THIS PROGRAM DOESN'T REQUIRE H1 VPN
Databricks looks forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe.
Databricks will make a best effort to meet the following SLAs for hackers participating in our program:
Time to first response (from report submit) - 5 business days
Time to triage (from report submit) - 10 business days
Time to bounty (from triage) - 10 business days
Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).
Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
Performing social engineering (e.g. phishing, vishing, smishing) is prohibited. However, finding technical flaws that can be used for social engineering (e.g. spoofing, tampering) is allowed.
Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.
Only interact with accounts you own or with explicit permission of the account holder.
All reports must be rated using the CVSS v3.0 calculator.
Every valid finding submitted to the program is welcome and rewarded. To focus attention on the areas we consider most critical for our customers, this program pays an additional 25% bounty for the following categories of vulnerabilities found in our main testing site (extended program assets are not included):
Privilege Escalation
Insecure Direct Object Reference (IDOR)
Improper Access Control
Also, a $3000 reward is guaranteed to anyone able to break out of our current cluster container (LXC) and execute privileged commands in adjacent LXC containers or on the host OS.
Databricks is a Remote Code Execution environment, thus most instances of RCE are considered to be part of the product, and not vulnerabilities. Please do not report remote code execution unless you believe it is either unintended, or violates the security guarantees of the platform.
Notebooks execute as root and all cluster access is root - this is expected. There are no security boundaries within a cluster.
Please be aware the Databricks product allows launching of Spark clusters on Azure, and these clusters cost us money to run. Please be mindful of this and do not create excessive clusters.
Please follow the cluster configuration shown in the program's attached image ({F254952}) when creating new clusters.
When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:
Known vulnerabilities in third-party/open-source libraries will be eligible for a bounty only if a working exploit is provided. Reports of libraries that need to be patched will still be accepted, but not rewarded with a bounty unless an exploit is provided.
Running your own web server on the cluster to create exploits - we are aware of this.
Installing malicious software on services on clusters.
Clickjacking on pages with no sensitive actions.
Unauthenticated/logout/login CSRF.
Attacks requiring MITM or physical access to a user's device.
Previously known vulnerable libraries without a working Proof of Concept.
Comma Separated Values (CSV) injection without demonstrating a vulnerability.
Missing best practices in SSL/TLS configuration.
Any activity that could lead to the disruption of our service (DoS or DDoS).
Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.
Azure Portal
Thank you for helping keep Databricks and our users safe!
Databricks extended bounty program:
===========================
Databricks is expanding the H1 program not only to our core application but to a number of services.
Any disruption testing is forbidden. These are production hosts. The following activities are prohibited:
Network scanning
Passive scanning
DNS scanning
Active vulnerability finding (i.e. creating fake accounts, sending requests that could change the internal state of a service, etc.)
Clickjacking on pages with no sensitive actions.
Unauthenticated/logout/login CSRF.
Attacks requiring MITM or physical access to a user's device.
Previously known vulnerable libraries without a working Proof of Concept.
Any activity that could lead to the disruption of our service (DoS or DDoS).
Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.
Azure Portal
Scope Type | Scope Name |
---|---|
web_application | databricks.com |
web_application | https://dbc-a1ba5468-749b.staging.cloud.databricks.com,https://community.cloud.databricks.com/ |
web_application | connect.databricks.com,databricks-staging-cloudfront.staging.cloud.databricks.com,docs-admin.databricks.com,docs-user.databricks.com,e.databricks.com,go.databricks.com,go.dev.databricks.com,homebrew-tap.dev.databricks.com,ideas.staging.databricks.com,info.databricks.com,it.corp.databricks.com,ok.databricks.com,pages.databricks.com,partnermarketing.databricks.com,signup.cloud.mrkt.databricks.com,signup.dev.mrkt.databricks.com,ssh.databricks.com,ssh.spark-summit.org,staging.spark-summit.org,tools.sec-sf.databricks.com,training.databricks.com,uberlyft-ns.dev.databricks.com,waf-test.corp.databricks.com,academy.databricks.com,accounts.cloud.databricks.com,databricks-prod-cloudfront.cloud.databricks.com,delta.io,demo.cloud.databricks.com,docs.cloud.databricks.com,docs.databricks.com,docs.delta.io,files.training.databricks.com,ftp.databricks.com,go.corp.databricks.com,gw1-ap.corp.databricks.com,gw1-eu.corp.databricks.com,gw1-us.corp.databricks.com,gw2-us.corp.databricks.com |
web_application | help.corp.databricks.com,help.databricks.com,ideas.databricks.com,kb.azuredatabricks.net,kb.databricks.com,maintenance.databricks.com,partners.databricks.com,pgg11o.hubspot.databricks.com,preferences.databricks.com,sophos.corp.databricks.com,spark-portal.org,spark-summit.com,spark-summit.org,sparkhub.databricks.com,support.databricks.com,unsubscribe.corp.databricks.com,vpn-us.corp.databricks.com,www.databricks.com,www.sparkhub.databricks.com |
Scope Type | Scope Name |
---|---|
web_application | feedback.databricks.com |
web_application | go.databricks.com |
web_application | *.cloud.databricks.com |
web_application | *.azuredatabricks.net |
web_application | forums.databricks.com |
web_application | Other subdomains of *.azuredatabricks.net and other ‘o’ parameters |
This program was found on HackerOne on 2022-02-02.
FireBounty © 2015-2024