Responsible Disclosure of Security Vulnerabilities

If you've discovered a security vulnerability, we appreciate your help in disclosing it to us in a responsible manner.

How to Disclose a Vulnerability
If you've discovered a security concern, please email us at
Publicly disclosing a vulnerability can put the entire community at risk.
We appreciate your assistance and will happily offer recognition for submissions of security bugs.
Please include:
  • A summary of the problem
  • A sequence of steps that can be used to reproduce the problem
  • How you would prefer to be attributed on this page
We'll work with you to make sure that we understand the scope of the issue, and that we fully address your concern. We consider correspondence sent to our highest priority and work to address any issues as quickly as possible.
Please act in good faith towards our users' privacy and data during your disclosure. We won't take legal action against you or administrative action against your account if you act accordingly. White hat researchers are always appreciated.
What does not qualify?
  • Bugs, such as XSS, that only affect legacy browser/plugin versions.
  • Bugs, such as timing attacks or page content checks, that prove the existence of an account owner.
  • Disclosure of public information and information that does not present significant risk.
  • Bugs that have already been submitted by another user or that we are already aware of.
  • Bugs in content/services that are not owned/operated by Librato. This includes the Librato blog, support site, live chat and any other third-party service.
  • Vulnerabilities that Librato determines to be an accepted risk.
Rules for participation
  • Don’t attempt to gain access to another user’s account or data.
  • Don’t perform any attack that could harm the reliability/integrity of our services or data. DDoS/spam attacks are not allowed.
  • Don’t publicly disclose a bug before it has been fixed.
  • Only test for vulnerabilities on sites you know to be operated by Librato. Some sites hosted on subdomains of are operated by third parties.
  • Don’t use scanners or automated tools to find vulnerabilities. They’re noisy.
  • Never attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.
When in doubt, email us.
Thank you so much to users who have responded with responsible disclosures.
We appreciate your help in keeping the Librato community safe!





Last Updated: May 19, 2017