If you think you have found a security vulnerability, please send us a report. We prefer reports via our Bug Bounty program, but also accept reports via email. Any of Grafana Labs' open source and commercial products (including but not limited to Grafana, Grafana Cloud, Grafana Enterprise, and grafana.com) are in scope.
To submit a bug bounty report, see our Intigriti program page.
Note that you must create an account on Intigriti to submit a report. The program page contains information on what is and is not in scope, as well as the reward structure. Only reports via Intigriti are eligible for a reward.
Important: We ask you to not disclose the vulnerability before it have been fixed and announced, unless you received a response from the Grafana Labs security team that you can do so.
Please note that reports sent over email are not eligible for a reward. If you want to be eligible for a reward, please submit your report via our preferred method, the Bug Bounty program.
To send us a report over email, contact us at [email protected]. We will only accept vulnerability reports at this address; if you are looking for other security information, please contact our support team on our website.
Please encrypt your message to us; please use our PGP key. The key fingerprint is:
225E 6A9B BB15 A37E 95EB 6312 C66A 51CC B44C 27E0
The key is available from keyserver.ubuntu.com.
Grafana Labs will send you a response indicating the next steps in handling your report. After the initial reply to your report, the security team will keep you informed of the progress towards a fix and full announcement, and may ask for additional information or guidance.
Important: We ask you to not disclose the vulnerability before it have been fixed and announced, unless you received a response from the Grafana Labs security team that you can do so.
We will post a summary, remediation, and mitigation details for any patch containing security fixes on the Grafana blog. The security announcement blog posts will be tagged with the security tag.
You can also track security announcements via the RSS feed.