At ThoughtSpot, fostering relationships with our customers based on trust is of utmost importance. We believe that privacy is a fundamental right and our customer’s privacy and security are always top priorities.
At ThoughtSpot, we take cybersecurity seriously and value the contributions of the security community at large. The responsible disclosure of potential vulnerabilities helps us ensure the security and privacy of our customers and their data. All potential vulnerabilities submitted must include enough information to reproduce and validate the issue. Documentation should include a detailed summary of the issue, targets, steps performed, screenshots, tools utilized, and any information that will help replicate the potential weakness during triage.
We request that the security community give us an opportunity to fix the reported vulnerabilities before releasing information with/to any third parties. ThoughtSpot will not pursue legal action against those researchers that follow the below guidelines and responsibly disclose any security vulnerabilities directly to ThoughtSpot. ThoughtSpot reserves all legal rights in the event of noncompliance with these program guidelines.
Do not engage in any activity that can potentially or actually cause harm to ThoughtSpot, our customers, or our employees.
Do not engage in any activity that can stop or degrade ThoughtSpot services or assets.
Do not exploit vulnerabilities, e.g., by downloading/accessing more data than is needed to demonstrate the vulnerability, looking into third-party data, deleting, or modifying data. If a vulnerability provides unintended access to data, do not access the data beyond the minimum extent necessary to effectively demonstrate the presence of a vulnerability. If you encounter any high-risk data during testing, such as Personally Identifiable Information (PII), Protected Health Information (PHI), credit card data, or other confidential information, cease testing and submit a report immediately.
Do not store, share, compromise, or destroy ThoughtSpot or any ThoughtSpot data. If Personally Identifiable Information (PII) is encountered, you should immediately halt your activity, purge related data from your system, and immediately contact ThoughtSpot ([email protected]). This step protects any potentially vulnerable data, and you.
Do not engage in any activity that violates: (a) federal or state laws or regulations; or (b) the laws or regulations of any country where (i) data, assets or systems reside, (ii) data traffic is routed or (iii) the researcher is conducting research activity.
All information relating to vulnerabilities that you become aware of through the Responsible Disclosure Program is considered confidential ("Confidential Information"). You agree to refrain from disclosing Confidential Information publicly or to any third party and that any ThoughtSpot information that you may encounter, view, acquire, or access, is owned by ThoughtSpot or its customers, clients, or third party providers. You have no rights, title, or ownership in any such information. You agree to honor any request from our Information Security Team to promptly return or destroy all copies of Confidential Information and all notes related to the Confidential Information.
Any testing or reporting you undertake constitutes your agreement to all terms and conditions of the program.
The following classes of vulnerabilities are of particular interest to us, and are eligible for attribution upon review:
Remote Code Execution (RCE).
XML External Entity Injection (XXE).
Sensitive information leaks.
Cross-site scripting (XSS).
Cross-site request forgery (CSRF).
Other vulnerabilities upon the sole discretion of ThoughtSpot.
The following is a partial list of issues that we ask for you not to report, unless you believe there is an actual vulnerability:
CSRF configuration issue without exploitable proof of concept.
Missing security headers which do not directly lead to a vulnerability.
Vulnerabilities in third party components, depending on severity and exploitability.
Rate Limit on emails sent during sign-up, sign-in, and change email confirmations.
Previous email login links not invalidated in the event multiple login links are requested.
EXIF not stripped from uploads, unless discoverable outside of the workspace.
Denial of Service (DOS) and rate limiting issues.
Bugs requiring exceedingly unlikely user interaction.
Social engineering attacks.
Flaws affecting the users of out-of-date browsers and plugins.
Enumeration or information disclosure of non-sensitive information.
Enumeration of information within the context of a single workspace.
Lack of input validation without exploitable proof of concept.
Email bombing and flooding.
Email security configurations - SPF, DKIM, DMARC.
Please submit any inquiries or submissions via [email protected]. Any unauthorized activity outside the terms of this program may be subject to legal action pursuant to applicable laws and company policies. If, at any time, you have concerns or are uncertain whether your security research is consistent with the terms of this program, stop testing and contact [email protected].
Email communication between you and ThoughtSpot, including without limitation, emails you send to ThoughtSpot reporting a potential security vulnerability, should not contain any of your proprietary information. The contents of all email communication you send to ThoughtSpot shall be considered non-proprietary. ThoughtSpot, or any of its affiliates, may use such communication or material for any purpose whatsoever, including, but not limited to, reproduction, disclosure, transmission, publication, broadcast, and further posting. Further, ThoughtSpot and its affiliates are free to use any ideas, concepts, know-how, or techniques contained in any communication or material you send to ThoughtSpot for any purpose whatsoever, including, but not limited to, fixing, developing, manufacturing, and marketing products. By submitting any information, you are granting ThoughtSpot a perpetual, royalty-free and irrevocable right and license to use, reproduce, modify, adapt, publish, translate, distribute, transmit, publicly display, publicly perform, sublicense, create derivative works from, transfer and sell such information.