DataStax provides enterprise organizations with hybrid and multi-cloud data architectures. DataStax looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.
DataStax will make a best effort to meet the following response targets:
Time to first response (from report submit) - 2 business days
Time to triage (from report submit) - 2 business days
Time to bounty (from triage) - 2 business days
Time to resolution (from triage) - 30 business days
We’ll try to keep you informed about our progress throughout the process.
Automated Scanning Prohibited
Where possible, register accounts using your <username>+x@wearehackerone.com addresses.
Provide your IP address in the bug report. We will keep this data private and only use it to review logs related to your testing activity.
Include a custom HTTP header in all your traffic. Burp and other proxies allow the easy automatic addition of headers to all outbound requests. Report to us what header you set so we can identify it easily. For example:
A header that includes your username: X-Bug-Bounty:HackerOne-<username>
A header that includes a unique or identifiable flag: X-Bug-Bounty:ID-<sha256-flag>
When testing for a bug, please also keep in mind:
Minimize the mayhem. Adhere to program rules at all times. Do not use automated scanners/tools - these tools include payloads that could trigger state changes or damage production systems and/or data.
Before causing damage or potential damage: Stop, report what you've found and request additional testing permission.
Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).
Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
Social engineering (e.g. phishing, vishing, smishing) is prohibited.
Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.
Scripted / API tests must be rate limited to 1 request per second.
Please see the structured bounty table. Our bounty table provides general guidelines, and all final decisions are at the discretion of DataStax.
When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:
Email spoofing, including issues related to SPF, DKIM or DMARC.
Directory listing on the download server
Clickjacking on pages with no sensitive actions.
Unauthenticated/logout/login CSRF.
Attacks requiring MITM or physical access to a user's device.
Previously known vulnerable libraries without a working Proof of Concept.
Comma Separated Values (CSV) injection without demonstrating a vulnerability.
Missing best practices in SSL/TLS configuration.
Any activity that could lead to the disruption of our service (DoS).
Content spoofing and text injection issues without showing an attack vector / without being able to modify HTML/CSS.
Self-XSS.
Enumeration or indirect availability of otherwise free course-ware.
Code or configuration files without an associated POC for in-scope assets.
Astra roles / role documentation (under review)
Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
Thank you for helping keep DataStax and our users safe!
| Scope Type | Scope Name |
|---|---|
| application | DSE, Opscenter |
| web_application | https://docs.datastax.com/ |
| web_application | https://downloads.datastax.com |
| web_application | https://www.datastax.com/ |
| web_application | https://astra.datastax.com |

| Scope Type | Scope Name |
|---|---|
| web_application | https://academy.datastax.com/ |
| web_application | https://community.datastax.com |
| web_application | https://*cla.datastax.com/ |
This program was found on HackerOne on 2019-12-13.
FireBounty © 2015-2025