supernav-iconEnhance Security & Compliance Posture Using A Risk Management Framework

Contact Sales

  • Sign In
  • Get Started
HomeResponsible Disclosure Policy

Responsible Disclosure Policy

Effective Date: July 12, 2024


Reporting Security Vulnerabilities to Drata

Drata aims to keep its Services safe for everyone, and data security is of utmost priority. If you are a security researcher and have discovered a security vulnerability in Drata’s Services, websites, or systems, we appreciate your help in disclosing it to us in a responsible manner.

Our responsible disclosure process is hosted by HackerOne’s bug bounty program and is currently an invite-only program. Vulnerabilities submitted using only the appropriate channel may be eligible for a reward.

To request an invite to disclose a finding to our team, please email our security team at security+bugbounty@drata.com. Once invited to the program, you can access our program to report any security vulnerabilities.

The full bug bounty program rules can be found on our HackerOne page. A few key rules to be aware of before joining that if violated may disqualify you from participation in our bug bounty program:

  • Accessing any customer data is strictly prohibited.

  • Accessing any Drata internal data is strictly prohibited.

  • Submit only one vulnerability at a time unless vulnerabilities are chained together to demonstrate impact.

  • When duplicate submissions occur, we award only the first reproducible report received.

  • Multiple vulnerabilities having a single underlying root cause will be awarded singularly.

  • Social engineering (e.g. phishing, vishing, smishing) is prohibited.

  • Bounty reward amounts are based on severity and are at the discretion of the Drata Security team.

  • Privacy violations, destruction of data, and interruption of degradation of our service must be avoided. You must only use accounts you own or have the explicit permission of the account owner.

  • Results matching findings from SSL/TLS testing sites, Security Score sites, or similar will not be eligible for bounty.The following issues are considered out of scope:

    • Clickjacking on pages with no sensitive actions.

    • Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions.

    • Previously known vulnerable libraries without a working Proof of Concept.

    • Any activity that could lead to the disruption of our service (DoS).

    • Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.

    • Missing best practices in Content Security Policy.

    • Missing email best practices (for example, invalid, incomplete or missing SPF/DKIM/DMARC records).

    • Vulnerabilities affecting users of outdated or unpatched browsers.

    • Public Zero-day vulnerabilities that have had an official patch available for less than 1 month will be awarded on a case-by-case basis.

    • Open redirect (without additional security impact demonstrated).

Drata is a security and compliance automation platform that continuously monitors and collects evidence of a company’s security controls, while streamlining workflows to ensure audit-readiness.

Solutions

StartupScaleEnhanceDrata PlatformIntegrations
Frameworks
SOC 2ISO 27001HIPAAGDPRNIST AI Risk ManagementFedRAMPCustom FrameworksAll Frameworks
Resources
BlogEventsWebinarsReportsSOC 2 HubISO 27001 HubProduct UpdatesCompliance GlossaryAPI Documentation
Company
Careers
HIRING
CustomersAuditorsPartnersPressContact UsLegal
Trust
Security and ComplianceTrust CenterSystem Status
Become a Trusted Newsletter Insider

The latest security and compliance news, delivered.

© 2024 Drata Inc. All rights reserved.

Privacy NoticeLegal