Responsible Disclosure of Security Vulnerabilities
If you've discovered a security vulnerability, we appreciate your help in
disclosing it to us in a responsible manner.
- How to Disclose a Vulnerability
  - If you've discovered a security concern, please email us at
    disclosing a vulnerability can put the entire community at risk.
  - We appreciate your assistance and will happily offer recognition
    for submissions of security bugs.
  - Please include:
    - A summary of the problem
    - A sequence of steps that can be used to reproduce the problem
    - How you would prefer to be attributed on this page
  - We'll work with you to make sure that we understand the scope of
    the issue and that we fully address your concern. We consider
    correspondence sent to firstname.lastname@example.org
    our highest priority and work to address any issues as quickly as possible.
  - Please act in good faith towards our users' privacy and data during your
    disclosure. We won't take legal action against you or administrative action
    against your account if you act accordingly. White hat researchers are
- What does not qualify?
  - Bugs, such as XSS, that only affect legacy browser/plugin
  - Bugs, such as timing attacks or page content checks, that
    prove the existence of an account owner.
  - Disclosure of public information and information that does not
    present significant risk.
  - Bugs that have already been submitted by another user or that
    we are already aware of.
  - Bugs in content/services that are not owned/operated by
    Librato. This includes the Librato blog (blog.librato.com),
    support site (support.metrics.librato.com), live chat
    (chat.librato.com) and any other third party service.
  - Vulnerabilities that Librato determines to be an accepted
- Rules for participation
  - Don’t attempt to gain access to another user’s account or
  - Don’t perform any attack that could harm the
    reliability/integrity of our services or data. DDoS/spam
    attacks are not allowed.
  - Don’t publicly disclose a bug before it has been fixed.
  - Only test for vulnerabilities on sites you know to be operated
    by Librato. Some sites hosted on subdomains of librato.com are
    operated by third parties.
  - Don’t use scanners or automated tools to find
    vulnerabilities. They’re noisy.
  - Never attempt non-technical attacks such as social
    engineering, phishing, or physical attacks against our
    employees, users, or infrastructure.
  - When in doubt, email us.
- Thank you so much to users who have responded with responsible
- We appreciate your help in keeping the Librato community
- Last Updated: April 3, 2017