Security (2024)

Only findings for domains under this Scope section qualify for an award. Additionally, any findings that have been previously reported and tracked will not be eligible for an award.

https://qa.wandb.ai
https://api.qa.wandb.ai

All other subdomains are excluded from scope.

• Denial of Service (especially, self-DoS issues where only the person doing the action is denied service)
• Rate limiting bypass, except those that have a direct security impact
• Missing DKIM/DMARC/SPF DNS records on domains that do not send email
• Clickjacking on pages with no sensitive actions
• Open redirect, except those that have a direct security impact such as sending authentication tokens to an arbitrary domain
• Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions
• Attacks requiring MITM or physical access to a user’s device
• Previously known vulnerable libraries without a working Proof of Concept
• Missing best practices in SSL/TLS configuration.
• Content spoofing and text injection issues without showing an attack vector or without being able to modify HTML/CSS
• Software version disclosure
• Broken link hijacking

We will only engage with and accept quality reports that include:

• Detailed description of issue with clear, reproducible steps
• Screenshots and/or videos demonstrating a proof-of-concept
• Impact of the vulnerability
• In your email to the Security team, include in the subject line: Bug Bounty Program Disclose: [vulnerability]
• Use the User-Agent string: “bugbountyresearcher_<your_username>” while testing
• Create a dedicated account to do your testing and include the account email/username in your report
• Only perform testing against your own account
• Make a good faith effort to avoid privacy violations, data destruction, or service degradation

• DO NOT use automated vulnerability scanners/tools
• DO NOT exploit vulnerabilities beyond a proof-of-concept
• DO NOT perform Denial-of-Service or brute-force attacks
• DO NOT perform any attacks against our employees or our end users, including social engineering and phishing attacks
• DO NOT allow testing data to pass through 3rd party infrastructure during testing. Make sure that all traffic goes through domains only you have control over. Exposing vulnerability and sensitive data will result in complete forfeiture of any reward.
• If you encounter user information that is not your own in the course of your research, please stop and report this activity to our team so we can investigate. Do not save, copy, transfer, or otherwise use this data. Continuing to access another person’s data may be regarded as a violation of our Rules of Engagement.

Vulnerabilities can be reported to [email protected].

• In your email to the Security team, include in the subject line: Bug Bounty Program Disclose: [vulnerability]
• Refer to the Rules of Engagement for additional details for reporting.

Bounties are classified into the following tiers:

Tier 3: Low severity bugs ($50-$100)

• Self-XSS (XSS requiring interaction other than browsing to exploit)
• Server misconfiguration or provisioning errors
• And other low-severity issues as determined by the Weights & Biases Security Team

Tier 2: Medium severity bugs ($100-$300)

• XSS on pages accessible only to members
• Cross-Site Request Forgery on Sensitive Actions or Functions (CSRF/XSRF)
• And other medium-severity issues as determined by the Weights & Biases Security Team

Tier 1: High severity bugs ($300-$750)

• XSS on pages accessible without logging in
• Session hijacking
• Member data exfiltration

Tier 0: Critical severity bugs ($750-$1000)

• SQL Injection
• Remote Code Execution
• Privilege Escalation
• SSRF to an internal service

You can request additional information about our SOC2 report, penetration testing, or additional documentation below. Please be explicit in the comment box about your request.