Chronosphere Responsible Disclosure

Security is a top priority for Chronosphere, and we believe that working with skilled security researchers can identify weaknesses in any technology.

If you believe you’ve found a security vulnerability in Chronosphere’s service, please do not hesitate to notify us; we will work with you to resolve the issue promptly.

Rules of Engagement

Please email details of the vulnerability finding, including information needed to reproduce and validate the vulnerability, to [email protected].

Do not attempt to conduct post-exploitation, including modification or destruction of data, or cause interruption or degradation of Chronosphere services.

Do not attempt to perform brute-force attacks, denial-of-service attacks, compromise, or testing of Chronosphere accounts that are not your own.

Do not attempt to target Chronosphere employees or customers using methods such as social engineering attacks, phishing attacks, and/or physical attacks.

Do not use automated scanners/tools that are not actively monitored or that are not targeted at evaluating specific vulnerabilities or potential exploits.

Do not intentionally view, store, modify, or destroy data that does not belong to you.

You commit to promptly returning or destroying all copies of confidential information and related notes upon Chronosphere's request.

Provide us with a reasonable amount of time to resolve the issue before disclosing it to the public or a third party. We aim to respond to critical issues within 5 business days and resolve them within 30 days.

Exclusions

The following vulnerabilities are out of scope. As a result, please refrain from testing and reporting:

Distributed Denial of Service (DDoS) or Denial of Service (DoS)

Spamming

Social engineering or phishing of Chronosphere employees or contractors

Any attacks against Chronosphere’s physical property or data centers

DMARC and SPF records

Content spoofing/text injection

Missing HTTP security headers

Missing cookie flags on non-sensitive cookies

Vulnerabilities only affecting users of outdated or unpatched browsers and platforms

Security best practices (e.g., security headers, etc.)

Thank you for helping to keep Chronosphere and our users safe!

Changes

We reserve the right to revise these guidelines from time to time. The most current version of the guidelines will be available at https://chronosphere.io/disclosure.

Contact

Chronosphere is always open to feedback, questions, and suggestions. If you would like to talk to us, please feel free to email us at [email protected].