Bug bounty program overview
Welcome to the Weights & Biases Bug Bounty Program! We’re thrilled to invite skilled cybersecurity enthusiasts and ethical hackers to join us in fortifying the security of our systems. Our program offers an opportunity for you to leverage your expertise and creativity in identifying vulnerabilities within our digital infrastructure. By participating, you’ll not only contribute to the enhancement of our security posture but also play a crucial role in safeguarding the privacy and integrity of our users’ data. Join us in our mission to create a safer digital environment, and let’s work together to squash bugs and strengthen our defenses.
Scope
Only findings for domains under this Scope section qualify for an award. Additionally, any findings that have been previously reported and tracked will not be eligible for an award.
https://qa.wandb.ai
https://api.qa.wandb.ai
All other subdomains are excluded from scope.
Scope exclusions
- Denial of Service (especially self-DoS issues, where only the person performing the action is denied service)
- Rate-limiting bypasses, except those with a direct security impact
- Missing DKIM/DMARC/SPF DNS records on domains that do not send email
- Clickjacking on pages with no sensitive actions
- Open redirect, except those that have a direct security impact such as sending authentication tokens to an arbitrary domain
- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions
- Attacks requiring MITM or physical access to a user’s device
- Previously known vulnerable libraries without a working Proof of Concept
- Missing best practices in SSL/TLS configuration
- Content spoofing and text injection issues without showing an attack vector or without being able to modify HTML/CSS
- Software version disclosure
- Broken link hijacking
Rules of engagement
We will only engage with and accept quality reports that include the following and that follow these testing rules:
- Detailed description of issue with clear, reproducible steps
- Screenshots and/or videos demonstrating a proof-of-concept
- Impact of the vulnerability
- In your email to the Security team, include in the subject line: Bug Bounty Program Disclose: [vulnerability]
- Use the User-Agent string: “bugbountyresearcher_<your_username>” while testing
- Create a dedicated account to do your testing and include the account email/username in your report
- Only perform testing against your own account
- Make a good faith effort to avoid privacy violations, data destruction, or service degradation
Non-disclosure
Individuals reporting vulnerabilities to Weights & Biases must sign an NDA. The Weights & Biases Security team will provide you with an NDA to sign.
Program policies
- DO NOT use automated vulnerability scanners/tools
- DO NOT exploit vulnerabilities beyond a proof-of-concept
- DO NOT perform Denial-of-Service or brute-force attacks
- DO NOT perform any attacks against our employees or our end users, including social engineering and phishing attacks
- DO NOT allow testing data to pass through 3rd party infrastructure during testing. Make sure that all traffic goes only through domains you control. Exposing vulnerability details or sensitive data to third parties will result in complete forfeiture of any reward.
- If you encounter user information that is not your own in the course of your research, please stop and report this activity to our team so we can investigate. Do not save, copy, transfer, or otherwise use this data. Continuing to access another person’s data may be regarded as a violation of our Rules of Engagement.
Sanctioned countries or entities
Individuals participating in the program may not be residents of, or submit from, a country against which the United States has issued export sanctions or other trade restrictions (e.g. Cuba, Iran, North Korea, Syria, the Crimea Region, or any other jurisdiction or area designated by the United States Treasury’s Office of Foreign Assets Control).
Age restrictions
Researchers who would like to submit a vulnerability must be at least 16 years of age. If you are at least 16 years old but are considered a minor in your place of residence, you must get your parent’s or legal guardian’s permission prior to participating.
Report a bug
Vulnerabilities can be reported to [email protected].
- In your email to the Security team, include in the subject line: Bug Bounty Program Disclose: [vulnerability]
- Refer to the Rules of Engagement for additional details for reporting.
Tiers
Bounties are classified into the following tiers:
Tier 3: Low severity bugs ($50-$100)
- Self-XSS (XSS requiring interaction other than browsing to exploit)
- Server misconfiguration or provisioning errors
- And other low-severity issues as determined by the Weights & Biases Security Team
Tier 2: Medium severity bugs ($100-$300)
- XSS on pages accessible only to members
- Cross-Site Request Forgery on Sensitive Actions or Functions (CSRF/XSRF)
- And other medium-severity issues as determined by the Weights & Biases Security Team
Tier 1: High severity bugs ($300-$750)
- XSS on pages accessible without logging in
- Session hijacking
- Member data exfiltration
Tier 0: Critical severity bugs ($750-$1000)
- SQL Injection
- Remote Code Execution
- Privilege Escalation
- SSRF to an internal service
Request security info
You can request additional information about our SOC2 report, penetration testing, or additional documentation below. Please be explicit in the comment box about your request.