DataStax

DataStax provides enterprise organizations with hybrid and multi-cloud data architectures. DataStax looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.

  • due to the effect of scanners on the target, is not currently eligible for bounties *

Response Targets

DataStax will make a best effort to meet the following response targets for hackers participating in our program:

  • Time to first response (from report submit) - 2 business days
  • Time to triage (from report submit) - 2 business days
  • Time to bounty (from triage) - 14 business days

We’ll try to keep you informed about our progress throughout the process.

Disclosure Policy


Automated Scanning Prohibited

  • Where possible, register accounts using your addresses.
  • Provide your IP address in the bug report. We will keep this data private and only use it to review logs related to your testing activity.

Include a custom HTTP header in all your traffic. Burp and other proxies allow the easy automatic addition of headers to all outbound requests. Report to us what header you set so we can identify it easily. For example:

  • A header that includes your username: X-Bug-Bounty:HackerOne-
  • A header that includes a unique or identifiable flag X-Bug-Bounty:ID-

When testing for a bug, please also keep in mind:

Minimize the mayhem. Adhere to program rules at all times. Do not use automated scanners/tools - these tools include payloads that could trigger state changes or damage production systems and/or data.

Before causing damage or potential damage: Stop, report what you've found and request additional testing permission.

Program Rules

  • Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
  • Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
  • When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).
  • Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
  • Social engineering (e.g. phishing, vishing, smishing) is prohibited.
  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.
  • Scripted / API tests must be rate limited to 1 request per second.


Please see the structured bounty table. Our bounty table provides general guidelines, and all final decisions are at the discretion of DataStax.

Out of scope vulnerabilities

When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:

  • Email spoofing issues, including those related to SPF, DKIM or DMARC
  • Directory listing on the download server
  • Clickjacking on pages with no sensitive actions.
  • Unauthenticated/logout/login CSRF.
  • Attacks requiring MITM or physical access to a user's device.
  • Previously known vulnerable libraries without a working Proof of Concept.
  • Comma Separated Values (CSV) injection without demonstrating a vulnerability.
  • Missing best practices in SSL/TLS configuration.
  • Any activity that could lead to the disruption of our service (DoS).
  • Content spoofing and text injection issues without showing an attack vector or without being able to modify HTML/CSS.
  • Self-XSS
  • Enumeration or indirect availability of otherwise free course-ware
  • Code or configuration files without an associated POC for in scope assets

Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

Thank you for helping keep DataStax and our users safe!

In Scope

Scope Type Scope Name

  • DataStax Enterprise (DSE) [Server, Analytics, Graph, Search]
  • Studio
  • Loss of availability, confidentiality, or integrity of the data from unauthenticated side-channel or protocol attacks on the DSE server (attacks on the native or storage ports)
  • Privilege escalation, or loss of tenancy within CQL
  • JMX related vulnerabilities
  • DDoS attacks using large or high throughput payloads



Out of Scope

This program was found on HackerOne on 2019-12-13.

FireBounty © 2015-2020
