At Domo, we are dedicated to the protection of customer data, our confidential data, and enabling trust across the board. We recognize that security researchers play a very important role in helping us keep Domo and our customers secure. To encourage and streamline the process of responsible reporting of potential security vulnerabilities, the Domo security team is committed to working with security researchers to validate, reproduce and respond to legitimate reports.
If you responsibly submit a vulnerability report, the Domo security team will promptly respond to acknowledge receipt of your vulnerability report. We will also provide an estimated time frame for addressing the reported vulnerability and will notify you when the vulnerability has been resolved.
Domo will not initiate legal action against researchers for penetrating or attempting to penetrate our systems as long as that activity is conducted in accordance with the guidelines listed below. We request that the security community give us an opportunity to fix the reported vulnerabilities before releasing information with/to any third parties.
If you wish to report any suspected vulnerability, please privately share full details of the suspected vulnerability by sending an email to security@domo.com. By including all relevant information in your report, you will enable the Domo security team to validate and reproduce the issue and resolve it in a timely manner.
Please do:
- Privately share the potential security vulnerability with Domo before disclosing to third parties or publicly;
- Provide full step-by-step details on the reported security vulnerability and the details of the technology involved so that it can be reproduced and validated by Domo to apply the fix;
- Wait for confirmation from the Domo security team that the reported security vulnerability has been remediated. Since some vulnerabilities take longer than others to resolve, it is important to have an open line of communication and to establish expectations on the timing of remediation;
- Report all vulnerabilities that fall within OWASP Top 10 vulnerability categories;
- Report all other vulnerabilities with demonstrated impact to Domo or Domo customer security, including any disclosure of sensitive data.
Please do not:
- Do or fail to do anything that may cause potential or actual harm to Domo or Domo customers, systems, users or applications;
- Exploit a security issue you discover;
- Access or attempt to access any sensitive data;
- Attempt to demonstrate additional compromise of sensitive data or probe for additional issues;
- Execute or attempt to execute any DoS, spam, brute-force or similar types of attack, or any other testing that may impact the confidentiality, integrity or availability of Domo systems or data;
- Conduct any kind of physical, electronic or social engineering types of attack on Domo personnel, contractors, property or data centers;
- Report any low-impact vulnerabilities such as issues related to password/credential strength, length, lockouts, or lack of brute-force/rate-limiting protections; low-impact CSRF (add/delete from cart, non-severe preference options, etc.); low-impact information disclosures (such as software version disclosures); missing cookie flags; use of a known-vulnerable library which leads to a low-impact vulnerability; etc.;
- Violate any law or breach any agreements in order to discover security vulnerabilities.