
- Vulnerabilities exploitable only on unsupported and outdated browsers, frameworks and platforms
- Weak password
- Any other submission assessed to be of low/no risk or impact