
SignalFx Responsible Vulnerability Disclosure Program

The below only applies to SignalFx bug submissions.
All other Splunk bug submissions are handled by Splunk's separate disclosure program.

We are a dedicated team of engineers committed to delivering an outstanding SaaS monitoring and analytics platform in a safe and secure way. To achieve our mission, we would like to partner with the security research community and build a relationship that grows stronger over time.


SignalFx's Responsible Disclosure program does not offer monetary rewards outside of our Private Program on Bugcrowd.


SignalFx Responsible Vulnerability Disclosure Program covers almost everything under the following domain:

  • *

However, the following is excluded from our program:

Third-party websites – Some components and services of SignalFx are either hosted or operated by our vendors or partners (an example would be We can’t authorize you to test such components and services on behalf of their owners and will not reward any such reports. If you are unsure whether a domain is in scope, please reach out to us.

In scope vulnerabilities include, but are not limited to:

  • Remote Code Execution (RCE)
  • SQL injection, XML injection, and other injection vulnerabilities
  • Cross Tenant Data Leak
  • Disclosure of sensitive or personally identifiable information (PII)
  • Authentication and Authorization vulnerabilities
  • Cross-Site Scripting (XSS)
  • Cross-Site Request Forgery (CSRF) for sensitive functions
  • Directory traversal
  • Security misconfigurations with a severe impact (evaluated on a case-by-case basis)



Out of scope vulnerabilities include but are not limited to:

  • Attacks involving stolen credentials or physical access to endpoint devices
  • Automated scan reports (without an exploitable PoC)
  • Content Spoofing Vulnerabilities
  • Denial of Service (DoS)
  • DLL hijacking (without escalation of privileges)
  • DNS configuration related issues
  • Host Header Injection (without providing an exploitable scenario)
  • HTTP TRACE method enabled
  • Issues present only in older versions of browsers, plugins or any other software
  • Low Impact CSRF issues, including but not limited to: Login and Logout CSRF
  • Low Severity Clickjacking Vulnerabilities
  • Man-in-the-middle (MITM) attacks
  • Missing Rate Limiting Protections (unless corresponding to authentication flow)
  • Missing SPF/DKIM/DMARC policies
  • Missing security headers and cookie flags that cannot be exploited on their own (for example Strict-Transport-Security, HttpOnly)
  • Registering multiple accounts by using or manipulating the same email address
  • Physical attacks against SignalFx offices and property
  • Reflected File Download
  • Self-XSS (an XSS report must show that other users can be attacked)
  • Server configuration-related issues
  • Social engineering and phishing attacks
  • Spam e-mail (missing rate limiting protections)
  • SSL/TLS issues related to configuration, protocol version, or weak ciphers (without a working exploit)
  • Uploading files with a different extension than specified
  • Use of a vulnerable 3rd party library/code snippet (without providing an exploitable scenario)
  • User enumeration/brute forcing (for example Login and Forgot Password page)
  • Vulnerabilities exploitable only on unsupported or outdated browsers, frameworks, and platforms
  • Weak password policies and unverified email addresses
  • Any other submission assessed to be of low risk or impact


Bug Submission Requirements

Please submit your report to

To be eligible for the Bug Bounty, a submission must include the following:

  • Full description of the vulnerability being reported, including the exploitability and impact
  • Steps to replicate
  • Supporting evidence such as:
    • Screenshots
    • Traffic logs
    • Web/API requests and responses
    • IP address used for testing
    • Email address or user ID of any test accounts