Graylog Security Disclosure Policy

At Graylog, Inc., we are committed to the security of our systems, software and services. We value the contributions of the security community in helping us protect our users and data. If you believe you have discovered a vulnerability in our systems, we encourage you to report it responsibly.

Scope

This policy applies to:

  • All public-facing websites and applications operated by Graylog, Inc.
  • Any services or APIs explicitly owned and managed by Graylog, Inc.
It does not apply to:

  • Third-party services or platforms not operated by us.
  • Physical security issues.
  • Social engineering attacks (e.g., phishing our employees).

Reporting Guidelines

If you discover a security vulnerability, please:

  1. Report it promptly to us by emailing [email protected].
  2. Provide a clear description of the issue, including steps to reproduce, potential impact, and any relevant proof-of-concept.
  3. Avoid publicly disclosing the issue until we have confirmed and resolved it.
  4. Act in good faith and do not access, modify, or destroy data that does not belong to you.

Prohibited Activities

When testing, you must not:

  • Engage in denial-of-service (DoS/DDoS) attacks.
  • Exploit the vulnerability beyond what is necessary to demonstrate it.
  • Access or exfiltrate personal data, confidential information, or intellectual property.
  • Conduct phishing, spam, or social engineering campaigns against our users or staff.
  • Distribute malware or other software used to compromise systems or exfiltrate data.

What We Commit To

  • We will acknowledge your report within 5 business days.
  • We will provide updates on remediation progress.
  • We will notify you once the vulnerability has been resolved.
  • If you follow this policy, we will not pursue legal action against you for your research.

Recognition

We appreciate and recognize contributions that help improve the security of our systems. While we do not currently operate a paid bug bounty program, we may offer public acknowledgment to researchers who responsibly disclose valid issues. We may also provide limited compensation in the form of our choosing should we deem the contribution worthy of such compensation.

Safe Harbor

When conducting vulnerability research within the guidelines of this policy:

  • We consider such research to be authorized and will not initiate legal action against you.
  • We will not pursue legal action if your research is conducted in good faith, without malicious intent, and within the boundaries described in this policy.
  • If a third party initiates legal action against you in connection with activities conducted under this policy, we will make it clear that your actions were conducted in compliance with our Security Disclosure Policy.

Contact

Please send all vulnerability reports to:
[email protected]

If you need to encrypt sensitive information, please use our PGP key, which is available from the pgp-key.txt file linked in the security.txt file on our main web site.