[{"id":3775372,"new_policy":"As part of Databricks’ commitment to security, we reward security researchers who find and report to us critical security vulnerabilities and help us keep our business and customers safe. By participating in this program, you are agreeing to the Databricks [terms and conditions](#user-content-terms-and-conditions).\n\nCreating your Databricks Accounts\n=================\n\n**Free Edition**: [Sign up here](https://login.databricks.com/?dbx_source=docs\u0026intent=CE_SIGN_UP) for a personal workspace. This edition has [specific limitations](https://docs.databricks.com/aws/en/getting-started/free-edition-limitations/), such as the absence of Scala and custom compute.\n**Enterprise Workspace**: To test features not available on Free Edition, use the HackerOne Request Credential button. You will be invited to a managed workspace.  Note: You will not have administrative privileges in this environment.\n\n* For both starting points, your home page will show different resources and video links. These can help you become familiar with the complicated Databricks environment.\n* For further information on using Databricks, please visit https://docs.databricks.com/.\n* Databricks Architecture Overview: https://docs.databricks.com/en/getting-started/overview.html\n* Databricks Product Walkthroughs for Researchers - F3696045\n\nGeneral Program Rules\n==============\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n* Only interact with accounts you own or with express written permission of the account holder. Our security team is here to support your research and collaborate with you.\n* Use your best judgment to avoid unintentional access to customer information. 
As part of your research, do not modify any files or user or customer data, including permissions, and do not intentionally view or access any data beyond what is needed to prove the vulnerability.\n* Contact us immediately if you inadvertently encounter user or customer data, and immediately and securely purge any data belonging to anyone other than you that you acquire upon reporting the vulnerability to Databricks.\n* Do not disclose your report or the vulnerability without prior express written permission from Databricks.\n* **Conduct your research and reporting through your HackerOne account, including any accounts you create for testing,** so all of your activity stays tied to your researcher identity.\n* **Keep email correspondence tied to your account as well** (`\u003cyour-username\u003e@wearehackerone.com`). When you contact us in another way, we have no reliable way to verify your identity.\n\nReport and Reward Guidelines\n=======================\n* When reporting, submit only one vulnerability per report, unless you need to chain vulnerabilities to provide impact or demonstrate the issue. \n* If an issue requires the execution of multiple exploits, the chain and the report must include both compiled and source versions, everything needed to execute the chain, and a sample non-destructive payload, if needed. \n* Cross-Site Scripting (XSS) vulnerabilities, including those demonstrated to enable one-click Account Takeover (ATO), will generally be triaged as High Severity because they require user interaction and typically impact only a single user session. The role of the targeted user does not, by itself, increase severity.\n\nTechnical Details\n-----------------\n* Databricks is a Remote Code Execution environment, thus most instances of RCE are considered to be part of the product, and not vulnerabilities. 
Please do not report remote code execution unless you believe it is either unintended, or violates the security guarantees of the platform.\n* Notebooks execute as root and all cluster access is root - this is expected. There are no security boundaries within a cluster.\n* Please be aware the Databricks product allows launching of Spark clusters on Azure, and these clusters cost us money to run. Please be mindful of this and do not create excessive clusters.\n* Databricks AI assistive features that return information easily findable via search engines are not vulnerabilities, and reports of such outputs are not eligible for bounty.\n\nOpen source projects\n----------------------\n| Project | Details | \n| ---- | ---- |\n| Apache Spark | Apache Software Foundation is the Official Owner / Maintainer of Apache Spark.  Please follow their [security guidelines](https://spark.apache.org/security.htm) for vulnerabilities involving Apache Spark. | \n| MLFlow |  Databricks Managed MLFlow differs from its open-source cousin.  Please report issues with Databricks Managed MLFlow to this program and issues with open source MLFlow via their [security page](https://github.com/mlflow/mlflow/security). |\n| Redash |  Redash is an open source project owned by the community.  Please refer to their [security policy](https://github.com/getredash/redash/security) to report issues with Redash. |\n\n# Terms and Conditions\n**Applicable Laws.** You must comply with all applicable laws, including local laws of the country or region in which you reside or in which you access or use Databricks services. \n**Bounty.** Databricks bug bounties are granted solely at Databricks’ discretion.\n**Data.** Your testing must not violate any law, or disrupt, compromise or damage data or property that is not your own. 
This includes attacking any devices or accounts other than your own (or those for which you have express written permission) and using social engineering (e.g., phishing, vishing, smishing) techniques. However, finding technical flaws that can be used for social engineering, such as spoofing or tampering, is allowed.\n**Finances.** You are responsible for any tax implications depending on your country of residency and citizenship. There may be additional restrictions on your ability to participate depending upon your local law.\n**General Eligibility \u0026 Sanctions.** We are unable to issue rewards to individuals who are employed by Databricks, Inc.; are an immediate family member of a person employed by Databricks, Inc.; or are under 18 years of age.  We are also unable to issue rewards to individuals who are in any U.S. embargoed countries or on the U.S. Department’s list of Specially Designated Nationals or the U.S. Department of Commerce Denied Persons List or Entity List or any other restricted party lists.\n**Research.** Immediately stop your research and notify Databricks using the reporting process before any of the following occur:\n* You access any accounts or data other than your own (or those for which you have express written permission from their owners)\n* You disrupt any Databricks service\n* You access a non-customer facing Databricks system. \n\nIf you have already accessed data other than your own, and acquired it, contact us immediately, and securely purge any data you have acquired upon reporting the vulnerability to Databricks.\n","has_open_scope":true,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"The Databricks team is thrilled to invite the security research community to test the resilience of our unified data and AI platform. 
As fellow hackers and builders, we deeply respect the grit and ingenuity required to find impactful vulnerabilities. We are committed to treating every researcher with professional respect while valuing your time and effort! The Databricks Platform is inherently complex, so we encourage you to roll up your sleeves and dig deep! \n\nIn addition to our Program Highlights, we commit to:\n* Treating every researcher with professional respect, valuing your time and effort, and communicating openly.\n* Providing Testimonials for reports that are Critical, High, or exceptionally creative.\n* Offering retests for reports where retesting makes sense.\n\nPlease don't hesitate to contact us if you have any questions getting started or along the way: bugbounty@databricks.com. We look forward to rewarding your good findings soon!","platform_standards_exclusions":[],"exemplary_standards_exclusions":["LEAKED_CREDENTIALS"],"scope_exclusions":["{\"category\":\"Automated Reports\",\"details\":\"Sending vulnerability reports using automated tools without validation\"}","{\"category\":\"Open Source Vulnerabilities\",\"details\":\"Vulnerabilities in open source projects such as those present on the DBR are not eligible for bounty\"}","{\"category\":\"Subdomain Takeover\",\"details\":\"Subdomain takeovers that lack demonstrable impact are out of scope\"}","{\"category\":\"Databricks AI assistive features\",\"details\":\"Reports that Databricks AI assistive features produced content easily findable via search engines.\"}"],"timestamp":"2026-06-02T16:58:58.755Z"},{"id":3775365,"new_policy":"As part of Databricks’ commitment to security, we reward security researchers who find and report to us critical security vulnerabilities and help us keep our business and customers safe. 
By participating in this program, you are agreeing to the Databricks [terms and conditions](#user-content-terms-and-conditions).\n\nCreating your Databricks Accounts\n=================\n\n**Free Edition**: [Sign up here](https://login.databricks.com/?dbx_source=docs\u0026intent=CE_SIGN_UP) for a personal workspace. This edition has [specific limitations](https://docs.databricks.com/aws/en/getting-started/free-edition-limitations/), such as the absence of Scala and custom compute.\n**Enterprise Workspace**: To test features not available on Free Edition, use the HackerOne Request Credential button. You will be invited to a managed workspace.  Note: You will not have administrative privileges in this environment.\n\n* For both starting points, your home page will show different resources and video links. These can help you become familiar with the complicated Databricks environment.\n* For further information on using Databricks, please visit https://docs.databricks.com/.\n* Databricks Architecture Overview: https://docs.databricks.com/en/getting-started/overview.html\n* Databricks Product Walkthroughs for Researchers - F3696045\n\nGeneral Program Rules\n==============\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n* Only interact with accounts you own or with express written permission of the account holder. Our security team is here to support your research and collaborate with you.\n* Use your best judgment to avoid unintentional access to customer information. 
As part of your research, do not modify any files or user or customer data, including permissions, and do not intentionally view or access any data beyond what is needed to prove the vulnerability.\n* Contact us immediately if you inadvertently encounter user or customer data, and immediately and securely purge any data belonging to anyone other than you that you acquire upon reporting the vulnerability to Databricks.\n* Do not disclose your report or the vulnerability without prior express written permission from Databricks.\n\nReport and Reward Guidelines\n=======================\n* When reporting, submit only one vulnerability per report, unless you need to chain vulnerabilities to provide impact or demonstrate the issue. \n* If an issue requires the execution of multiple exploits, the chain and the report must include both compiled and source versions, everything needed to execute the chain, and a sample non-destructive payload, if needed. \n* Cross-Site Scripting (XSS) vulnerabilities, including those demonstrated to enable one-click Account Takeover (ATO), will generally be triaged as High Severity because they require user interaction and typically impact only a single user session. The role of the targeted user does not, by itself, increase severity.\n\nTechnical Details\n-----------------\n* Databricks is a Remote Code Execution environment, thus most instances of RCE are considered to be part of the product, and not vulnerabilities. Please do not report remote code execution unless you believe it is either unintended, or violates the security guarantees of the platform.\n* Notebooks execute as root and all cluster access is root - this is expected. There are no security boundaries within a cluster.\n* Please be aware the Databricks product allows launching of Spark clusters on Azure, and these clusters cost us money to run. 
Please be mindful of this and do not create excessive clusters.\n* Databricks AI assistive features that return information easily findable via search engines are not vulnerabilities, and reports of such outputs are not eligible for bounty.\n\nOpen source projects\n----------------------\n| Project | Details | \n| ---- | ---- |\n| Apache Spark | Apache Software Foundation is the Official Owner / Maintainer of Apache Spark.  Please follow their [security guidelines](https://spark.apache.org/security.htm) for vulnerabilities involving Apache Spark. | \n| MLFlow |  Databricks Managed MLFlow differs from its open-source cousin.  Please report issues with Databricks Managed MLFlow to this program and issues with open source MLFlow via their [security page](https://github.com/mlflow/mlflow/security). |\n| Redash |  Redash is an open source project owned by the community.  Please refer to their [security policy](https://github.com/getredash/redash/security) to report issues with Redash. |\n\n# Terms and Conditions\n**Applicable Laws.** You must comply with all applicable laws, including local laws of the country or region in which you reside or in which you access or use Databricks services. \n**Bounty.** Databricks bug bounties are granted solely at Databricks’ discretion.\n**Data.** Your testing must not violate any law, or disrupt, compromise or damage data or property that is not your own. This includes attacking any devices or accounts other than your own (or those for which you have express written permission) and using social engineering (e.g., phishing, vishing, smishing) techniques. However, finding technical flaws that can be used for social engineering, such as spoofing or tampering, is allowed.\n**Finances.** You are responsible for any tax implications depending on your country of residency and citizenship. 
There may be additional restrictions on your ability to participate depending upon your local law.\n**General Eligibility \u0026 Sanctions.** We are unable to issue rewards to individuals who are employed by Databricks, Inc.; are an immediate family member of a person employed by Databricks, Inc.; or are under 18 years of age.  We are also unable to issue rewards to individuals who are in any U.S. embargoed countries or on the U.S. Department’s list of Specially Designated Nationals or the U.S. Department of Commerce Denied Persons List or Entity List or any other restricted party lists.\n**Research.** Immediately stop your research and notify Databricks using the reporting process before any of the following occur:\n* You access any accounts or data other than your own (or those for which you have express written permission from their owners)\n* You disrupt any Databricks service\n* You access a non-customer facing Databricks system. \n\nIf you have already accessed data other than your own, and acquired it, contact us immediately, and securely purge any data you have acquired upon reporting the vulnerability to Databricks.\n","has_open_scope":true,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"The Databricks team is thrilled to invite the security research community to test the resilience of our unified data and AI platform. As fellow hackers and builders, we deeply respect the grit and ingenuity required to find impactful vulnerabilities. We are committed to treating every researcher with professional respect while valuing your time and effort! The Databricks Platform is inherently complex, so we encourage you to roll up your sleeves and dig deep! 
\n\nIn addition to our Program Highlights, we commit to:\n* Treating every researcher with professional respect, valuing your time and effort, and communicating openly.\n* Providing Testimonials for reports that are Critical, High, or exceptionally creative.\n* Offering retests for reports where retesting makes sense.\n\nPlease don't hesitate to contact us if you have any questions getting started or along the way: bugbounty@databricks.com. We look forward to rewarding your good findings soon!","platform_standards_exclusions":[],"exemplary_standards_exclusions":["LEAKED_CREDENTIALS"],"scope_exclusions":["{\"category\":\"Automated Reports\",\"details\":\"Sending vulnerability reports using automated tools without validation\"}","{\"category\":\"Open Source Vulnerabilities\",\"details\":\"Vulnerabilities in open source projects such as those present on the DBR are not eligible for bounty\"}","{\"category\":\"Subdomain Takeover\",\"details\":\"Subdomain takeovers that lack demonstrable impact are out of scope\"}","{\"category\":\"Databricks AI assistive features\",\"details\":\"Reports that Databricks AI assistive features produced content easily findable via search engines.\"}"],"timestamp":"2026-06-02T16:11:01.983Z"},{"id":3768977,"new_policy":"As part of Databricks’ commitment to security, we reward security researchers who find and report to us critical security vulnerabilities and help us keep our business and customers safe. By participating in this program, you are agreeing to the Databricks [terms and conditions](#user-content-terms-and-conditions).\n\nCreating your Databricks Accounts\n=================\n\n**Free Edition**: [Sign up here](https://login.databricks.com/?dbx_source=docs\u0026intent=CE_SIGN_UP) for a personal workspace. 
This edition has [specific limitations](https://docs.databricks.com/aws/en/getting-started/free-edition-limitations/), such as the absence of Scala and custom compute.\n**Enterprise Workspace**: To test features not available on Free Edition, use the HackerOne Request Credential button. You will be invited to a managed workspace.  Note: You will not have administrative privileges in this environment.\n\n* For both starting points, your home page will show different resources and video links. These can help you become familiar with the complicated Databricks environment.\n* For further information on using Databricks, please visit https://docs.databricks.com/.\n* Databricks Architecture Overview: https://docs.databricks.com/en/getting-started/overview.html\n* Databricks Product Walkthroughs for Researchers - F3696045\n\nGeneral Program Rules\n==============\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n* Only interact with accounts you own or with express written permission of the account holder. Our security team is here to support your research and collaborate with you.\n* Use your best judgment to avoid unintentional access to customer information. As part of your research, do not modify any files or user or customer data, including permissions, and do not intentionally view or access any data beyond what is needed to prove the vulnerability.\n* Contact us immediately if you inadvertently encounter user or customer data, and immediately and securely purge any data belonging to anyone other than you that you acquire upon reporting the vulnerability to Databricks.\n* Do not disclose your report or the vulnerability without prior express written permission from Databricks.\n\nReport and Reward Guidelines\n=======================\n* When reporting, submit only one vulnerability per report, unless you need to chain vulnerabilities to provide impact or demonstrate the issue. 
\n* If an issue requires the execution of multiple exploits, the chain and the report must include both compiled and source versions, everything needed to execute the chain, and a sample non-destructive payload, if needed. \n* Cross-Site Scripting (XSS) vulnerabilities, including those demonstrated to enable one-click Account Takeover (ATO), will generally be triaged as High Severity because they require user interaction and typically impact only a single user session. The role of the targeted user does not, by itself, increase severity.\n\nTechnical Details\n-----------------\n* Databricks is a Remote Code Execution environment, thus most instances of RCE are considered to be part of the product, and not vulnerabilities. Please do not report remote code execution unless you believe it is either unintended, or violates the security guarantees of the platform.\n* Notebooks execute as root and all cluster access is root - this is expected. There are no security boundaries within a cluster.\n* Please be aware the Databricks product allows launching of Spark clusters on Azure, and these clusters cost us money to run. Please be mindful of this and do not create excessive clusters.\n\nOpen source projects\n----------------------\n| Project | Details | \n| ---- | ---- |\n| Apache Spark | Apache Software Foundation is the Official Owner / Maintainer of Apache Spark.  Please follow their [security guidelines](https://spark.apache.org/security.htm) for vulnerabilities involving Apache Spark. | \n| MLFlow |  Databricks Managed MLFlow differs from its open-source cousin.  Please report issues with Databricks Managed MLFlow to this program and issues with open source MLFlow via their [security page](https://github.com/mlflow/mlflow/security). |\n| Redash |  Redash is an open source project owned by the community.  Please refer to their [security policy](https://github.com/getredash/redash/security) to report issues with Redash. 
|\n\n# Terms and Conditions\n**Applicable Laws.** You must comply with all applicable laws, including local laws of the country or region in which you reside or in which you access or use Databricks services. \n**Bounty.** Databricks bug bounties are granted solely at Databricks’ discretion.\n**Data.** Your testing must not violate any law, or disrupt, compromise or damage data or property that is not your own. This includes attacking any devices or accounts other than your own (or those for which you have express written permission) and using social engineering (e.g., phishing, vishing, smishing) techniques. However, finding technical flaws that can be used for social engineering, such as spoofing or tampering, is allowed.\n**Finances.** You are responsible for any tax implications depending on your country of residency and citizenship. There may be additional restrictions on your ability to participate depending upon your local law.\n**General Eligibility \u0026 Sanctions.** We are unable to issue rewards to individuals who are employed by Databricks, Inc.; are an immediate family member of a person employed by Databricks, Inc.; or are under 18 years of age.  We are also unable to issue rewards to individuals who are in any U.S. embargoed countries or on the U.S. Department’s list of Specially Designated Nationals or the U.S. Department of Commerce Denied Persons List or Entity List or any other restricted party lists.\n**Research.** Immediately stop your research and notify Databricks using the reporting process before any of the following occur:\n* You access any accounts or data other than your own (or those for which you have express written permission from their owners)\n* You disrupt any Databricks service\n* You access a non-customer facing Databricks system. 
\n\nIf you have already accessed data other than your own, and acquired it, contact us immediately, and securely purge any data you have acquired upon reporting the vulnerability to Databricks.\n","has_open_scope":true,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"The Databricks team is thrilled to invite the security research community to test the resilience of our unified data and AI platform. As fellow hackers and builders, we deeply respect the grit and ingenuity required to find impactful vulnerabilities. We are committed to treating every researcher with professional respect while valuing your time and effort! The Databricks Platform is inherently complex, so we encourage you to roll up your sleeves and dig deep! \n\nIn addition to our Program Highlights, we commit to:\n* Treating every researcher with professional respect, valuing your time and effort, and communicating openly.\n* Providing Testimonials for reports that are Critical, High, or exceptionally creative.\n* Offering retests for reports where retesting makes sense.\n\nPlease don't hesitate to contact us if you have any questions getting started or along the way: bugbounty@databricks.com. 
We look forward to rewarding your good findings soon!","platform_standards_exclusions":[],"exemplary_standards_exclusions":["LEAKED_CREDENTIALS"],"scope_exclusions":["{\"category\":\"Automated Reports\",\"details\":\"Sending vulnerability reports using automated tools without validation\"}","{\"category\":\"Open Source Vulnerabilities\",\"details\":\"Vulnerabilities in open source projects such as those present on the DBR are not eligible for bounty\"}","{\"category\":\"Subdomain Takeover\",\"details\":\"Subdomain takeovers that lack demonstrable impact are out of scope\"}"],"timestamp":"2026-01-29T20:36:08.495Z"},{"id":3767611,"new_policy":"As part of Databricks’ commitment to security, we reward security researchers who find and report to us critical security vulnerabilities and help us keep our business and customers safe. By participating in this program, you are agreeing to the Databricks [terms and conditions](#user-content-terms-and-conditions).\n\nCreating your Databricks Accounts\n=================\n\n* There are two ways to start:\n  * The quickest is to create a Free Edition account: https://login.databricks.com/?dbx_source=docs\u0026intent=CE_SIGN_UP This is our \"serverless\" product. You will have access to admin features of your own \"workspace\".\n  * Alternatively, you may request credentials from the HackerOne Request Credential feature. You will be invited as a participant in a pre-built \"workspace\". There may be interesting differences in feature set and configuration compared to the Free Edition.\n* For both starting points, your home page will show different resources and video links. 
These can help you become familiar with the complicated Databricks environment.\n* For further information on using Databricks, please visit https://docs.databricks.com/.\n* Databricks Architecture Overview: https://docs.databricks.com/en/getting-started/overview.html\n* Databricks Product Walkthroughs for Researchers - F3696045\n\nGeneral Program Rules\n==============\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n* Only interact with accounts you own or with express written permission of the account holder. Our security team is here to support your research and collaborate with you.\n* Use your best judgment to avoid unintentional access to customer information. As part of your research, do not modify any files or user or customer data, including permissions, and do not intentionally view or access any data beyond what is needed to prove the vulnerability.\n* Contact us immediately if you inadvertently encounter user or customer data, and immediately and securely purge any data belonging to anyone other than you that you acquire upon reporting the vulnerability to Databricks.\n* Do not disclose your report or the vulnerability without prior express written permission from Databricks.\n\nReport and Reward Guidelines\n=======================\n* When reporting, submit only one vulnerability per report, unless you need to chain vulnerabilities to provide impact or demonstrate the issue. \n* If an issue requires the execution of multiple exploits, the chain and the report must include both compiled and source versions, everything needed to execute the chain, and a sample non-destructive payload, if needed. \n* Cross-Site Scripting (XSS) vulnerabilities, including those demonstrated to enable one-click Account Takeover (ATO), will generally be triaged as High Severity because they require user interaction and typically impact only a single user session. 
The role of the targeted user does not, by itself, increase severity.\n\nTechnical Details\n-----------------\n* Databricks is a Remote Code Execution environment, thus most instances of RCE are considered to be part of the product, and not vulnerabilities. Please do not report remote code execution unless you believe it is either unintended, or violates the security guarantees of the platform.\n* Notebooks execute as root and all cluster access is root - this is expected. There are no security boundaries within a cluster.\n* Please be aware the Databricks product allows launching of Spark clusters on Azure, and these clusters cost us money to run. Please be mindful of this and do not create excessive clusters.\n\nOpen source projects\n----------------------\n| Project | Details | \n| ---- | ---- |\n| Apache Spark | Apache Software Foundation is the Official Owner / Maintainer of Apache Spark.  Please follow their [security guidelines](https://spark.apache.org/security.htm) for vulnerabilities involving Apache Spark. | \n| MLFlow |  Databricks Managed MLFlow differs from its open-source cousin.  Please report issues with Databricks Managed MLFlow to this program and issues with open source MLFlow via their [security page](https://github.com/mlflow/mlflow/security). |\n| Redash |  Redash is an open source project owned by the community.  Please refer to their [security policy](https://github.com/getredash/redash/security) to report issues with Redash. |\n\n# Terms and Conditions\n**Applicable Laws.** You must comply with all applicable laws, including local laws of the country or region in which you reside or in which you access or use Databricks services. \n**Bounty.** Databricks bug bounties are granted solely at Databricks’ discretion.\n**Data.** Your testing must not violate any law, or disrupt, compromise or damage data or property that is not your own. 
This includes attacking any devices or accounts other than your own (or those for which you have express written permission) and using social engineering (e.g., phishing, vishing, smishing) techniques. However, finding technical flaws that can be used for social engineering, such as spoofing or tampering, is allowed.\n**Finances.** You are responsible for any tax implications depending on your country of residency and citizenship. There may be additional restrictions on your ability to participate depending upon your local law.\n**General Eligibility \u0026 Sanctions.** We are unable to issue rewards to individuals who are employed by Databricks, Inc.; are an immediate family member of a person employed by Databricks, Inc.; or are under 18 years of age.  We are also unable to issue rewards to individuals who are in any U.S. embargoed countries or on the U.S. Department’s list of Specially Designated Nationals or the U.S. Department of Commerce Denied Persons List or Entity List or any other restricted party lists.\n**Research.** Immediately stop your research and notify Databricks using the reporting process before any of the following occur:\n* You access any accounts or data other than your own (or those for which you have express written permission from their owners)\n* You disrupt any Databricks service\n* You access a non-customer facing Databricks system. \n\nIf you have already accessed data other than your own, and acquired it, contact us immediately, and securely purge any data you have acquired upon reporting the vulnerability to Databricks.\n","has_open_scope":true,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"The Databricks team is thrilled to invite the security research community to test the resilience of our unified data and AI platform. 
As fellow hackers and builders, we deeply respect the grit and ingenuity required to find impactful vulnerabilities. We are committed to treating every researcher with professional respect while valuing your time and effort! The Databricks Platform is inherently complex, so we encourage you to roll up your sleeves and dig deep! \n\nIn addition to our Program Highlights, we commit to:\n* Treating every researcher with professional respect, valuing your time and effort, and communicating openly.\n* Providing Testimonials for reports that are Critical, High, or exceptionally creative.\n* Offering retests for reports where retesting makes sense.\n\nPlease don't hesitate to contact us if you have any questions getting started or along the way: bugbounty@databricks.com. We look forward to rewarding your good findings soon!","platform_standards_exclusions":[],"exemplary_standards_exclusions":["LEAKED_CREDENTIALS"],"scope_exclusions":["{\"category\":\"Automated Reports\",\"details\":\"Sending vulnerability reports using automated tools without validation\"}","{\"category\":\"Open Source Vulnerabilties\",\"details\":\"Vulnerabilities in open source projects such as those present on the DBR are not eligible for bounty\"}","{\"category\":\"Subdomain Takeover\",\"details\":\"Subdomain takeovers that lack demonstrable impact are out of scope\"}"],"timestamp":"2025-12-19T02:28:57.294Z"},{"id":3767509,"new_policy":"As part of Databricks’ commitment to security, we reward security researchers who find and report to us critical security vulnerabilities and help us keep our business and customers safe. 
By participating in this program, you are agreeing to the Databricks [terms and conditions](#user-content-terms-and-conditions).\n\nCreating your Databricks Accounts\n=================\n\n* Please request credentials from the HackerOne Request Credential feature.\n* For information on using Databricks, please visit https://docs.databricks.com/.\n* Databricks Architecture Overview: https://docs.databricks.com/en/getting-started/overview.html\n* Databricks Product Walkthroughs for Researchers - F3696045\n\nGeneral Program Rules\n==============\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n* Only interact with accounts you own or with express written permission of the account holder. Our security team is here to support your research and collaborate with you.\n* Use your best judgment to avoid unintentional access to customer information. As part of your research, do not modify any files or user or customer data, including permissions, and do not intentionally view or access any data beyond what is needed to prove the vulnerability.\n* Contact us immediately if you inadvertently encounter user or customer data, and immediately and securely purge any data belonging to anyone other than you that you acquire upon reporting the vulnerability to Databricks.\n* Do not disclose your report or the vulnerability without prior express written permission from Databricks.\n\nReport and Reward Guidelines\n=======================\n* When reporting, submit only one vulnerability per report, unless you need to chain vulnerabilities to provide impact or demonstrate the issue. \n* If an issue requires the execution of multiple exploits, the chain and the report must include both compiled and source versions, everything needed to execute the chain, and a sample non-destructive payload, if needed. 
\n* Cross-Site Scripting (XSS) vulnerabilities, including those demonstrated to enable one-click Account Takeover (ATO), will generally be triaged as High Severity because they require user interaction and typically impact only a single user session. The role of the targeted user does not, by itself, increase severity.\n\nTechnical Details\n-----------------\n* Databricks is a Remote Code Execution environment; thus most instances of RCE are considered part of the product and not vulnerabilities. Please do not report remote code execution unless you believe it is either unintended or violates the security guarantees of the platform.\n* Notebooks execute as root and all cluster access is root; this is expected. There are no security boundaries within a cluster.\n* Please be aware that the Databricks product allows launching Spark clusters on Azure, and these clusters cost us money to run. Please be mindful of this and do not create excessive clusters.\n\nOpen source projects\n----------------------\n| Project | Details |\n| ---- | ---- |\n| Apache Spark | The Apache Software Foundation is the official owner and maintainer of Apache Spark. Please follow their [security guidelines](https://spark.apache.org/security.htm) for vulnerabilities involving Apache Spark. |\n| MLFlow | Databricks Managed MLFlow differs from its open-source cousin. Please report issues with Databricks Managed MLFlow to this program and issues with open source MLFlow via their [security page](https://github.com/mlflow/mlflow/security). |\n| Redash | Redash is an open source project owned by the community. Please refer to their [security policy](https://github.com/getredash/redash/security) to report issues with Redash. |\n\n# Terms and Conditions\n**Applicable Laws.** You must comply with all applicable laws, including local laws of the country or region in which you reside or in which you access or use Databricks services. 
\n**Bounty.** Databricks bug bounties are granted solely at Databricks’ discretion.\n**Data.** Your testing must not violate any law, or disrupt, compromise or damage data or property that is not your own. This includes attacking any devices or accounts other than your own (or those for which you have express written permission) and using social engineering (e.g., phishing, vishing, smishing) techniques. However, finding technical flaws that can be used for social engineering, such as spoofing or tampering, is allowed.\n**Finances.** You are responsible for any tax implications depending on your country of residency and citizenship. There may be additional restrictions on your ability to participate depending upon your local law.\n**General Eligibility \u0026 Sanctions.** We are unable to issue rewards to individuals who are employed by Databricks, Inc.; are an immediate family member of a person employed by Databricks, Inc.; or are under 18 years of age. We are also unable to issue rewards to individuals who are in any U.S. embargoed countries or on the U.S. Department’s list of Specially Designated Nationals or the U.S. Department of Commerce Denied Persons List or Entity List or any other restricted party lists.\n**Research.** Immediately stop your research and notify Databricks using the reporting process before any of the following occur:\n    * You access any accounts or data other than your own (or those for which you have express written permission from their owners)\n    * You disrupt any Databricks service\n    * You access a non-customer-facing Databricks system. 
\n\nIf you have already accessed data other than your own, and acquired it, contact us immediately, and securely purge any data you have acquired upon reporting the vulnerability to Databricks.\n","has_open_scope":true,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"The Databricks team is thrilled to invite the security research community to test the resilience of our unified data and AI platform. As fellow hackers and builders, we deeply respect the grit and ingenuity required to find impactful vulnerabilities. We are committed to treating every researcher with professional respect while valuing your time and effort! The Databricks Platform is inherently complex, so we encourage you to roll up your sleeves and dig deep! \n\nIn addition to our Program Highlights, we commit to:\n* Treating every researcher with professional respect, valuing your time and effort, and communicating openly.\n* Providing Testimonials for reports that are Critical, High, or exceptionally creative.\n* Offering retests for reports where retesting makes sense.\n\nPlease don't hesitate to contact us if you have any questions getting started or along the way: bugbounty@databricks.com. 
We look forward to rewarding your good findings soon!","platform_standards_exclusions":[],"exemplary_standards_exclusions":["LEAKED_CREDENTIALS"],"scope_exclusions":["{\"category\":\"Automated Reports\",\"details\":\"Sending vulnerability reports using automated tools without validation\"}","{\"category\":\"Open Source Vulnerabilities\",\"details\":\"Vulnerabilities in open source projects such as those present on the DBR are not eligible for bounty\"}","{\"category\":\"Subdomain Takeover\",\"details\":\"Subdomain takeovers that lack demonstrable impact are out of scope\"}"],"timestamp":"2025-12-17T16:03:23.611Z"},{"id":3766638,"new_policy":"As part of Databricks’ commitment to security, we reward security researchers who find and report to us critical security vulnerabilities and help us keep our business and customers safe. By participating in this program, you are agreeing to the Databricks [terms and conditions](#user-content-terms-and-conditions).\n\nCreating your Databricks Accounts\n=================\n\n* Please request credentials from the HackerOne Request Credential feature.\n* For information on using Databricks, please visit https://docs.databricks.com/.\n* Databricks Architecture Overview: https://docs.databricks.com/en/getting-started/overview.html\n* Databricks Product Walkthroughs for Researchers - F3696045\n\nGeneral Program Rules\n==============\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n* Only interact with accounts you own or with express written permission of the account holder. Our security team is here to support your research and collaborate with you.\n* Use your best judgment to avoid unintentional access to customer information. 
As part of your research, do not modify any files or user or customer data, including permissions, and do not intentionally view or access any data beyond what is needed to prove the vulnerability.\n* Contact us immediately if you inadvertently encounter user or customer data, and immediately and securely purge any data belonging to anyone other than you that you acquire upon reporting the vulnerability to Databricks.\n* Do not disclose your report or the vulnerability without prior express written permission from Databricks.\n\nReport and Reward Guidelines\n=======================\n* When reporting, submit only one vulnerability per report, unless you need to chain vulnerabilities to provide impact or demonstrate the issue. \n* If an issue requires the execution of multiple exploits, the chain and the report must include both compiled and source versions, everything needed to execute the chain, and a sample non-destructive payload, if needed. \n\nTechnical Details\n-----------------\n* Databricks is a Remote Code Execution environment; thus most instances of RCE are considered part of the product and not vulnerabilities. Please do not report remote code execution unless you believe it is either unintended or violates the security guarantees of the platform.\n* Notebooks execute as root and all cluster access is root; this is expected. There are no security boundaries within a cluster.\n* Please be aware that the Databricks product allows launching Spark clusters on Azure, and these clusters cost us money to run. Please be mindful of this and do not create excessive clusters.\n\nOpen source projects\n----------------------\n| Project | Details |\n| ---- | ---- |\n| Apache Spark | The Apache Software Foundation is the official owner and maintainer of Apache Spark. Please follow their [security guidelines](https://spark.apache.org/security.htm) for vulnerabilities involving Apache Spark. 
|\n| MLFlow | Databricks Managed MLFlow differs from its open-source cousin. Please report issues with Databricks Managed MLFlow to this program and issues with open source MLFlow via their [security page](https://github.com/mlflow/mlflow/security). |\n| Redash | Redash is an open source project owned by the community. Please refer to their [security policy](https://github.com/getredash/redash/security) to report issues with Redash. |\n\n# Terms and Conditions\n**Applicable Laws.** You must comply with all applicable laws, including local laws of the country or region in which you reside or in which you access or use Databricks services. \n**Bounty.** Databricks bug bounties are granted solely at Databricks’ discretion.\n**Data.** Your testing must not violate any law, or disrupt, compromise or damage data or property that is not your own. This includes attacking any devices or accounts other than your own (or those for which you have express written permission) and using social engineering (e.g., phishing, vishing, smishing) techniques. However, finding technical flaws that can be used for social engineering, such as spoofing or tampering, is allowed.\n**Finances.** You are responsible for any tax implications depending on your country of residency and citizenship. There may be additional restrictions on your ability to participate depending upon your local law.\n**General Eligibility \u0026 Sanctions.** We are unable to issue rewards to individuals who are employed by Databricks, Inc.; are an immediate family member of a person employed by Databricks, Inc.; or are under 18 years of age. We are also unable to issue rewards to individuals who are in any U.S. embargoed countries or on the U.S. Department’s list of Specially Designated Nationals or the U.S. 
Department of Commerce Denied Persons List or Entity List or any other restricted party lists.\n**Research.** Immediately stop your research and notify Databricks using the reporting process before any of the following occur:\n    * You access any accounts or data other than your own (or those for which you have express written permission from their owners)\n    * You disrupt any Databricks service\n    * You access a non-customer-facing Databricks system. \n\nIf you have already accessed data other than your own, and acquired it, contact us immediately, and securely purge any data you have acquired upon reporting the vulnerability to Databricks.\n","has_open_scope":true,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"The Databricks team is thrilled to invite the security research community to test the resilience of our unified data and AI platform. As fellow hackers and builders, we deeply respect the grit and ingenuity required to find impactful vulnerabilities. We are committed to treating every researcher with professional respect while valuing your time and effort! The Databricks Platform is inherently complex, so we encourage you to roll up your sleeves and dig deep! \n\nIn addition to our Program Highlights, we commit to:\n* Treating every researcher with professional respect, valuing your time and effort, and communicating openly.\n* Providing Testimonials for reports that are Critical, High, or exceptionally creative.\n* Offering retests for reports where retesting makes sense.\n\nPlease don't hesitate to contact us if you have any questions getting started or along the way: bugbounty@databricks.com. 
We look forward to rewarding your good findings soon!","platform_standards_exclusions":[],"exemplary_standards_exclusions":["LEAKED_CREDENTIALS"],"scope_exclusions":["{\"category\":\"Automated Reports\",\"details\":\"Sending vulnerability reports using automated tools without validation\"}","{\"category\":\"Open Source Vulnerabilities\",\"details\":\"Vulnerabilities in open source projects such as those present on the DBR are not eligible for bounty\"}","{\"category\":\"Subdomain Takeover\",\"details\":\"Subdomain takeovers that lack demonstrable impact are out of scope\"}"],"timestamp":"2025-11-26T21:00:45.089Z"},{"id":3766563,"new_policy":"As part of Databricks’ commitment to security, we reward security researchers who find and report to us critical security vulnerabilities and help us keep our business and customers safe. By participating in this program, you are agreeing to the Databricks [terms and conditions](#user-content-terms-and-conditions).\n\nCreating your Databricks Accounts\n=================\n\n* Please request credentials from the HackerOne Request Credential feature.\n* For information on using Databricks, please visit https://docs.databricks.com/.\n* Databricks Architecture Overview: https://docs.databricks.com/en/getting-started/overview.html\n* Databricks Product Walkthroughs for Researchers - F3696045\n\nGeneral Program Rules\n==============\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n* Only interact with accounts you own or with express written permission of the account holder. Our security team is here to support your research and collaborate with you.\n* Use your best judgment to avoid unintentional access to customer information. 
As part of your research, do not modify any files or user or customer data, including permissions, and do not intentionally view or access any data beyond what is needed to prove the vulnerability.\n* Contact us immediately if you inadvertently encounter user or customer data, and immediately and securely purge any data belonging to anyone other than you that you acquire upon reporting the vulnerability to Databricks.\n* Do not disclose your report or the vulnerability without prior express written permission from Databricks.\n\nReport and Reward Guidelines\n=======================\n* When reporting, submit only one vulnerability per report, unless you need to chain vulnerabilities to provide impact or demonstrate the issue. \n* If an issue requires the execution of multiple exploits, the chain and the report must include both compiled and source versions, everything needed to execute the chain, and a sample non-destructive payload, if needed. \n\nTechnical Details\n-----------------\n* Databricks is a Remote Code Execution environment; thus most instances of RCE are considered part of the product and not vulnerabilities. Please do not report remote code execution unless you believe it is either unintended or violates the security guarantees of the platform.\n* Notebooks execute as root and all cluster access is root; this is expected. There are no security boundaries within a cluster.\n* Please be aware that the Databricks product allows launching Spark clusters on Azure, and these clusters cost us money to run. Please be mindful of this and do not create excessive clusters.\n\nOpen source projects\n----------------------\n| Project | Details |\n| ---- | ---- |\n| Apache Spark | The Apache Software Foundation is the official owner and maintainer of Apache Spark. Please follow their [security guidelines](https://spark.apache.org/security.htm) for vulnerabilities involving Apache Spark. 
|\n| MLFlow | Databricks Managed MLFlow differs from its open-source cousin. Please report issues with Databricks Managed MLFlow to this program and issues with open source MLFlow via their [security page](https://github.com/mlflow/mlflow/security). |\n| Redash | Redash is an open source project owned by the community. Please refer to their [security policy](https://github.com/getredash/redash/security) to report issues with Redash. |\n\n# Terms and Conditions\n**Applicable Laws.** You must comply with all applicable laws, including local laws of the country or region in which you reside or in which you access or use Databricks services. \n**Bounty.** Databricks bug bounties are granted solely at Databricks’ discretion.\n**Data.** Your testing must not violate any law, or disrupt, compromise or damage data or property that is not your own. This includes attacking any devices or accounts other than your own (or those for which you have express written permission) and using social engineering (e.g., phishing, vishing, smishing) techniques. However, finding technical flaws that can be used for social engineering, such as spoofing or tampering, is allowed.\n**Finances.** You are responsible for any tax implications depending on your country of residency and citizenship. There may be additional restrictions on your ability to participate depending upon your local law.\n**General Eligibility \u0026 Sanctions.** We are unable to issue rewards to individuals who are employed by Databricks, Inc.; are an immediate family member of a person employed by Databricks, Inc.; or are under 18 years of age. We are also unable to issue rewards to individuals who are in any U.S. embargoed countries or on the U.S. Department’s list of Specially Designated Nationals or the U.S. 
Department of Commerce Denied Persons List or Entity List or any other restricted party lists.\n**Research.** Immediately stop your research and notify Databricks using the reporting process before any of the following occur:\n    * You access any accounts or data other than your own (or those for which you have express written permission from their owners)\n    * You disrupt any Databricks service\n    * You access a non-customer-facing Databricks system. \n\nIf you have already accessed data other than your own, and acquired it, contact us immediately, and securely purge any data you have acquired upon reporting the vulnerability to Databricks.\n","has_open_scope":true,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"The Databricks team is thrilled to invite the security research community to test the resilience of our unified data and AI platform. As fellow hackers and builders, we deeply respect the grit and ingenuity required to find impactful vulnerabilities. We are committed to treating every researcher with professional respect while valuing your time and effort! The Databricks Platform is inherently complex, so we encourage you to roll up your sleeves and dig deep! Please don't hesitate to contact us if you have any questions getting started or along the way: bugbounty@databricks.com. 
We look forward to rewarding your good findings soon!","platform_standards_exclusions":[],"exemplary_standards_exclusions":["LEAKED_CREDENTIALS"],"scope_exclusions":["{\"category\":\"Automated Reports\",\"details\":\"Sending vulnerability reports using automated tools without validation\"}","{\"category\":\"Open Source Vulnerabilities\",\"details\":\"Vulnerabilities in open source projects such as those present on the DBR are not eligible for bounty\"}","{\"category\":\"Subdomain Takeover\",\"details\":\"Subdomain takeovers that lack demonstrable impact are out of scope\"}"],"timestamp":"2025-11-25T21:11:52.013Z"},{"id":3766562,"new_policy":"As part of Databricks’ commitment to security, we reward security researchers who find and report to us critical security vulnerabilities and help us keep our business and customers safe. By participating in this program, you are agreeing to the Databricks [terms and conditions](#user-content-terms-and-conditions).\n\nCreating your Databricks Accounts\n=================\n\n* Please request credentials from the HackerOne Request Credential feature.\n* For information on using Databricks, please visit https://docs.databricks.com/.\n* Databricks Architecture Overview: https://docs.databricks.com/en/getting-started/overview.html\n* Databricks Product Walkthroughs for Researchers - F3696045\n\nGeneral Program Rules\n==============\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n* Only interact with accounts you own or with express written permission of the account holder. Our security team is here to support your research and collaborate with you.\n* Use your best judgment to avoid unintentional access to customer information. 
As part of your research, do not modify any files or user or customer data, including permissions, and do not intentionally view or access any data beyond what is needed to prove the vulnerability.\n* Contact us immediately if you inadvertently encounter user or customer data, and immediately and securely purge any data belonging to anyone other than you that you acquire upon reporting the vulnerability to Databricks.\n* Do not disclose your report or the vulnerability without prior express written permission from Databricks.\n\nReport and Reward Guidelines\n=======================\n* When reporting, submit only one vulnerability per report, unless you need to chain vulnerabilities to provide impact or demonstrate the issue. \n* If an issue requires the execution of multiple exploits, the chain and the report must include both compiled and source versions, everything needed to execute the chain, and a sample non-destructive payload, if needed. \n\nTechnical Details\n-----------------\n* Databricks is a Remote Code Execution environment; thus most instances of RCE are considered part of the product and not vulnerabilities. Please do not report remote code execution unless you believe it is either unintended or violates the security guarantees of the platform.\n* Notebooks execute as root and all cluster access is root; this is expected. There are no security boundaries within a cluster.\n* Please be aware that the Databricks product allows launching Spark clusters on Azure, and these clusters cost us money to run. Please be mindful of this and do not create excessive clusters.\n\nOpen source projects\n----------------------\n| Project | Details |\n| ---- | ---- |\n| Apache Spark | The Apache Software Foundation is the official owner and maintainer of Apache Spark. Please follow their [security guidelines](https://spark.apache.org/security.htm) for vulnerabilities involving Apache Spark. 
|\n| MLFlow | Databricks Managed MLFlow differs from its open-source cousin. Please report issues with Databricks Managed MLFlow to this program and issues with open source MLFlow via their [security page](https://github.com/mlflow/mlflow/security). |\n| Redash | Redash is an open source project owned by the community. Please refer to their [security policy](https://github.com/getredash/redash/security) to report issues with Redash. |\n\n# Terms and Conditions\n**Applicable Laws.** You must comply with all applicable laws, including local laws of the country or region in which you reside or in which you access or use Databricks services. \n**Bounty.** Databricks bug bounties are granted solely at Databricks’ discretion.\n**Data.** Your testing must not violate any law, or disrupt, compromise or damage data or property that is not your own. This includes attacking any devices or accounts other than your own (or those for which you have express written permission) and using social engineering (e.g., phishing, vishing, smishing) techniques. However, finding technical flaws that can be used for social engineering, such as spoofing or tampering, is allowed.\n**Finances.** You are responsible for any tax implications depending on your country of residency and citizenship. There may be additional restrictions on your ability to participate depending upon your local law.\n**General Eligibility \u0026 Sanctions.** We are unable to issue rewards to individuals who are employed by Databricks, Inc.; are an immediate family member of a person employed by Databricks, Inc.; or are under 18 years of age. We are also unable to issue rewards to individuals who are in any U.S. embargoed countries or on the U.S. Department’s list of Specially Designated Nationals or the U.S. 
Department of Commerce Denied Persons List or Entity List or any other restricted party lists.\n**Research.** Immediately stop your research and notify Databricks using the reporting process before any of the following occur:\n    * You access any accounts or data other than your own (or those for which you have express written permission from their owners)\n    * You disrupt any Databricks service\n    * You access a non-customer-facing Databricks system. \n\nIf you have already accessed data other than your own, and acquired it, contact us immediately, and securely purge any data you have acquired upon reporting the vulnerability to Databricks.\n","has_open_scope":true,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"The Databricks team is thrilled to invite the security research community to test the resilience of our unified data and AI platform. As fellow hackers and builders, we deeply respect the grit and ingenuity required to find impactful vulnerabilities. We are committed to treating every researcher with professional respect while valuing your time and effort! The Databricks Platform is inherently complex, so we encourage you to roll up your sleeves and dig deep! Please don't hesitate to contact us if you have any questions getting started or along the way: bugbounty@databricks.com. 
We look forward to rewarding your good findings soon!","platform_standards_exclusions":[],"exemplary_standards_exclusions":["LEAKED_CREDENTIALS"],"scope_exclusions":["{\"category\":\"Automated Reports\",\"details\":\"Sending vulnerability reports using automated tools without validation\"}","{\"category\":\"Open Source Vulnerabilities\",\"details\":\"Vulnerabilities in open source projects are not eligible for bounty\"}","{\"category\":\"Subdomain Takeover\",\"details\":\"Subdomain takeovers that lack demonstrable impact are out of scope\"}"],"timestamp":"2025-11-25T21:10:23.980Z"},{"id":3766268,"new_policy":"As part of Databricks’ commitment to security, we reward security researchers who find and report to us critical security vulnerabilities and help us keep our business and customers safe. By participating in this program, you are agreeing to the Databricks [terms and conditions](#user-content-terms-and-conditions).\n\nCreating your Databricks Accounts\n=================\n\n* Please request credentials from the HackerOne Request Credential feature.\n* For information on using Databricks, please visit https://docs.databricks.com/.\n* Databricks Architecture Overview: https://docs.databricks.com/en/getting-started/overview.html\n* Databricks Product Walkthroughs for Researchers - F3696045\n\nGeneral Program Rules\n==============\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n* Only interact with accounts you own or with express written permission of the account holder. Our security team is here to support your research and collaborate with you.\n* Use your best judgment to avoid unintentional access to customer information. 
As part of your research, do not modify any files or user or customer data, including permissions, and do not intentionally view or access any data beyond what is needed to prove the vulnerability.\n* Contact us immediately if you inadvertently encounter user or customer data, and immediately and securely purge any data belonging to anyone other than you that you acquire upon reporting the vulnerability to Databricks.\n* Do not disclose your report or the vulnerability without prior express written permission from Databricks.\n\nReport and Reward Guidelines\n=======================\n* When reporting, submit only one vulnerability per report, unless you need to chain vulnerabilities to provide impact or demonstrate the issue. \n* If an issue requires the execution of multiple exploits, the chain and the report must include both compiled and source versions, everything needed to execute the chain, and a sample non-destructive payload, if needed. \n\nTechnical Details\n-----------------\n* Databricks is a Remote Code Execution environment; thus most instances of RCE are considered part of the product and not vulnerabilities. Please do not report remote code execution unless you believe it is either unintended or violates the security guarantees of the platform.\n* Notebooks execute as root and all cluster access is root; this is expected. There are no security boundaries within a cluster.\n* Please be aware that the Databricks product allows launching Spark clusters on Azure, and these clusters cost us money to run. Please be mindful of this and do not create excessive clusters.\n\nOpen source projects\n----------------------\n| Project | Details |\n| ---- | ---- |\n| Apache Spark | The Apache Software Foundation is the official owner and maintainer of Apache Spark. Please follow their [security guidelines](https://spark.apache.org/security.htm) for vulnerabilities involving Apache Spark. 
|\n| MLFlow | Databricks Managed MLFlow differs from its open-source cousin. Please report issues with Databricks Managed MLFlow to this program and issues with open source MLFlow via their [security page](https://github.com/mlflow/mlflow/security). |\n| Redash | Redash is an open source project owned by the community. Please refer to their [security policy](https://github.com/getredash/redash/security) to report issues with Redash. |\n\n\nOut of Scope Vulnerabilities\n=====================\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n* Subdomain takeover\n* Vulnerabilities in open source projects are not eligible for bounty. Reports of such vulnerabilities will be accepted, but will not be rewarded.\n* Running your own web server on the cluster to create exploits - we are aware of this.\n* Installing malicious software on services on clusters.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Sending vulnerability reports using automated tools without validation\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n\n# Terms and Conditions\n**Applicable Laws.** You must comply with all applicable laws, including local laws of the country or region in which you reside or in which you access or use Databricks services. \n**Bounty.** Databricks bug bounties are granted solely at Databricks’ discretion.\n**Data.** Your testing must not violate any law, or disrupt, compromise or damage data or property that is not your own. This includes attacking any devices or accounts other than your own (or those for which you have express written permission) and using social engineering (e.g., phishing, vishing, smishing) techniques. 
However, finding technical flaws that can be used for social engineering, such as spoofing or tampering, is allowed.\n**Finances.** You are responsible for any tax implications depending on your country of residency and citizenship. There may be additional restrictions on your ability to participate depending upon your local law.\n**General Eligibility \u0026 Sanctions.** We are unable to issue rewards to individuals who are employed by Databricks, Inc.; are an immediate family member of a person employed by Databricks, Inc.; or are under 18 years of age. We are also unable to issue rewards to individuals who are in any U.S. embargoed countries or on the U.S. Department’s list of Specially Designated Nationals or the U.S. Department of Commerce Denied Persons List or Entity List or any other restricted party lists.\n**Research.** Immediately stop your research and notify Databricks using the reporting process before any of the following occur:\n    * You access any accounts or data other than your own (or those for which you have express written permission from their owners)\n    * You disrupt any Databricks service\n    * You access a non-customer-facing Databricks system. \n\nIf you have already accessed data other than your own, and acquired it, contact us immediately, and securely purge any data you have acquired upon reporting the vulnerability to Databricks.\n","has_open_scope":true,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"The Databricks team is thrilled to invite the security research community to test the resilience of our unified data and AI platform. As fellow hackers and builders, we deeply respect the grit and ingenuity required to find impactful vulnerabilities. We are committed to treating every researcher with professional respect while valuing your time and effort! 
The Databricks Platform is inherently complex, so we encourage you to roll up your sleeves and dig deep! Please don't hesitate to contact us if you have any questions getting started or along the way: bugbounty@databricks.com. We look forward to rewarding your good findings soon!","platform_standards_exclusions":[],"exemplary_standards_exclusions":["LEAKED_CREDENTIALS"],"scope_exclusions":[],"timestamp":"2025-11-18T05:53:50.569Z"},{"id":3766261,"new_policy":"As part of Databricks’ commitment to security, we reward security researchers who find and report to us critical security vulnerabilities and help us keep our business and customers safe. By participating in this program, you are agreeing to the Databricks [terms and conditions](#user-content-terms-and-conditions).\n\nCreating your Databricks Accounts\n=================\n\n* Please request credentials from the HackerOne Request Credential feature.\n* For information on using Databricks, please visit https://docs.databricks.com/.\n* Databricks Architecture Overview: https://docs.databricks.com/en/getting-started/overview.html\n* Databricks Product Walkthroughs for Researchers - F3696045\n\nGeneral Program Rules\n==============\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n* Only interact with accounts you own or with express written permission of the account holder. Our security team is here to support your research and collaborate with you.\n* Use your best judgment to avoid unintentional access to customer information. 
As part of your research, do not modify any files or user or customer data, including permissions, and do not intentionally view or access any data beyond what is needed to prove the vulnerability.\n* Contact us immediately if you inadvertently encounter user or customer data, and immediately and securely purge any data belonging to anyone other than you that you acquire upon reporting the vulnerability to Databricks.\n* Do not disclose your report or the vulnerability without prior express written permission from Databricks.\n\nReport and Reward Guidelines\n=======================\n* Your report must be detailed and reproducible. Reports lacking the necessary information to enable Databricks to reproduce the issue are not eligible for reward. \n* When reporting, submit only one vulnerability per report, unless you need to chain vulnerabilities to provide impact or demonstrate the issue. \n* If an issue requires the execution of multiple exploits, the chain and the report must include both compiled and source versions, everything needed to execute the chain, and a sample non-destructive payload, if needed. \n* Review HackerOne’s disclosure guidelines ( https://www.hackerone.com/disclosure-guidelines ) prior to disclosing an issue under this program. Where there is a conflict between the disclosure guidelines and this Databricks program policy, use this program policy’s guidance.\n\n\nTechnical Details\n-----------------\n* This program does not require H1 VPN. \n* Databricks is a Remote Code Execution environment, thus most instances of RCE are considered to be part of the product, and not vulnerabilities. Please do not report remote code execution unless you believe it is either unintended, or violates the security guarantees of the platform.\n* Notebooks execute as root and all cluster access is root  - this is expected. 
There are no security boundaries within a cluster.\n* Please be aware the Databricks product allows launching of Spark clusters on Azure, and these clusters cost us money to run. Please be mindful of this and do not create excessive clusters.\n\nOpen source projects\n----------------------\n| Project | Details | \n| ---- | ---- |\n| Apache Spark | Apache Software Foundation is the Official Owner / Maintainer of Apache Spark.  Please follow their [security guidelines](https://spark.apache.org/security.htm) for vulnerabilities involving Apache Spark. | \n| MLFlow |  Databricks Managed MLFlow differs from its open-source cousin.  Please report issues with Databricks Managed MLFlow to this program and issues with open source MLFlow via their [security page](https://github.com/mlflow/mlflow/security).  \n| Redash |  Redash is an open source project owned by the community.  Please refer to their [security policy](https://github.com/getredash/redash/security) to report issues with Redash. |\n\n\nOut of Scope Vulnerabilities\n=====================\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n* Subdomain takeover\n* Vulnerabilities in open source projects are not eligible for bounty. 
Reports of such vulnerabilities will be accepted, but will not be rewarded.\n* Running your own web server on the cluster to create exploits - we are aware of this.\n* Installing malicious software on services on clusters.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Sending vulnerability reports using automated tools without validation\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n\n# Terms and Conditions\n**Applicable Laws.** You must comply with all applicable laws, including local laws of the country or region in which you reside or in which you access or use Databricks services. \n**Bounty.** Databricks bug bounties are granted solely at Databricks’ discretion.\n**Data.** Your testing must not violate any law, or disrupt, compromise or damage data or property that is not your own. This includes attacking any devices or accounts other than your own (or those for which you have express written permission) and using social engineering (e.g., phishing, vishing, smishing) techniques. However, finding technical flaws that can be used for social engineering, such as spoofing or tampering, is allowed.\n**Finances.** You are responsible for any tax implications depending on your country of residency and citizenship. There may be additional restrictions on your ability to participate depending upon your local law.\n**General Eligibility \u0026 Sanctions.** We are unable to issue rewards to individuals who are employed by Databricks, Inc.; are an immediate family member of a person employed by Databricks, Inc.; or have less than 18 years of age.  We are also unable to issue rewards to individuals who are in any U.S. embargoed countries or on the U.S. Department’s list of Specially Designated Nationals or the U.S. 
Department of Commerce Denied Persons List or Entity List or any other restricted party lists.\n**Research.** Immediately both stop your research and notify Databricks using the reporting process before any of the following occur:\n    * You access any accounts or data other than your own (or those for which you have express written permission from their owners)\n    * You disrupt any Databricks service\n    * You access a non-customer facing Databricks system. \n\nIf you have already accessed data other than your own, and acquired it, contact us immediately,  and securely purge any data you have acquired upon reporting the vulnerability to Databricks.\n","has_open_scope":true,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"The Databricks team is thrilled to invite the security research community to test the resilience of our unified data and AI platform. As fellow hackers and builders, we deeply respect the grit and ingenuity required to find impactful vulnerabilities. We are committed to treating every researcher with professional respect while valuing your time and effort! The Databricks Platform is inherently complex, so we encourage you to roll up your sleeves and dig deep! Please don't hesitate to contact us if you have any questions getting started or along the way: bugbounty@databricks.com. We look forward to rewarding your good findings soon!","platform_standards_exclusions":[],"exemplary_standards_exclusions":["LEAKED_CREDENTIALS"],"scope_exclusions":[],"timestamp":"2025-11-18T03:26:54.729Z"},{"id":3766259,"new_policy":"As part of Databricks’ commitment to security, we reward security researchers who find and report to us critical security vulnerabilities and help us keep our business and customers safe. 
By participating in this program, you are agreeing to the Databricks [terms and conditions](#user-content-terms-and-conditions).\n\nCreating your Databricks Accounts\n=================\n\n* Please request credentials from the HackerOne Request Credential feature.\n* For information on using Databricks, please visit https://docs.databricks.com/.\n* Databricks Architecture Overview: https://docs.databricks.com/en/getting-started/overview.html\n* Databricks Product Walkthroughs for Researchers - F3696045\n\nGeneral Program Rules\n==============\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n* Only interact with accounts you own or with express written permission of the account holder. Our security team is here to support your research and collaborate with you.\n* Use your best judgment to avoid unintentional access to customer information. As part of your research, do not modify any files or user or customer data, including permissions, and do not intentionally view or access any data beyond what is needed to prove the vulnerability.\n* Contact us immediately if you inadvertently encounter user or customer data, and immediately and securely purge any data belonging to anyone other than you that you acquire upon reporting the vulnerability to Databricks.\n* Do not disclose your report or the vulnerability without prior express written permission from Databricks.\n\nReport and Reward Guidelines\n=======================\n* Your report must be detailed and reproducible. Reports lacking the necessary information to enable Databricks to reproduce the issue are not eligible for reward. \n* When reporting, submit only one vulnerability per report, unless you need to chain vulnerabilities to provide impact or demonstrate the issue. 
\n* If an issue requires the execution of multiple exploits, the chain and the report must include both compiled and source versions, everything needed to execute the chain, and a sample non-destructive payload, if needed. \n* Review HackerOne’s disclosure guidelines ( https://www.hackerone.com/disclosure-guidelines ) prior to disclosing an issue under this program. Where there is a conflict between the disclosure guidelines and this Databricks program policy, use this program policy’s guidance.\n\n\nTechnical Details\n-----------------\n* This program does not require H1 VPN. \n* Databricks is a Remote Code Execution environment, thus most instances of RCE are considered to be part of the product, and not vulnerabilities. Please do not report remote code execution unless you believe it is either unintended, or violates the security guarantees of the platform.\n* Notebooks execute as root and all cluster access is root  - this is expected. There are no security boundaries within a cluster.\n* Please be aware the Databricks product allows launching of Spark clusters on Azure, and these clusters cost us money to run. Please be mindful of this and do not create excessive clusters.\n\nOpen source projects\n----------------------\n| Project | Details | \n| ---- | ---- |\n| Apache Spark | Apache Software Foundation is the Official Owner / Maintainer of Apache Spark.  Please follow their [security guidelines](https://spark.apache.org/security.htm) for vulnerabilities involving Apache Spark. | \n| MLFlow |  Databricks Managed MLFlow differs from its open-source cousin.  Please report issues with Databricks Managed MLFlow to this program and issues with open source MLFlow via their [security page](https://github.com/mlflow/mlflow/security).  \n| Redash |  Redash is an open source project owned by the community.  Please refer to their [security policy](https://github.com/getredash/redash/security) to report issues with Redash. 
|\n\n\nOut of Scope Vulnerabilities\n=====================\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n* Subdomain takeover\n* Vulnerabilities in open source projects are not eligible for bounty. Reports of such vulnerabilities will be accepted, but will not be rewarded.\n* Running your own web server on the cluster to create exploits - we are aware of this.\n* Installing malicious software on services on clusters.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Sending vulnerability reports using automated tools without validation\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n\n# Terms and Conditions\n**Applicable Laws.** You must comply with all applicable laws, including local laws of the country or region in which you reside or in which you access or use Databricks services. \n**Bounty.** Databricks bug bounties are granted solely at Databricks’ discretion.\n**Data.** Your testing must not violate any law, or disrupt, compromise or damage data or property that is not your own. This includes attacking any devices or accounts other than your own (or those for which you have express written permission) and using social engineering (e.g., phishing, vishing, smishing) techniques. However, finding technical flaws that can be used for social engineering, such as spoofing or tampering, is allowed.  \n**Finances.** You are responsible for any tax implications depending on your country of residency and citizenship. 
There may be additional restrictions on your ability to participate depending upon your local law.\n**General Eligibility \u0026 Sanctions.** We are unable to issue rewards to individuals who are employed by Databricks, Inc.; are an immediate family member of a person employed by Databricks, Inc.; or have less than 18 years of age.  We are also unable to issue rewards to individuals who are in any U.S. embargoed countries or on the U.S. Department’s list of Specially Designated Nationals or the U.S. Department of Commerce Denied Persons List or Entity List or any other restricted party lists.\n**Research.** Immediately both stop your research and notify Databricks using the reporting process before any of the following occur:\n    * You access any accounts or data other than your own (or those for which you have express written permission from their owners)\n    * You disrupt any Databricks service\n    * You access a non-customer facing Databricks system. \n\nIf you have already accessed data other than your own, and acquired it, contact us immediately,  and securely purge any data you have acquired upon reporting the vulnerability to Databricks.\n","has_open_scope":true,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"The Databricks team is thrilled to invite the security research community to test the resilience of our unified data and AI platform. As fellow hackers and builders, we deeply respect the grit and ingenuity required to find impactful vulnerabilities. We are committed to treating every researcher with professional respect while valuing your time and effort! The Databricks Platform is inherently complex, so we encourage you to roll up your sleeves and dig deep! Please don't hesitate to contact us if you have any questions getting started or along the way: bugbounty@databricks.com. 
We look forward to rewarding your good findings soon!","platform_standards_exclusions":[],"exemplary_standards_exclusions":["LEAKED_CREDENTIALS"],"scope_exclusions":[],"timestamp":"2025-11-17T23:15:17.733Z"},{"id":3766258,"new_policy":"As part of Databricks’ commitment to security, we reward security researchers who find and report to us critical security vulnerabilities and help us keep our business and customers safe. By participating in this program, you are agreeing to the Databricks [terms and conditions](#user-content-terms-and-conditions).\n\nCreating your Databricks Accounts\n=================\n\n* Please request credentials from the HackerOne Request Credential feature.\n* For information on using Databricks, please visit https://docs.databricks.com/.\n* Databricks Architecture Overview: https://docs.databricks.com/en/getting-started/overview.html\n* Databricks Product Walkthroughs for Researchers - F3696045\n\nGeneral Program Rules\n==============\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n* Only interact with accounts you own or with express written permission of the account holder. Our security team is here to support your research and collaborate with you.\n* Use your best judgment to avoid unintentional access to customer information. As part of your research, do not modify any files or user or customer data, including permissions, and do not intentionally view or access any data beyond what is needed to prove the vulnerability.\n* Contact us immediately if you inadvertently encounter user or customer data, and immediately and securely purge any data belonging to anyone other than you that you acquire upon reporting the vulnerability to Databricks.\n* Do not disclose your report or the vulnerability without prior express written permission from Databricks.\n\nReport and Reward Guidelines\n=======================\n* Your report must be detailed and reproducible. 
Reports lacking the necessary information to enable Databricks to reproduce the issue are not eligible for reward. \n* When reporting, submit only one vulnerability per report, unless you need to chain vulnerabilities to provide impact or demonstrate the issue. \n* If an issue requires the execution of multiple exploits, the chain and the report must include both compiled and source versions, everything needed to execute the chain, and a sample non-destructive payload, if needed. \n* Review HackerOne’s disclosure guidelines ( https://www.hackerone.com/disclosure-guidelines ) prior to disclosing an issue under this program. Where there is a conflict between the disclosure guidelines and this Databricks program policy, use this program policy’s guidance.\n\n\n\nTechnical Details\n-----------------\n* This program does not require H1 VPN. \n* Databricks is a Remote Code Execution environment, thus most instances of RCE are considered to be part of the product, and not vulnerabilities. Please do not report remote code execution unless you believe it is either unintended, or violates the security guarantees of the platform.\n* Notebooks execute as root and all cluster access is root  - this is expected. There are no security boundaries within a cluster.\n* Please be aware the Databricks product allows launching of Spark clusters on Azure, and these clusters cost us money to run. Please be mindful of this and do not create excessive clusters.\n\nOpen source projects\n----------------------\n| Project | Details | \n| ---- | ---- |\n| Apache Spark | Apache Software Foundation is the Official Owner / Maintainer of Apache Spark.  Please follow their [security guidelines](https://spark.apache.org/security.htm) for vulnerabilities involving Apache Spark. | \n| MLFlow |  Databricks Managed MLFlow differs from the its open-source cousin.  
Please report issues with Databricks Managed MLFlow to this program and issues with open source MLFlow via their [security page](https://github.com/mlflow/mlflow/security).  \n| Redash |  Redash is an open source project owned by the community.  Please refer to their [security policy](https://github.com/getredash/redash/security) to report issues with redash. |\n\n\nOut of Scope Vulnerabilities\n=====================\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n* Subdomain takeover\n* Vulnerabilities in open source projects are not eligible for bounty. Reports of such vulnerabilities will be accepted, but will not be rewarded.\n* Running your own web server on the cluster to create exploits - we are aware of this.\n* Installing malicious software on services on clusters.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Sending vulnerability reports using automated tools without validation\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n\n# Terms and Conditions\n**Applicable Laws.** You must comply with all applicable laws, including local laws of the country or region in which you reside or in which you access or use Databricks services. \n**Bounty.** Databricks bug bounties are granted solely at Databricks’ discretion.\n**Data.** Your testing must not violate any law, or disrupt, compromise or damage data or property that is not your own. This includes attacking any devices or accounts other than your own (or those for which you have express written permission) and using social engineering (e.g., phishing, vishing, smishing) techniques. However, finding technical flaws that can be used for social engineering, such as spoofing or tampering, is allowed.  
\n**Finances.** You are responsible for any tax implications depending on your country of residency and citizenship. There may be additional restrictions on your ability to participate depending upon your local law.\n**General Eligibility \u0026 Sanctions.** We are unable to issue rewards to individuals who are employed by Databricks, Inc.; are an immediate family member of a person employed by Databricks, Inc.; or have less than 18 years of age.  We are also unable to issue rewards to individuals who are in any U.S. embargoed countries or on the U.S. Department’s list of Specially Designated Nationals or the U.S. Department of Commerce Denied Persons List or Entity List or any other restricted party lists.\n**Research.** Immediately both stop your research and notify Databricks using the reporting process before any of the following occur:\n    * You access any accounts or data other than your own (or those for which you have express written permission from their owners)\n    * You disrupt any Databricks service\n    * You access a non-customer facing Databricks system. \n\nIf you have already accessed data other than your own, and acquired it, contact us immediately,  and securely purge any data you have acquired upon reporting the vulnerability to Databricks.\n","has_open_scope":true,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"The Databricks team is thrilled to invite the security research community to test the resilience of our unified data and AI platform. As fellow hackers and builders, we deeply respect the grit and ingenuity required to find impactful vulnerabilities. We are committed to treating every researcher with professional respect while valuing your time and effort! The Databricks Platform is inherently complex, so we encourage you to roll up your sleeves and dig deep! 
Please don't hesitate to contact us if you have any questions getting started or along the way: bugbounty@databricks.com. We look forward to rewarding your good findings soon!","platform_standards_exclusions":[],"exemplary_standards_exclusions":["LEAKED_CREDENTIALS"],"scope_exclusions":[],"timestamp":"2025-11-17T23:10:24.312Z"},{"id":3766257,"new_policy":"As part of Databricks’ commitment to security, we reward security researchers who find and report to us critical security vulnerabilities and help us keep our business and customers safe. By participating in this program, you are agreeing to the Databricks [terms and conditions](#user-content-terms-and-conditions).\n\nCreating your Databricks Accounts\n=================\n\n* Please request credentials from the HackerOne Request Credential feature.\n* For information on using Databricks, please visit https://docs.databricks.com/.\n* Databricks Architecture Overview: https://docs.databricks.com/en/getting-started/overview.html\n* Databricks Product Walkthroughs for Researchers - F3696045\n\nGeneral Program Rules\n==============\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n* Only interact with accounts you own or with express written permission of the account holder. Our security team is here to support your research and collaborate with you.\n* Use your best judgment to avoid unintentional access to customer information. 
As part of your research, do not modify any files or user or customer data, including permissions, and do not intentionally view or access any data beyond what is needed to prove the vulnerability.\n* Contact us immediately if you inadvertently encounter user or customer data, and immediately and securely purge any data belonging to anyone other than you that you acquire upon reporting the vulnerability to Databricks.\n* Do not disclose your report or the vulnerability without prior express written permission from Databricks.\n\nReport and Reward Guidelines\n=======================\n* Your report must be detailed and reproducible. Reports lacking the necessary information to enable Databricks to reproduce the issue are not eligible for reward. \n* When reporting, submit only one vulnerability per report, unless you need to chain vulnerabilities to provide impact or demonstrate the issue. \n* If an issue requires the execution of multiple exploits, the chain and the report must include both compiled and source versions, everything needed to execute the chain, and a sample non-destructive payload, if needed. \n* Review HackerOne’s disclosure guidelines ( https://www.hackerone.com/disclosure-guidelines ) prior to disclosing an issue under this program. Where there is a conflict between the disclosure guidelines and this Databricks program policy, use this program policy’s guidance.\n\n# Terms and Conditions\n**Applicable Laws.** You must comply with all applicable laws, including local laws of the country or region in which you reside or in which you access or use Databricks services. \n**Bounty.** Databricks bug bounties are granted solely at Databricks’ discretion.\n**Data.** Your testing must not violate any law, or disrupt, compromise or damage data or property that is not your own. 
This includes attacking any devices or accounts other than your own (or those for which you have express written permission) and using social engineering (e.g., phishing, vishing, smishing) techniques. However, finding technical flaws that can be used for social engineering, such as spoofing or tampering, is allowed.  \n**Finances.** You are responsible for any tax implications depending on your country of residency and citizenship. There may be additional restrictions on your ability to participate depending upon your local law.\n**General Eligibility \u0026 Sanctions.** We are unable to issue rewards to individuals who are employed by Databricks, Inc.; are an immediate family member of a person employed by Databricks, Inc.; or have less than 18 years of age.  We are also unable to issue rewards to individuals who are in any U.S. embargoed countries or on the U.S. Department’s list of Specially Designated Nationals or the U.S. Department of Commerce Denied Persons List or Entity List or any other restricted party lists.\n**Research.** Immediately both stop your research and notify Databricks using the reporting process before any of the following occur:\n    * You access any accounts or data other than your own (or those for which you have express written permission from their owners)\n    * You disrupt any Databricks service\n    * You access a non-customer facing Databricks system. \n\nIf you have already accessed data other than your own, and acquired it, contact us immediately,  and securely purge any data you have acquired upon reporting the vulnerability to Databricks.\n\nTechnical Details\n-----------------\n* This program does not require H1 VPN. \n* Databricks is a Remote Code Execution environment, thus most instances of RCE are considered to be part of the product, and not vulnerabilities. 
Please do not report remote code execution unless you believe it is either unintended, or violates the security guarantees of the platform.\n* Notebooks execute as root and all cluster access is root; this is expected. There are no security boundaries within a cluster.\n* Please be aware the Databricks product allows launching Spark clusters on Azure, and these clusters cost us money to run. Please be mindful of this and do not create excessive clusters.\n\nOpen source projects\n----------------------\n\n| Project | Details | \n| ---- | ---- |\n| Apache Spark | Apache Software Foundation is the Official Owner / Maintainer of Apache Spark.  Please follow their [security guidelines](https://spark.apache.org/security.htm) for vulnerabilities involving Apache Spark. | \n| MLFlow |  Databricks Managed MLFlow differs from its open-source cousin.  Please report issues with Databricks Managed MLFlow to this program and issues with open source MLFlow via their [security page](https://github.com/mlflow/mlflow/security). | \n| Redash |  Redash is an open source project owned by the community.  Please refer to their [security policy](https://github.com/getredash/redash/security) to report issues with Redash. 
|\n\n\nOut of Scope Vulnerabilities\n=====================\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n* Subdomain takeover\n* Vulnerabilities in open source projects are not eligible for bounty. Reports of such vulnerabilities will be accepted, but will not be rewarded.\n* Running your own web server on the cluster to create exploits - we are aware of this.\n* Installing malicious software on services on clusters.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Sending vulnerability reports using automated tools without validation\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n","has_open_scope":true,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"The Databricks team is thrilled to invite the security research community to test the resilience of our unified data and AI platform. As fellow hackers and builders, we deeply respect the grit and ingenuity required to find impactful vulnerabilities. We are committed to treating every researcher with professional respect while valuing your time and effort! The Databricks Platform is inherently complex, so we encourage you to roll up your sleeves and dig deep! Please don't hesitate to contact us if you have any questions getting started or along the way: bugbounty@databricks.com. 
We look forward to rewarding your good findings soon!","platform_standards_exclusions":[],"exemplary_standards_exclusions":["LEAKED_CREDENTIALS"],"scope_exclusions":[],"timestamp":"2025-11-17T23:08:25.935Z"},{"id":3766156,"new_policy":"As part of Databricks’ commitment to security, we reward security researchers who find and report to us critical security vulnerabilities and help us keep our business and customers safe. By participating in this program, you are agreeing to the Databricks [terms and conditions](#user-content-terms-and-conditions).\n\nCreating your Databricks Accounts\n=================\n\n* Please request credentials from the HackerOne Request Credential feature.\n* For information on using Databricks, please visit https://docs.databricks.com/.\n* Databricks Architecture Overview: https://docs.databricks.com/en/getting-started/overview.html\n* Databricks Product Walkthroughs for Researchers - F3696045\n* There is an extra $25 bonus on valid reports if you include the following:\n\t1. Include a custom HTTP header in all your traffic. Burp and other proxies allow the easy automatic addition of headers to all outbound requests. Report to us what header you set so we can identify it easily. For example:\n A header that includes your username: X-Bug-Bounty:HackerOne-\u003cusername\u003e\n\t2. Provide your IP address in the bug report. We will keep this data private and only use it to review logs related to your testing activity.\n\nGeneral Program Rules\n==============\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n* Only interact with accounts you own or with express written permission of the account holder. Our security team is here to support your research and collaborate with you.\n* Use your best judgment to avoid unintentional access to customer information. 
As part of your research, do not modify any files or user or customer data, including permissions, and do not intentionally view or access any data beyond what is needed to prove the vulnerability.\n* Contact us immediately if you inadvertently encounter user or customer data, and immediately and securely purge any data belonging to anyone other than you that you acquire upon reporting the vulnerability to Databricks.\n* Do not disclose your report or the vulnerability without prior express written permission from Databricks.\n\nReport and Reward Guidelines\n=======================\n* Your report must be detailed and reproducible. Reports lacking the necessary information to enable Databricks to reproduce the issue are not eligible for reward. \n* When reporting, submit only one vulnerability per report, unless you need to chain vulnerabilities to provide impact or demonstrate the issue. \n* If an issue requires the execution of multiple exploits, the chain and the report must include both compiled and source versions, everything needed to execute the chain, and a sample non-destructive payload, if needed. \n* Review HackerOne’s disclosure guidelines ( https://www.hackerone.com/disclosure-guidelines ) prior to disclosing an issue under this program. Where there is a conflict between the disclosure guidelines and this Databricks program policy, use this program policy’s guidance.\n\n# Terms and Conditions\n**Applicable Laws.** You must comply with all applicable laws, including local laws of the country or region in which you reside or in which you access or use Databricks services. \n**Bounty.** Databricks bug bounties are granted solely at Databricks’ discretion.\n**Data.** Your testing must not violate any law, or disrupt, compromise or damage data or property that is not your own. 
This includes attacking any devices or accounts other than your own (or those for which you have express written permission) and using social engineering (e.g., phishing, vishing, smishing) techniques. However, finding technical flaws that can be used for social engineering, such as spoofing or tampering, is allowed.  \n**Finances.** You are responsible for any tax implications depending on your country of residency and citizenship. There may be additional restrictions on your ability to participate depending upon your local law.\n**General Eligibility \u0026 Sanctions.** We are unable to issue rewards to individuals who are employed by Databricks, Inc.; are an immediate family member of a person employed by Databricks, Inc.; or are under 18 years of age. We are also unable to issue rewards to individuals who are in any U.S. embargoed countries or on the U.S. Department’s list of Specially Designated Nationals or the U.S. Department of Commerce Denied Persons List or Entity List or any other restricted party lists.\n**Research.** Immediately stop your research and notify Databricks using the reporting process before any of the following occur:\n    * You access any accounts or data other than your own (or those for which you have express written permission from their owners)\n    * You disrupt any Databricks service\n    * You access a non-customer facing Databricks system. \n\nIf you have already accessed data other than your own, and acquired it, contact us immediately, and securely purge any data you have acquired upon reporting the vulnerability to Databricks.\n\nTechnical Details\n-----------------\n* This program does not require H1 VPN. \n* Databricks is a Remote Code Execution environment, thus most instances of RCE are considered to be part of the product, and not vulnerabilities. 
Please do not report remote code execution unless you believe it is either unintended, or violates the security guarantees of the platform.\n* Notebooks execute as root and all cluster access is root  - this is expected. There are no security boundaries within a cluster.\n* Please be aware the Databricks product allows launching of Spark clusters on Azure, and these clusters cost us money to run. Please be mindful of this and do not create excessive clusters.\n\nOut of Scope Vulnerabilities\n=====================\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n* Subdomain takeover\n* Vulnerabilities in open source projects are not eligible for bounty. Reports of such vulnerabilities will be accepted, but will not be rewarded.\n* Running your own web server on the cluster to create exploits - we are aware of this.\n* Installing malicious software on services on clusters.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Sending vulnerability reports using automated tools without validation\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n","has_open_scope":true,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"The Databricks team is thrilled to invite the security research community to test the resilience of our unified data and AI platform. As fellow hackers and builders, we deeply respect the grit and ingenuity required to find impactful vulnerabilities. We are committed to treating every researcher with professional respect while valuing your time and effort! The Databricks Platform is inherently complex, so we encourage you to roll up your sleeves and dig deep! 
Please don't hesitate to contact us if you have any questions getting started or along the way: bugbounty@databricks.com. We look forward to rewarding your good findings soon!","platform_standards_exclusions":[],"exemplary_standards_exclusions":["LEAKED_CREDENTIALS"],"scope_exclusions":[],"timestamp":"2025-11-14T17:54:05.918Z"},{"id":3766155,"new_policy":"As part of Databricks’ commitment to security, we reward security researchers who find and report to us critical security vulnerabilities and help us keep our business and customers safe. By participating in this program, you are agreeing to the Databricks [terms and conditions](#user-content-terms-and-conditions).\n\nIf you have any questions about the program, please reach out to bugbounty@databricks.com. \nCreating your Databricks Accounts\n=================\n\n* Please request credentials from the HackerOne Request Credential feature.\n* For information on using Databricks, please visit https://docs.databricks.com/.\n* Databricks Architecture Overview: https://docs.databricks.com/en/getting-started/overview.html\n* Databricks Product Walkthroughs for Researchers - F3696045\n* There is an extra $25 bonus on valid reports if you include the following:\n\t1. Include a custom HTTP header in all your traffic. Burp and other proxies allow the easy automatic addition of headers to all outbound requests. Report to us what header you set so we can identify it easily. For example:\n A header that includes your username: X-Bug-Bounty:HackerOne-\u003cusername\u003e\n\t2. Provide your IP address in the bug report. We will keep this data private and only use it to review logs related to your testing activity.\n\nGeneral Program Rules\n==============\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n* Only interact with accounts you own or with express written permission of the account holder. 
Our security team is here to support your research and collaborate with you.\n* Use your best judgment to avoid unintentional access to customer information. As part of your research, do not modify any files or user or customer data, including permissions, and do not intentionally view or access any data beyond what is needed to prove the vulnerability.\n* Contact us immediately if you inadvertently encounter user or customer data, and immediately and securely purge any data belonging to anyone other than you that you acquire upon reporting the vulnerability to Databricks.\n* Do not disclose your report or the vulnerability without prior express written permission from Databricks.\n\nReport and Reward Guidelines\n=======================\n* Your report must be detailed and reproducible. Reports lacking the necessary information to enable Databricks to reproduce the issue are not eligible for reward. \n* When reporting, submit only one vulnerability per report, unless you need to chain vulnerabilities to provide impact or demonstrate the issue. \n* If an issue requires the execution of multiple exploits, the chain and the report must include both compiled and source versions, everything needed to execute the chain, and a sample non-destructive payload, if needed. \n* Review HackerOne’s disclosure guidelines ( https://www.hackerone.com/disclosure-guidelines ) prior to disclosing an issue under this program. Where there is a conflict between the disclosure guidelines and this Databricks program policy, use this program policy’s guidance.\n\n# Terms and Conditions\n**Applicable Laws.** You must comply with all applicable laws, including local laws of the country or region in which you reside or in which you access or use Databricks services. \n**Bounty.** Databricks bug bounties are granted solely at Databricks’ discretion.\n**Data.** Your testing must not violate any law, or disrupt, compromise or damage data or property that is not your own. 
This includes attacking any devices or accounts other than your own (or those for which you have express written permission) and using social engineering (e.g., phishing, vishing, smishing) techniques. However, finding technical flaws that can be used for social engineering, such as spoofing or tampering, is allowed.  \n**Finances.** You are responsible for any tax implications depending on your country of residency and citizenship. There may be additional restrictions on your ability to participate depending upon your local law.\n**General Eligibility \u0026 Sanctions.** We are unable to issue rewards to individuals who are employed by Databricks, Inc.; are an immediate family member of a person employed by Databricks, Inc.; or are under 18 years of age. We are also unable to issue rewards to individuals who are in any U.S. embargoed countries or on the U.S. Department’s list of Specially Designated Nationals or the U.S. Department of Commerce Denied Persons List or Entity List or any other restricted party lists.\n**Research.** Immediately stop your research and notify Databricks using the reporting process before any of the following occur:\n    * You access any accounts or data other than your own (or those for which you have express written permission from their owners)\n    * You disrupt any Databricks service\n    * You access a non-customer facing Databricks system. \n\nIf you have already accessed data other than your own, and acquired it, contact us immediately, and securely purge any data you have acquired upon reporting the vulnerability to Databricks.\n\nTechnical Details\n-----------------\n* This program does not require H1 VPN. \n* Databricks is a Remote Code Execution environment, thus most instances of RCE are considered to be part of the product, and not vulnerabilities. 
Please do not report remote code execution unless you believe it is either unintended, or violates the security guarantees of the platform.\n* Notebooks execute as root and all cluster access is root  - this is expected. There are no security boundaries within a cluster.\n* Please be aware the Databricks product allows launching of Spark clusters on Azure, and these clusters cost us money to run. Please be mindful of this and do not create excessive clusters.\n\nOut of Scope Vulnerabilities\n=====================\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n* Subdomain takeover\n* Vulnerabilities in open source projects are not eligible for bounty. Reports of such vulnerabilities will be accepted, but will not be rewarded.\n* Running your own web server on the cluster to create exploits - we are aware of this.\n* Installing malicious software on services on clusters.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Sending vulnerability reports using automated tools without validation\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n","has_open_scope":true,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"The Databricks team is thrilled to invite the security research community to test the resilience of our unified data and AI platform. As fellow hackers and builders, we deeply respect the grit and ingenuity required to find impactful vulnerabilities. We are committed to treating every researcher with professional respect while valuing your time and effort! The Databricks Platform is inherently complex, so we encourage you to roll up your sleeves and dig deep! 
Please don't hesitate to contact us if you have any questions getting started or along the way: bugbounty@databricks.com. We look forward to rewarding your good findings soon!","platform_standards_exclusions":[],"exemplary_standards_exclusions":["LEAKED_CREDENTIALS"],"scope_exclusions":[],"timestamp":"2025-11-14T17:31:28.453Z"},{"id":3766154,"new_policy":"As part of Databricks’ commitment to security, we reward security researchers who find and report to us critical security vulnerabilities and help us keep our business and customers safe. By participating in this program, you are agreeing to the Databricks [terms and conditions](#user-content-terms-and-conditions).\n\nIf you have any questions about the program, please reach out to bugbounty@databricks.com. \nCreating your Databricks Accounts\n=================\n\n* Please request credentials from the HackerOne Request Credential feature.\n* For information on using Databricks, please visit https://docs.databricks.com/.\n* Databricks Architecture Overview: https://docs.databricks.com/en/getting-started/overview.html\n* Databricks Product Walkthroughs for Researchers - F3696045\n* There is an extra $25 bonus on valid reports if you include the following:\n\t1. Include a custom HTTP header in all your traffic. Burp and other proxies allow the easy automatic addition of headers to all outbound requests. Report to us what header you set so we can identify it easily. For example:\n A header that includes your username: X-Bug-Bounty:HackerOne-\u003cusername\u003e\n\t2. Provide your IP address in the bug report. We will keep this data private and only use it to review logs related to your testing activity.\n\nGeneral Program Rules\n==============\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n* Only interact with accounts you own or with express written permission of the account holder. 
Our security team is here to support your research and collaborate with you.\n* Use your best judgment to avoid unintentional access to customer information. As part of your research, do not modify any files or user or customer data, including permissions, and do not intentionally view or access any data beyond what is needed to prove the vulnerability.\n* Contact us immediately if you inadvertently encounter user or customer data, and immediately and securely purge any data belonging to anyone other than you that you acquire upon reporting the vulnerability to Databricks.\n* Do not disclose your report or the vulnerability without prior express written permission from Databricks.\n\nReport and Reward Guidelines\n=======================\n* Your report must be detailed and reproducible. Reports lacking the necessary information to enable Databricks to reproduce the issue are not eligible for reward. \n* When reporting, submit only one vulnerability per report, unless you need to chain vulnerabilities to provide impact or demonstrate the issue. \n* If an issue requires the execution of multiple exploits, the chain and the report must include both compiled and source versions, everything needed to execute the chain, and a sample non-destructive payload, if needed. \n* Review HackerOne’s disclosure guidelines ( https://www.hackerone.com/disclosure-guidelines ) prior to disclosing an issue under this program. Where there is a conflict between the disclosure guidelines and this Databricks program policy, use this program policy’s guidance.\n\n# Terms and Conditions\n**Applicable Laws.** You must comply with all applicable laws, including local laws of the country or region in which you reside or in which you access or use Databricks services. \n**Bounty.** Databricks bug bounties are granted solely at Databricks’ discretion.\n**Data.** Your testing must not violate any law, or disrupt, compromise or damage data or property that is not your own. 
This includes attacking any devices or accounts other than your own (or those for which you have express written permission) and using social engineering (e.g., phishing, vishing, smishing) techniques. However, finding technical flaws that can be used for social engineering, such as spoofing or tampering, is allowed.  \n**Finances.** You are responsible for any tax implications depending on your country of residency and citizenship. There may be additional restrictions on your ability to participate depending upon your local law.\n**General Eligibility \u0026 Sanctions.** We are unable to issue rewards to individuals who are employed by Databricks, Inc.; are an immediate family member of a person employed by Databricks, Inc.; or are under 18 years of age. We are also unable to issue rewards to individuals who are in any U.S. embargoed countries or on the U.S. Department’s list of Specially Designated Nationals or the U.S. Department of Commerce Denied Persons List or Entity List or any other restricted party lists.\n**Research.** Immediately stop your research and notify Databricks using the reporting process before any of the following occur:\n    * You access any accounts or data other than your own (or those for which you have express written permission from their owners)\n    * You disrupt any Databricks service\n    * You access a non-customer facing Databricks system. \n\nIf you have already accessed data other than your own, and acquired it, contact us immediately, and securely purge any data you have acquired upon reporting the vulnerability to Databricks.\n\nTechnical Details\n-----------------\n* This program does not require H1 VPN. \n* Databricks is a Remote Code Execution environment, thus most instances of RCE are considered to be part of the product, and not vulnerabilities. 
Please do not report remote code execution unless you believe it is either unintended, or violates the security guarantees of the platform.\n* Notebooks execute as root and all cluster access is root  - this is expected. There are no security boundaries within a cluster.\n* Please be aware the Databricks product allows launching of Spark clusters on Azure, and these clusters cost us money to run. Please be mindful of this and do not create excessive clusters.\n\nOut of Scope Vulnerabilities\n=====================\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n* Subdomain takeover\n* Vulnerabilities in open source projects are not eligible for bounty. Reports of such vulnerabilities will be accepted, but will not be rewarded.\n* Running your own web server on the cluster to create exploits - we are aware of this.\n* Installing malicious software on services on clusters.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Sending vulnerability reports using automated tools without validation\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n","has_open_scope":true,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"The Databricks team is thrilled to invite the security research community to test the resilience of our unified data and AI platform. As fellow hackers and builders, we deeply respect the grit and ingenuity required to find impactful vulnerabilities. We are committed to treating every researcher with professional respect while valuing your time and effort! The Databricks Platform is inherently complex, so we encourage you to roll up your sleeves and dig deep! 
Please don't hesitate to contact us if you have any questions getting started or along the way: bugbounty@databricks.com. We look forward to rewarding your good findings soon!","platform_standards_exclusions":[],"exemplary_standards_exclusions":["LEAKED_CREDENTIALS"],"scope_exclusions":[],"timestamp":"2025-11-14T17:29:47.589Z"},{"id":3766106,"new_policy":"As part of Databricks’ commitment to security, we reward security researchers who find and report to us critical security vulnerabilities and help us keep our business and customers safe. By participating in this program, you are agreeing to the Databricks [terms and conditions](#user-content-terms-and-conditions).\n\nIf you have any questions about the program, please reach out to bugbounty@databricks.com. \nCreating your Databricks Accounts\n=================\n\n* Please request credentials from the HackerOne Request Credential feature.\n* For information on using Databricks, please visit https://docs.databricks.com/.\n* Databricks Architecture Overview: https://docs.databricks.com/en/getting-started/overview.html\n* Databricks Product Walkthroughs for Researchers - F3696045\n* There is an extra $25 bonus on valid reports if you include the following:\n\t1. Include a custom HTTP header in all your traffic. Burp and other proxies allow the easy automatic addition of headers to all outbound requests. Report to us what header you set so we can identify it easily. For example:\n A header that includes your username: X-Bug-Bounty:HackerOne-\u003cusername\u003e\n\t2. Provide your IP address in the bug report. We will keep this data private and only use it to review logs related to your testing activity.\n\nGeneral Program Rules\n==============\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n* Only interact with accounts you own or with express written permission of the account holder. 
Our security team is here to support your research and collaborate with you.\n* Use your best judgment to avoid unintentional access to customer information. As part of your research, do not modify any files or user or customer data, including permissions, and do not intentionally view or access any data beyond what is needed to prove the vulnerability.\n* Contact us immediately if you inadvertently encounter user or customer data, and immediately and securely purge any data belonging to anyone other than you that you acquire upon reporting the vulnerability to Databricks.\n* Do not disclose your report or the vulnerability without prior express written permission from Databricks.\n\nReport and Reward Guidelines\n=======================\n* Your report must be detailed and reproducible. Reports lacking the necessary information to enable Databricks to reproduce the issue are not eligible for reward. \n* When reporting, submit only one vulnerability per report, unless you need to chain vulnerabilities to provide impact or demonstrate the issue. \n* If an issue requires the execution of multiple exploits, the chain and the report must include both compiled and source versions, everything needed to execute the chain, and a sample non-destructive payload, if needed. \n* Review HackerOne’s disclosure guidelines ( https://www.hackerone.com/disclosure-guidelines ) prior to disclosing an issue under this program. Where there is a conflict between the disclosure guidelines and this Databricks program policy, use this program policy’s guidance.\n\n# Terms and Conditions\n**Applicable Laws.** You must comply with all applicable laws, including local laws of the country or region in which you reside or in which you access or use Databricks services. \n**Bounty.** Databricks bug bounties are granted solely at Databricks’ discretion.\n**Data.** Your testing must not violate any law, or disrupt, compromise or damage data or property that is not your own. 
This includes attacking any devices or accounts other than your own (or those for which you have express written permission) and using social engineering (e.g., phishing, vishing, smishing) techniques. However, finding technical flaws that can be used for social engineering, such as spoofing or tampering, is allowed.  \n**Finances.** You are responsible for any tax implications depending on your country of residency and citizenship. There may be additional restrictions on your ability to participate depending upon your local law.\n**General Eligibility \u0026 Sanctions.** We are unable to issue rewards to individuals who are employed by Databricks, Inc.; are an immediate family member of a person employed by Databricks, Inc.; or are under 18 years of age. We are also unable to issue rewards to individuals who are in any U.S. embargoed countries or on the U.S. Department’s list of Specially Designated Nationals or the U.S. Department of Commerce Denied Persons List or Entity List or any other restricted party lists.\n**Research.** Immediately stop your research and notify Databricks using the reporting process before any of the following occur:\n    * You access any accounts or data other than your own (or those for which you have express written permission from their owners)\n    * You disrupt any Databricks service\n    * You access a non-customer facing Databricks system. \n\nIf you have already accessed data other than your own, and acquired it, contact us immediately, and securely purge any data you have acquired upon reporting the vulnerability to Databricks.\n\nTechnical Details\n-----------------\n* This program does not require H1 VPN. \n* Databricks is a Remote Code Execution environment, thus most instances of RCE are considered to be part of the product, and not vulnerabilities. 
Please do not report remote code execution unless you believe it is either unintended, or violates the security guarantees of the platform.\n* Notebooks execute as root and all cluster access is root  - this is expected. There are no security boundaries within a cluster.\n* Please be aware the Databricks product allows launching of Spark clusters on Azure, and these clusters cost us money to run. Please be mindful of this and do not create excessive clusters.\n\nOut of Scope Vulnerabilities\n=====================\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n* Subdomain takeover\n* Vulnerabilities in open source projects are not eligible for bounty. Reports of such vulnerabilities will be accepted, but will not be rewarded.\n* Running your own web server on the cluster to create exploits - we are aware of this.\n* Installing malicious software on services on clusters.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Sending vulnerability reports using automated tools without validation\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n","has_open_scope":true,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":["LEAKED_CREDENTIALS"],"scope_exclusions":[],"timestamp":"2025-11-14T04:44:17.733Z"},{"id":3766081,"new_policy":"As part of Databricks’ commitment to security, we reward security researchers who find and report to us critical security vulnerabilities and help us keep our business and customers safe. 
By participating in this program, you are agreeing to the Databricks [terms and conditions](#user-content-terms-and-conditions).\n\nIf you have any questions about the program, please reach out to bugbounty@databricks.com. \nCreating your Databricks Accounts\n=================\n\n* Please request credentials from the HackerOne Request Credential feature.\n* For information on using Databricks, please visit https://docs.databricks.com/.\n* Databricks Architecture Overview: https://docs.databricks.com/en/getting-started/overview.html\n* Databricks Product Walkthroughs for Researchers - F3696045\n* There is an extra bonus of $25 on valid reports if you include the below:\n\t1. Include a custom HTTP header in all your traffic. Burp and other proxies allow the easy automatic addition of headers to all outbound requests. Report to us what header you set so we can identify it easily. For example:\n A header that includes your username: X-Bug-Bounty:HackerOne-\u003cusername\u003e\n\t2. Provide your IP address in the bug report. We will keep this data private and only use it to review logs related to your testing activity.\n\nGeneral Program Rules\n==============\n* To be eligible for a reward under this program, you must:\nBe the first researcher to report the issue to the Databricks Security team.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n* Only interact with accounts you own or with express written permission of the account holder. Our security team is here to support your research and collaborate with you.\n* Use your best judgment to avoid unintentional access to customer information. 
As part of your research, do not modify any files or user or customer data, including permissions, and do not intentionally view or access any data beyond what is needed to prove the vulnerability.\n* Contact us immediately if you inadvertently encounter user or customer data, and immediately and securely purge any data belonging to anyone other than you that you acquire upon reporting the vulnerability to Databricks.\n* Do not disclose your report or the vulnerability without prior express written permission from Databricks.\n* Conduct your research on in-scope assets (see Resources \u0026 Getting Started).\n\nReport and Reward Guidelines\n=======================\n* Your report must be detailed and reproducible. Reports lacking the necessary information to enable Databricks to reproduce the issue are not eligible for reward. \n* When reporting, submit only one vulnerability per report, unless you need to chain vulnerabilities to provide impact or demonstrate the issue. \n* If an issue requires the execution of multiple exploits, the chain and the report must include both compiled and source versions, everything needed to execute the chain, and a sample non-destructive payload, if needed. \n* Review HackerOne’s disclosure guidelines ( https://www.hackerone.com/disclosure-guidelines ) prior to disclosing an issue under this program. Where there is a conflict between the disclosure guidelines and this Databricks program policy, use this program policy’s guidance.\n\n# Terms and Conditions\n**Applicable Laws.** You must comply with all applicable laws, including local laws of the country or region in which you reside or in which you access or use Databricks services. \n**Bounty.** Databricks bug bounties are granted solely at Databricks’ discretion.\n**Data.** Your testing must not violate any law, or disrupt, compromise or damage data or property that is not your own. 
This includes attacking any devices or accounts other than your own (or those for which you have express written permission) and using social engineering (e.g., phishing, vishing, smishing) techniques. However, finding technical flaws that can be used for social engineering, such as spoofing or tampering, is allowed.  \n**Finances.** You are responsible for any tax implications depending on your country of residency and citizenship. There may be additional restrictions on your ability to participate depending upon your local law.\n**General Eligibility \u0026 Sanctions.** We are unable to issue rewards to individuals who are employed by Databricks, Inc.; are an immediate family member of a person employed by Databricks, Inc.; or are less than 18 years of age. We are also unable to issue rewards to individuals who are in any U.S. embargoed countries or on the U.S. Department’s list of Specially Designated Nationals or the U.S. Department of Commerce Denied Persons List or Entity List or any other restricted party lists.\n**Research.** Immediately stop your research and notify Databricks using the reporting process before any of the following occur:\n    * You access any accounts or data other than your own (or those for which you have express written permission from their owners)\n    * You disrupt any Databricks service\n    * You access a non-customer facing Databricks system. \n\nIf you have already accessed data other than your own, and acquired it, contact us immediately, and securely purge any data you have acquired upon reporting the vulnerability to Databricks.\n\nTechnical Details\n-----------------\n* This program does not require H1 VPN. \n* Databricks is a Remote Code Execution environment, thus most instances of RCE are considered to be part of the product, and not vulnerabilities. 
Please do not report remote code execution unless you believe it is either unintended, or violates the security guarantees of the platform.\n* Notebooks execute as root and all cluster access is root  - this is expected. There are no security boundaries within a cluster.\n* Please be aware the Databricks product allows launching of Spark clusters on Azure, and these clusters cost us money to run. Please be mindful of this and do not create excessive clusters.\n\nOut of Scope Vulnerabilities\n=====================\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n* Subdomain takeover\n* Vulnerabilities in open source projects are not eligible for bounty. Reports of such vulnerabilities will be accepted, but will not be rewarded.\n* Running your own web server on the cluster to create exploits - we are aware of this.\n* Installing malicious software on services on clusters.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Sending vulnerability reports using automated tools without validation\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n","has_open_scope":true,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":["LEAKED_CREDENTIALS"],"scope_exclusions":[],"timestamp":"2025-11-13T17:23:10.967Z"},{"id":3766072,"new_policy":"As part of Databricks’ commitment to security, we reward security researchers who find and report to us critical security vulnerabilities and help us keep our business and customers safe. 
By participating in this program, you are agreeing to the Databricks [terms and conditions](#user-content-terms-and-conditions).\n\nIf you have any questions about the program, please reach out to bugbounty@databricks.com. \nCreating your Databricks Accounts\n=================\n\n* Please request credentials from the HackerOne Request Credential feature.\n* For information on using Databricks, please visit https://docs.databricks.com/.\n* Databricks Architecture Overview: https://docs.databricks.com/en/getting-started/overview.html\n* Databricks Product Walkthroughs for Researchers - F3696045\n* There is an extra bonus of $25 on valid reports if you include the below:\n\t1. Include a custom HTTP header in all your traffic. Burp and other proxies allow the easy automatic addition of headers to all outbound requests. Report to us what header you set so we can identify it easily. For example:\n A header that includes your username: X-Bug-Bounty:HackerOne-\u003cusername\u003e\n\t2. Provide your IP address in the bug report. We will keep this data private and only use it to review logs related to your testing activity.\n\nGeneral Program Rules\n==============\n* To be eligible for a reward under this program, you must:\nBe the first researcher to report the issue to the Databricks Security team.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n* Only interact with accounts you own or with express written permission of the account holder. Our security team is here to support your research and collaborate with you.\n* Use your best judgment to avoid unintentional access to customer information. 
As part of your research, do not modify any files or user or customer data, including permissions, and do not intentionally view or access any data beyond what is needed to prove the vulnerability.\n* Contact us immediately if you inadvertently encounter user or customer data, and immediately and securely purge any data belonging to anyone other than you that you acquire upon reporting the vulnerability to Databricks.\n* Do not disclose your report or the vulnerability without prior express written permission from Databricks.\n* Conduct your research on in-scope assets (see Resources \u0026 Getting Started).\n\nReport and Reward Guidelines\n=======================\n* Your report must be detailed and reproducible. Reports lacking the necessary information to enable Databricks to reproduce the issue are not eligible for reward. \n* When reporting, submit only one vulnerability per report, unless you need to chain vulnerabilities to provide impact or demonstrate the issue. \n* If an issue requires the execution of multiple exploits, the chain and the report must include both compiled and source versions, everything needed to execute the chain, and a sample non-destructive payload, if needed. \n* Review HackerOne’s disclosure guidelines ( https://www.hackerone.com/disclosure-guidelines ) prior to disclosing an issue under this program. Where there is a conflict between the disclosure guidelines and this Databricks program policy, use this program policy’s guidance.\n\n# Terms and Conditions\n**Applicable Laws.** You must comply with all applicable laws, including local laws of the country or region in which you reside or in which you access or use Databricks services. \n**Bounty.** Databricks bug bounties are granted solely at Databricks’ discretion.\n**Data.** Your testing must not violate any law, or disrupt, compromise or damage data or property that is not your own. 
This includes attacking any devices or accounts other than your own (or those for which you have express written permission) and using social engineering (e.g., phishing, vishing, smishing) techniques. However, finding technical flaws that can be used for social engineering, such as spoofing or tampering, is allowed.  \n**Finances.** You are responsible for any tax implications depending on your country of residency and citizenship. There may be additional restrictions on your ability to participate depending upon your local law.\n**General Eligibility \u0026 Sanctions.** We are unable to issue rewards to individuals who are employed by Databricks, Inc.; are an immediate family member of a person employed by Databricks, Inc.; or are less than 18 years of age. We are also unable to issue rewards to individuals who are in any U.S. embargoed countries or on the U.S. Department’s list of Specially Designated Nationals or the U.S. Department of Commerce Denied Persons List or Entity List or any other restricted party lists.\n**Research.** Immediately stop your research and notify Databricks using the reporting process before any of the following occur:\n    * You access any accounts or data other than your own (or those for which you have express written permission from their owners)\n    * You disrupt any Databricks service\n    * You access a non-customer facing Databricks system. \n\nIf you have already accessed data other than your own, and acquired it, contact us immediately, and securely purge any data you have acquired upon reporting the vulnerability to Databricks.\n\nTechnical Details\n-----------------\n* This program does not require H1 VPN. \n* Databricks is a Remote Code Execution environment, thus most instances of RCE are considered to be part of the product, and not vulnerabilities. 
Please do not report remote code execution unless you believe it is either unintended, or violates the security guarantees of the platform.\n* Notebooks execute as root and all cluster access is root  - this is expected. There are no security boundaries within a cluster.\n* Please be aware the Databricks product allows launching of Spark clusters on Azure, and these clusters cost us money to run. Please be mindful of this and do not create excessive clusters.\n\nOut of Scope Vulnerabilities\n=====================\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n* Subdomain takeover\n* **Vulnerabilities found on subdomains of \\*.cloud.databricks.com which are not explicitly listed in scope**\n* Vulnerabilities in open source projects are not eligible for bounty. Reports of such vulnerabilities will be accepted, but will not be rewarded.\n* Running your own web server on the cluster to create exploits - we are aware of this.\n* Installing malicious software on services on clusters.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Sending vulnerability reports using automated tools without validation\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n","has_open_scope":true,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":["LEAKED_CREDENTIALS"],"scope_exclusions":[],"timestamp":"2025-11-13T17:11:44.909Z"},{"id":3765979,"new_policy":"As part of Databricks’ commitment to security, we reward security researchers who find and report to us critical security vulnerabilities and help us keep our business and customers safe. 
By participating in this program, you are agreeing to the Databricks [terms and conditions](#user-content-terms-and-conditions).\n\nIf you have any questions about the program, please reach out to bugbounty@databricks.com. \nCreating your Databricks Accounts\n=================\n\n* Please request credentials from the HackerOne Request Credential feature.\n* For information on using Databricks, please visit https://docs.databricks.com/.\n* Databricks Architecture Overview: https://docs.databricks.com/en/getting-started/overview.html\n* Databricks Product Walkthroughs for Researchers - F3696045\n* There is an extra bonus of $25 on valid reports if you include the below:\n\t1. Include a custom HTTP header in all your traffic. Burp and other proxies allow the easy automatic addition of headers to all outbound requests. Report to us what header you set so we can identify it easily. For example:\n A header that includes your username: X-Bug-Bounty:HackerOne-\u003cusername\u003e\n\t2. Provide your IP address in the bug report. We will keep this data private and only use it to review logs related to your testing activity.\n\nGeneral Program Rules\n==============\n* To be eligible for a reward under this program, you must:\nBe the first researcher to report the issue to the Databricks Security team.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n* Only interact with accounts you own or with express written permission of the account holder. Our security team is here to support your research and collaborate with you.\n* Use your best judgment to avoid unintentional access to customer information. 
As part of your research, do not modify any files or user or customer data, including permissions, and do not intentionally view or access any data beyond what is needed to prove the vulnerability.\n* Contact us immediately if you inadvertently encounter user or customer data, and immediately and securely purge any data belonging to anyone other than you that you acquire upon reporting the vulnerability to Databricks.\n* Do not disclose your report or the vulnerability without prior express written permission from Databricks.\n* Conduct your research on in-scope assets (see Resources \u0026 Getting Started).\n\nReport and Reward Guidelines\n=======================\n* Your report must be detailed and reproducible. Reports lacking the necessary information to enable Databricks to reproduce the issue are not eligible for reward. \n* When reporting, submit only one vulnerability per report, unless you need to chain vulnerabilities to provide impact or demonstrate the issue. \n* If an issue requires the execution of multiple exploits, the chain and the report must include both compiled and source versions, everything needed to execute the chain, and a sample non-destructive payload, if needed. \n* Review HackerOne’s disclosure guidelines ( https://www.hackerone.com/disclosure-guidelines ) prior to disclosing an issue under this program. Where there is a conflict between the disclosure guidelines and this Databricks program policy, use this program policy’s guidance.\n\n# Terms and Conditions\n**Applicable Laws.** You must comply with all applicable laws, including local laws of the country or region in which you reside or in which you access or use Databricks services. \n**Bounty.** Databricks bug bounties are granted solely at Databricks’ discretion.\n**Data.** Your testing must not violate any law, or disrupt, compromise or damage data or property that is not your own. 
This includes attacking any devices or accounts other than your own (or those for which you have express written permission) and using social engineering (e.g., phishing, vishing, smishing) techniques. However, finding technical flaws that can be used for social engineering, such as spoofing or tampering, is allowed.  \n**Finances.** You are responsible for any tax implications depending on your country of residency and citizenship. There may be additional restrictions on your ability to participate depending upon your local law.\n**General Eligibility \u0026 Sanctions.** We are unable to issue rewards to individuals who are employed by Databricks, Inc.; are an immediate family member of a person employed by Databricks, Inc.; or are less than 18 years of age. We are also unable to issue rewards to individuals who are in any U.S. embargoed countries or on the U.S. Department’s list of Specially Designated Nationals or the U.S. Department of Commerce Denied Persons List or Entity List or any other restricted party lists.\n**Research.** Immediately stop your research and notify Databricks using the reporting process before any of the following occur:\n    * You access any accounts or data other than your own (or those for which you have express written permission from their owners)\n    * You disrupt any Databricks service\n    * You access a non-customer facing Databricks system. \n\nIf you have already accessed data other than your own, and acquired it, contact us immediately, and securely purge any data you have acquired upon reporting the vulnerability to Databricks.\n\nTechnical Details\n-----------------\n* This program does not require H1 VPN. \n* Databricks is a Remote Code Execution environment, thus most instances of RCE are considered to be part of the product, and not vulnerabilities. 
Please do not report remote code execution unless you believe it is either unintended, or violates the security guarantees of the platform.\n* Notebooks execute as root and all cluster access is root  - this is expected. There are no security boundaries within a cluster.\n* Please be aware the Databricks product allows launching of Spark clusters on Azure, and these clusters cost us money to run. Please be mindful of this and do not create excessive clusters.\n\nOut of Scope Vulnerabilities\n=====================\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n* Subdomain takeover\n* **Vulnerabilities found on subdomains of \\*.cloud.databricks.com which are not explicitly listed in scope**\n* Vulnerabilities in open source projects are not eligible for bounty. Reports of such vulnerabilities will be accepted, but will not be rewarded.\n* Running your own web server on the cluster to create exploits - we are aware of this.\n* Installing malicious software on services on clusters.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Sending vulnerability reports using automated tools without validation\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n","has_open_scope":true,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":["LEAKED_CREDENTIALS"],"scope_exclusions":[],"timestamp":"2025-11-11T20:13:46.817Z"},{"id":3765902,"new_policy":"As part of Databricks’ commitment to security, we reward security researchers who find and report to us critical security vulnerabilities and help us keep our business and customers safe. 
By participating in this program, you are agreeing to the Databricks [terms and conditions](#user-content-terms-and-conditions).\n\nIf you have any questions about the program, please reach out to bugbounty@databricks.com. \nCreating your Databricks Accounts\n=================\n\n* Please request credentials from the HackerOne Request Credential feature.\n* For information on using Databricks, please visit https://docs.databricks.com/.\n* Databricks Architecture Overview: https://docs.databricks.com/en/getting-started/overview.html\n* Databricks Product Walkthroughs for Researchers - F3696045\n* There is an extra bonus of $25 on valid reports if you include the below:\n\t1. Include a custom HTTP header in all your traffic. Burp and other proxies allow the easy automatic addition of headers to all outbound requests. Report to us what header you set so we can identify it easily. For example:\n A header that includes your username: X-Bug-Bounty:HackerOne-\u003cusername\u003e\n\t2. Provide your IP address in the bug report. We will keep this data private and only use it to review logs related to your testing activity.\n\nGeneral Program Rules\n==============\n* To be eligible for a reward under this program, you must:\nBe the first researcher to report the issue to the Databricks Security team.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n* Only interact with accounts you own or with express written permission of the account holder. Our security team is here to support your research and collaborate with you.\n* Use your best judgment to avoid unintentional access to customer information. 
As part of your research, do not modify any files or user or customer data, including permissions, and do not intentionally view or access any data beyond what is needed to prove the vulnerability.\n* Contact us immediately if you inadvertently encounter user or customer data, and immediately and securely purge any data belonging to anyone other than you that you acquire upon reporting the vulnerability to Databricks.\n* Do not disclose your report or the vulnerability without prior express written permission from Databricks.\n* Conduct your research on in-scope assets (see Resources \u0026 Getting Started).\n\nReport and Reward Guidelines\n=======================\n* Your report must be detailed and reproducible. Reports lacking the necessary information to enable Databricks to reproduce the issue are not eligible for reward. \n* When reporting, submit only one vulnerability per report, unless you need to chain vulnerabilities to provide impact or demonstrate the issue. \n* If an issue requires the execution of multiple exploits, the chain and the report must include both compiled and source versions, everything needed to execute the chain, and a sample non-destructive payload, if needed. \n* Review HackerOne’s disclosure guidelines ( https://www.hackerone.com/disclosure-guidelines ) prior to disclosing an issue under this program. Where there is a conflict between the disclosure guidelines and this Databricks program policy, use this program policy’s guidance.\n\n# Terms and Conditions\n**Applicable Laws.** You must comply with all applicable laws, including local laws of the country or region in which you reside or in which you access or use Databricks services. \n**Bounty.** Databricks bug bounties are granted solely at Databricks’ discretion.\n**Data.** Your testing must not violate any law, or disrupt, compromise or damage data or property that is not your own. 
This includes attacking any devices or accounts other than your own (or those for which you have express written permission) and using social engineering (e.g., phishing, vishing, smishing) techniques. However, finding technical flaws that can be used for social engineering, such as spoofing or tampering, is allowed.  \n**Finances.** You are responsible for any tax implications depending on your country of residency and citizenship. There may be additional restrictions on your ability to participate depending upon your local law.\n**General Eligibility \u0026 Sanctions.** We are unable to issue rewards to individuals who are employed by Databricks, Inc.; are an immediate family member of a person employed by Databricks, Inc.; or are less than 18 years of age. We are also unable to issue rewards to individuals who are in any U.S. embargoed countries or on the U.S. Department’s list of Specially Designated Nationals or the U.S. Department of Commerce Denied Persons List or Entity List or any other restricted party lists.\n**Research.** Immediately stop your research and notify Databricks using the reporting process before any of the following occur:\n    * You access any accounts or data other than your own (or those for which you have express written permission from their owners)\n    * You disrupt any Databricks service\n    * You access a non-customer facing Databricks system. \n\nIf you have already accessed data other than your own, and acquired it, contact us immediately, and securely purge any data you have acquired upon reporting the vulnerability to Databricks.\n\nTechnical Details\n-----------------\n* This program does not require H1 VPN. \n* Databricks is a Remote Code Execution environment, thus most instances of RCE are considered to be part of the product, and not vulnerabilities. 
Please do not report remote code execution unless you believe it is either unintended, or violates the security guarantees of the platform.\n* Notebooks execute as root and all cluster access is root  - this is expected. There are no security boundaries within a cluster.\n* Please be aware the Databricks product allows launching of Spark clusters on Azure, and these clusters cost us money to run. Please be mindful of this and do not create excessive clusters.\n\nOut of Scope Vulnerabilities\n=====================\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n* Subdomain takeover\n* **Vulnerabilities found on subdomains of \\*.cloud.databricks.com which are not explicitly listed in scope**\n* Vulnerabilities in open source projects are not eligible for bounty. Reports of such vulnerabilities will be accepted, but will not be rewarded.\n* Running your own web server on the cluster to create exploits - we are aware of this.\n* Installing malicious software on services on clusters.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Sending vulnerability reports using automated tools without validation\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n","has_open_scope":true,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-11-11T16:36:44.568Z"},{"id":3765862,"new_policy":"As part of Databricks’ commitment to security, we reward security researchers who find and report to us critical security vulnerabilities and help us keep our business and customers safe. 
By participating in this program, you are agreeing to the Databricks [terms and conditions](#user-content-terms-and-conditions).\n\nIf you have any questions about the program, please reach out to bugbounty@databricks.com. \nCreating your Databricks Accounts\n=================\n\n* Please request credentials from the HackerOne Request Credential feature.\n* For information on using Databricks, please visit https://docs.databricks.com/.\n* Databricks Architecture Overview: https://docs.databricks.com/en/getting-started/overview.html\n* Databricks Product Walkthroughs for Researchers - F3696045\n* There is an extra bonus of $25 on valid reports if you include the below:\n\t1. Include a custom HTTP header in all your traffic. Burp and other proxies allow the easy automatic addition of headers to all outbound requests. Report to us what header you set so we can identify it easily. For example:\n A header that includes your username: X-Bug-Bounty:HackerOne-\u003cusername\u003e\n\t2. Provide your IP address in the bug report. We will keep this data private and only use it to review logs related to your testing activity.\n\nGeneral Program Rules\n==============\n* To be eligible for a reward under this program, you must:\nBe the first researcher to report the issue to the Databricks Security team.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n* Only interact with accounts you own or with express written permission of the account holder. Our security team is here to support your research and collaborate with you.\n* Use your best judgment to avoid unintentional access to customer information. 
As part of your research, do not modify any files or user or customer data, including permissions, and do not intentionally view or access any data beyond what is needed to prove the vulnerability.\n* Contact us immediately if you inadvertently encounter user or customer data, and immediately and securely purge any data belonging to anyone other than you that you acquire upon reporting the vulnerability to Databricks.\n* Do not disclose your report or the vulnerability without prior express written permission from Databricks.\n* Conduct your research on in-scope assets (see Resources \u0026 Getting Started).\n\nReport and Reward Guidelines\n=======================\n* Your report must be detailed and reproducible. Reports lacking the necessary information to enable Databricks to reproduce the issue are not eligible for reward. \n* When reporting, submit only one vulnerability per report, unless you need to chain vulnerabilities to provide impact or demonstrate the issue. \n* If an issue requires the execution of multiple exploits, the chain and the report must include both compiled and source versions, everything needed to execute the chain, and a sample non-destructive payload, if needed. \n* Review HackerOne’s disclosure guidelines (https://www.hackerone.com/disclosure-guidelines) prior to disclosing an issue under this program. Where there is a conflict between the disclosure guidelines and this Databricks program policy, use this program policy’s guidance.\n\n# Terms and Conditions\n**Applicable Laws.** You must comply with all applicable laws, including local laws of the country or region in which you reside or in which you access or use Databricks services. \n**Bounty.** Databricks bug bounties are granted solely at Databricks’ discretion.\n**Data.** Your testing must not violate any law, or disrupt, compromise or damage data or property that is not your own. 
This includes attacking any devices or accounts other than your own (or those for which you have express written permission) and using social engineering (e.g., phishing, vishing, smishing) techniques. However, finding technical flaws that can be used for social engineering, such as spoofing or tampering, is allowed.  \n**Finances.** You are responsible for any tax implications depending on your country of residency and citizenship. There may be additional restrictions on your ability to participate depending upon your local law.\n**General Eligibility \u0026 Sanctions.** We are unable to issue rewards to individuals who are employed by Databricks, Inc.; are an immediate family member of a person employed by Databricks, Inc.; or are under 18 years of age. We are also unable to issue rewards to individuals who are in any U.S. embargoed countries or on the U.S. Department’s list of Specially Designated Nationals or the U.S. Department of Commerce Denied Persons List or Entity List or any other restricted party lists.\n**Research.** Immediately stop your research and notify Databricks using the reporting process before any of the following occur:\n    * You access any accounts or data other than your own (or those for which you have express written permission from their owners)\n    * You disrupt any Databricks service\n    * You access a non-customer-facing Databricks system. \n\nIf you have already accessed data other than your own, and acquired it, contact us immediately, and securely purge any data you have acquired upon reporting the vulnerability to Databricks.\n\nTechnical Details\n-----------------\n* This program does not require H1 VPN. \n* Databricks is a Remote Code Execution environment, so most instances of RCE are considered to be part of the product, and not vulnerabilities. 
Please do not report remote code execution unless you believe it is either unintended or violates the security guarantees of the platform.\n* Notebooks execute as root and all cluster access is root - this is expected. There are no security boundaries within a cluster.\n* Please be aware that the Databricks product allows launching Spark clusters on Azure, and these clusters cost us money to run. Please be mindful of this and do not create excessive clusters.\n\nOut of Scope Vulnerabilities\n=====================\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n* Subdomain takeover\n* **Vulnerabilities found on subdomains of \\*.cloud.databricks.com which are not explicitly listed in scope**\n* Vulnerabilities in open source projects are not eligible for bounty. Reports of such vulnerabilities will be accepted, but will not be rewarded.\n* Running your own web server on the cluster to create exploits - we are aware of this.\n* Installing malicious software on services on clusters.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Sending vulnerability reports using automated tools without validation\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n","has_open_scope":null,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-11-10T22:44:22.868Z"},{"id":3765861,"new_policy":"As part of Databricks’ commitment to security, we reward security researchers who find and report to us critical security vulnerabilities and help us keep our business and customers safe. 
By participating in this program, you are agreeing to the Databricks [terms and conditions](#user-content-terms-and-conditions).\n\nIf you have any questions about the program, please reach out to bugbounty@databricks.com.\n\nCreating your Databricks Accounts\n=================\n\n* Please request credentials from the HackerOne Request Credential feature.\n* For information on using Databricks, please visit https://docs.databricks.com/.\n* Databricks Architecture Overview: https://docs.databricks.com/en/getting-started/overview.html\n* Databricks Product Walkthroughs for Researchers - F3696045\n* There is an extra bonus of $25 on valid reports if you include the below:\n\t1. Include a custom HTTP header in all your traffic. Burp and other proxies allow the easy automatic addition of headers to all outbound requests. Report to us what header you set so we can identify it easily. For example, a header that includes your username: X-Bug-Bounty:HackerOne-\u003cusername\u003e\n\t2. Provide your IP address in the bug report. We will keep this data private and only use it to review logs related to your testing activity.\n\nGeneral Program Rules\n==============\n* To be eligible for a reward under this program, you must be the first researcher to report the issue to the Databricks Security team.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n* Only interact with accounts you own or with express written permission of the account holder. Our security team is here to support your research and collaborate with you.\n* Use your best judgment to avoid unintentional access to customer information. 
As part of your research, do not modify any files or user or customer data, including permissions, and do not intentionally view or access any data beyond what is needed to prove the vulnerability.\n* Contact us immediately if you inadvertently encounter user or customer data, and immediately and securely purge any data belonging to anyone other than you that you acquire upon reporting the vulnerability to Databricks.\n* Do not disclose your report or the vulnerability without prior express written permission from Databricks.\n* Conduct your research on in-scope assets (see Resources \u0026 Getting Started).\n\nReport and Reward Guidelines\n=======================\n* Your report must be detailed and reproducible. Reports lacking the necessary information to enable Databricks to reproduce the issue are not eligible for reward. \n* When reporting, submit only one vulnerability per report, unless you need to chain vulnerabilities to provide impact or demonstrate the issue. \n* If an issue requires the execution of multiple exploits, the chain and the report must include both compiled and source versions, everything needed to execute the chain, and a sample non-destructive payload, if needed. \n* Review HackerOne’s disclosure guidelines (https://www.hackerone.com/disclosure-guidelines) prior to disclosing an issue under this program. Where there is a conflict between the disclosure guidelines and this Databricks program policy, use this program policy’s guidance.\n\n# Terms and Conditions\n**Applicable Laws.** You must comply with all applicable laws, including local laws of the country or region in which you reside or in which you access or use Databricks services. \n**Bounty.** Databricks bug bounties are granted solely at Databricks’ discretion.\n**Data.** Your testing must not violate any law, or disrupt, compromise or damage data or property that is not your own. 
This includes attacking any devices or accounts other than your own (or those for which you have express written permission) and using social engineering (e.g., phishing, vishing, smishing) techniques. However, finding technical flaws that can be used for social engineering, such as spoofing or tampering, is allowed.  \n**Finances.** You are responsible for any tax implications depending on your country of residency and citizenship. There may be additional restrictions on your ability to participate depending upon your local law.\n**General Eligibility \u0026 Sanctions.** We are unable to issue rewards to individuals who are employed by Databricks, Inc.; are an immediate family member of a person employed by Databricks, Inc.; or are under 18 years of age. We are also unable to issue rewards to individuals who are in any U.S. embargoed countries or on the U.S. Department’s list of Specially Designated Nationals or the U.S. Department of Commerce Denied Persons List or Entity List or any other restricted party lists.\n**Research.** Immediately stop your research and notify Databricks using the reporting process before any of the following occur:\n    * You access any accounts or data other than your own (or those for which you have express written permission from their owners)\n    * You disrupt any Databricks service\n    * You access a non-customer-facing Databricks system. \n\nIf you have already accessed data other than your own, and acquired it, contact us immediately, and securely purge any data you have acquired upon reporting the vulnerability to Databricks.\n\nTechnical Details\n-----------------\n* This program does not require H1 VPN. \n* Databricks is a Remote Code Execution environment, so most instances of RCE are considered to be part of the product, and not vulnerabilities. 
Please do not report remote code execution unless you believe it is either unintended or violates the security guarantees of the platform.\n* Notebooks execute as root and all cluster access is root - this is expected. There are no security boundaries within a cluster.\n* Please be aware that the Databricks product allows launching Spark clusters on Azure, and these clusters cost us money to run. Please be mindful of this and do not create excessive clusters.\n\nOut of Scope Vulnerabilities\n=====================\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n* Subdomain takeover\n* **Vulnerabilities found on subdomains of \\*.cloud.databricks.com which are not explicitly listed in scope**\n* Vulnerabilities in open source projects are not eligible for bounty. Reports of such vulnerabilities will be accepted, but will not be rewarded.\n* Running your own web server on the cluster to create exploits - we are aware of this.\n* Installing malicious software on services on clusters.\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Sending vulnerability reports using automated tools without validation\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n","has_open_scope":null,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-11-10T22:42:20.062Z"},{"id":3765774,"new_policy":"As part of Databricks’ commitment to security, we reward security researchers who find and report to us critical security vulnerabilities and help us keep our business and customers safe. 
By participating in this program, you are agreeing to the Databricks [terms and conditions](#user-content-terms-and-conditions).\n\nIf you have any questions about the program, please reach out to bugbounty@databricks.com.\n\nCreating your Databricks Accounts\n=================\n\n* Please request credentials from the HackerOne Request Credential feature.\n* For information on using Databricks, please visit https://docs.databricks.com/.\n* Databricks Architecture Overview: https://docs.databricks.com/en/getting-started/overview.html\n* Databricks Product Walkthroughs for Researchers - F3696045\n* There is an extra bonus of $25 on valid reports if you include the below:\n\t1. Include a custom HTTP header in all your traffic. Burp and other proxies allow the easy automatic addition of headers to all outbound requests. Report to us what header you set so we can identify it easily. For example, a header that includes your username: X-Bug-Bounty:HackerOne-\u003cusername\u003e\n\t2. Provide your IP address in the bug report. We will keep this data private and only use it to review logs related to your testing activity.\n\nGeneral Program Rules\n==============\n* To be eligible for a reward under this program, you must be the first researcher to report the issue to the Databricks Security team.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n* Only interact with accounts you own or with express written permission of the account holder. Our security team is here to support your research and collaborate with you.\n* Use your best judgment to avoid unintentional access to customer information. 
As part of your research, do not modify any files or user or customer data, including permissions, and do not intentionally view or access any data beyond what is needed to prove the vulnerability.\n* Contact us immediately if you inadvertently encounter user or customer data, and immediately and securely purge any data belonging to anyone other than you that you acquire upon reporting the vulnerability to Databricks.\n* Do not disclose your report or the vulnerability without prior express written permission from Databricks.\n* Conduct your research on in-scope assets (see Resources \u0026 Getting Started).\n\nReport and Reward Guidelines\n=======================\n* Your report must be detailed and reproducible. Reports lacking the necessary information to enable Databricks to reproduce the issue are not eligible for reward. \n* All reports must be rated using the CVSS v3.0 calculator.\n* Reports with same-bug-different-host will be rewarded with a $100 bounty for non-customer endpoints. \n* When reporting, submit only one vulnerability per report, unless you need to chain vulnerabilities to provide impact or demonstrate the issue. \n* If an issue requires the execution of multiple exploits, the chain and the report must include both compiled and source versions, everything needed to execute the chain, and a sample non-destructive payload, if needed. \n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Review HackerOne’s disclosure guidelines (https://www.hackerone.com/disclosure-guidelines) prior to disclosing an issue under this program. Where there is a conflict between the disclosure guidelines and this Databricks program policy, use this program policy’s guidance.\n\n# Terms and Conditions\n**Applicable Laws.** You must comply with all applicable laws, including local laws of the country or region in which you reside or in which you access or use Databricks services. 
\n**Bounty.** Databricks bug bounties are granted solely at Databricks’ discretion.\n**Data.** Your testing must not violate any law, or disrupt, compromise or damage data or property that is not your own. This includes attacking any devices or accounts other than your own (or those for which you have express written permission) and using social engineering (e.g., phishing, vishing, smishing) techniques. However, finding technical flaws that can be used for social engineering, such as spoofing or tampering, is allowed.  \n**Finances.** You are responsible for any tax implications depending on your country of residency and citizenship. There may be additional restrictions on your ability to participate depending upon your local law.\n**General Eligibility \u0026 Sanctions.** We are unable to issue rewards to individuals who are employed by Databricks, Inc.; are an immediate family member of a person employed by Databricks, Inc.; or are under 18 years of age. We are also unable to issue rewards to individuals who are in any U.S. embargoed countries or on the U.S. Department’s list of Specially Designated Nationals or the U.S. Department of Commerce Denied Persons List or Entity List or any other restricted party lists.\n**Research.** Immediately stop your research and notify Databricks using the reporting process before any of the following occur:\n    * You access any accounts or data other than your own (or those for which you have express written permission from their owners)\n    * You disrupt any Databricks service\n    * You access a non-customer-facing Databricks system. \n\nIf you have already accessed data other than your own, and acquired it, contact us immediately, and securely purge any data you have acquired upon reporting the vulnerability to Databricks.\n\nTechnical Details\n-----------------\n* This program does not require H1 VPN. 
\n* Databricks is a Remote Code Execution environment, so most instances of RCE are considered to be part of the product, and not vulnerabilities. Please do not report remote code execution unless you believe it is either unintended or violates the security guarantees of the platform.\n* Notebooks execute as root and all cluster access is root - this is expected. There are no security boundaries within a cluster.\n* Please be aware that the Databricks product allows launching Spark clusters on Azure, and these clusters cost us money to run. Please be mindful of this and do not create excessive clusters.\n\nOut of Scope Vulnerabilities\n=====================\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n* Subdomain takeover\n* **Vulnerabilities found on subdomains of \\*.cloud.databricks.com which are not explicitly listed in scope**\n* Vulnerabilities in open source projects are not eligible for bounty. 
Reports of such vulnerabilities will be accepted, but will not be rewarded.\n* Running your own web server on the cluster to create exploits - we are aware of this.\n* Installing malicious software on services on clusters.\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Sending vulnerability reports using automated tools without validation\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n","has_open_scope":null,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-11-08T05:25:20.031Z"},{"id":3765773,"new_policy":"As part of Databricks’ commitment to security, we reward security researchers who find and report to us critical security vulnerabilities and help us keep our business and customers safe. By participating in this program, you are agreeing to the Databricks [terms and conditions](#user-content-terms-and-conditions).\n\nIf you have any questions about the program, please reach out to bugbounty@databricks.com. \nCreating your Databricks Accounts\n=================\n\n* Please request credentials from the HackerOne Request Credential feature.\n* For information on using Databricks, please visit https://docs.databricks.com/.\n* Databricks Architecture Overview: https://docs.databricks.com/en/getting-started/overview.html\n* Databricks Product Walkthroughs for Researchers - F3696045\n* There is an extra bonus of 25$ on valid reports if you include the below :\n\t1. Include a custom HTTP header in all your traffic. Burp and other proxies allow the easy automatic addition of headers to all outbound requests. Report to us what header you set so we can identify it easily. 
For example, a header that includes your username: X-Bug-Bounty:HackerOne-\u003cusername\u003e\n\t2. Provide your IP address in the bug report. We will keep this data private and only use it to review logs related to your testing activity.\n\nGeneral Program Rules\n==============\n* To be eligible for a reward under this program, you must be the first researcher to report the issue to the Databricks Security team.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n* Only interact with accounts you own or with express written permission of the account holder. Our security team is here to support your research and collaborate with you.\n* Use your best judgment to avoid unintentional access to customer information. As part of your research, do not modify any files or user or customer data, including permissions, and do not intentionally view or access any data beyond what is needed to prove the vulnerability.\n* Contact us immediately if you inadvertently encounter user or customer data, and immediately and securely purge any data belonging to anyone other than you that you acquire upon reporting the vulnerability to Databricks.\n* Do not disclose your report or the vulnerability without prior express written permission from Databricks.\n* Conduct your research on in-scope assets (see Resources \u0026 Getting Started).\n\nReport and Reward Guidelines\n=======================\n* Your report must be detailed and reproducible. Reports lacking the necessary information to enable Databricks to reproduce the issue are not eligible for reward. \n* All reports must be rated using the CVSS v3.0 calculator.\n* Reports with same-bug-different-host will be rewarded with a $100 bounty for non-customer endpoints. \n* When reporting, submit only one vulnerability per report, unless you need to chain vulnerabilities to provide impact or demonstrate the issue. 
\n* If an issue requires the execution of multiple exploits, the chain and the report must include both compiled and source versions, everything needed to execute the chain, and a sample non-destructive payload, if needed. \n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Review HackerOne’s disclosure guidelines (https://www.hackerone.com/disclosure-guidelines) prior to disclosing an issue under this program. Where there is a conflict between the disclosure guidelines and this Databricks program policy, use this program policy’s guidance.\n\n# Terms and Conditions\n**Applicable Laws.** You must comply with all applicable laws, including local laws of the country or region in which you reside or in which you access or use Databricks services. \n**Bounty.** Databricks bug bounties are granted solely at Databricks’ discretion.\n**Data.** Your testing must not violate any law, or disrupt, compromise or damage data or property that is not your own. This includes attacking any devices or accounts other than your own (or those for which you have express written permission) and using social engineering (e.g., phishing, vishing, smishing) techniques. However, finding technical flaws that can be used for social engineering, such as spoofing or tampering, is allowed.  \n**Finances.** You are responsible for any tax implications depending on your country of residency and citizenship. There may be additional restrictions on your ability to participate depending upon your local law.\n**General Eligibility \u0026 Sanctions.** We are unable to issue rewards to individuals who are employed by Databricks, Inc.; are an immediate family member of a person employed by Databricks, Inc.; or are under 18 years of age. We are also unable to issue rewards to individuals who are in any U.S. embargoed countries or on the U.S. Department’s list of Specially Designated Nationals or the U.S. 
Department of Commerce Denied Persons List or Entity List or any other restricted party lists.\n**Research.** Immediately stop your research and notify Databricks using the reporting process before any of the following occur:\n    * You access any accounts or data other than your own (or those for which you have express written permission from their owners)\n    * You disrupt any Databricks service\n    * You access a non-customer-facing Databricks system. \n\nIf you have already accessed data other than your own, and acquired it, contact us immediately, and securely purge any data you have acquired upon reporting the vulnerability to Databricks.\n\nTechnical Details\n-----------------\n* This program does not require H1 VPN. \n* Databricks is a Remote Code Execution environment, so most instances of RCE are considered to be part of the product, and not vulnerabilities. Please do not report remote code execution unless you believe it is either unintended or violates the security guarantees of the platform.\n* Notebooks execute as root and all cluster access is root - this is expected. There are no security boundaries within a cluster.\n* Please be aware that the Databricks product allows launching Spark clusters on Azure, and these clusters cost us money to run. Please be mindful of this and do not create excessive clusters.\n\nOut of Scope Vulnerabilities\n=====================\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n* Subdomain takeover\n* **Vulnerabilities found on subdomains of \\*.cloud.databricks.com which are not explicitly listed in scope**\n* Vulnerabilities in open source projects are not eligible for bounty. 
Reports of such vulnerabilities will be accepted, but will not be rewarded.\n* Running your own web server on the cluster to create exploits - we are aware of this.\n* Installing malicious software on services on clusters.\n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated/logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Any activity that could lead to the disruption of our service (DoS or DDoS).\n* Sending vulnerability reports using automated tools without validation\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n","has_open_scope":null,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-11-08T05:01:00.293Z"},{"id":3765590,"new_policy":"As part of Databricks’ commitment to security, we reward security researchers who find and report to us critical security vulnerabilities and help us keep our business and customers safe. By participating in this program, you are agreeing to the Databricks [terms and conditions](#user-content-terms-and-conditions).\n\nIf you have any questions about the program, please reach out to bugbounty@databricks.com. 
\n\nCreating your Databricks Accounts\n=================\n\n* Please request credentials from the HackerOne Request Credential feature.\n* For information on using Databricks, please visit https://docs.databricks.com/.\n* Databricks Architecture Overview: https://docs.databricks.com/en/getting-started/overview.html\n* Databricks Product Walkthroughs for Researchers - F3696045\n* There is an extra bonus of $25 on valid reports if you include the below:\n\t1. Include a custom HTTP header in all your traffic. Burp and other proxies allow the easy automatic addition of headers to all outbound requests. Report to us what header you set so we can identify it easily. For example, a header that includes your username: X-Bug-Bounty:HackerOne-\u003cusername\u003e\n\t2. Provide your IP address in the bug report. We will keep this data private and only use it to review logs related to your testing activity.\n\nGeneral Program Rules\n==============\n* To be eligible for a reward under this program, you must be the first researcher to report the issue to the Databricks Security team.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n* Only interact with accounts you own or with express written permission of the account holder. Our security team is here to support your research and collaborate with you.\n* Use your best judgment to avoid unintentional access to customer information. 
As part of your research, do not modify any files or user or customer data, including permissions, and do not intentionally view or access any data beyond what is needed to prove the vulnerability.\n* Contact us immediately if you inadvertently encounter user or customer data, and immediately and securely purge any data belonging to anyone other than you that you acquire upon reporting the vulnerability to Databricks.\n* Do not disclose your report or the vulnerability without prior express written permission from Databricks.\n* Conduct your research on in-scope assets (see Resources \u0026 Getting Started).\n\nReport and Reward Guidelines\n=======================\n* Your report must be detailed and reproducible. Reports lacking the necessary information to enable Databricks to reproduce the issue are not eligible for reward. \n* All reports must be rated using the CVSS v3.0 calculator.\n* Reports with same-bug-different-host will be rewarded with a $100 bounty for non-customer endpoints. \n* When reporting, submit only one vulnerability per report, unless you need to chain vulnerabilities to provide impact or demonstrate the issue. \n* If an issue requires the execution of multiple exploits, the chain and the report must include both compiled and source versions, everything needed to execute the chain, and a sample non-destructive payload, if needed. \n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Review HackerOne’s disclosure guidelines (https://www.hackerone.com/disclosure-guidelines) prior to disclosing an issue under this program. Where there is a conflict between the disclosure guidelines and this Databricks program policy, use this program policy’s guidance.\n\n# Terms and Conditions\n**Applicable Laws.** You must comply with all applicable laws, including local laws of the country or region in which you reside or in which you access or use Databricks services. 
\n**Bounty.** Databricks bug bounties are granted solely at Databricks’ discretion.\n**Data.** Your testing must not violate any law, or disrupt, compromise or damage data or property that is not your own. This includes attacking any devices or accounts other than your own (or those for which you have express written permission) and using social engineering (e.g., phishing, vishing, smishing) techniques. However, finding technical flaws that can be used for social engineering, such as spoofing or tampering, is allowed.  \n**Finances.** You are responsible for any tax implications depending on your country of residency and citizenship. There may be additional restrictions on your ability to participate depending upon your local law.\n**General Eligibility \u0026 Sanctions.** We are unable to issue rewards to individuals who are employed by Databricks, Inc.; are an immediate family member of a person employed by Databricks, Inc.; or are under 18 years of age. We are also unable to issue rewards to individuals who are in any U.S.-embargoed country or on the U.S. Department’s list of Specially Designated Nationals, the U.S. Department of Commerce Denied Persons List or Entity List, or any other restricted party list.\n**Research.** Immediately stop your research and notify Databricks using the reporting process before any of the following occur:\n    * You access any accounts or data other than your own (or those for which you have express written permission from their owners)\n    * You disrupt any Databricks service\n    * You access a non-customer-facing Databricks system. 
\n\nIf you have already accessed data other than your own, and acquired it, contact us immediately, and securely purge any data you have acquired upon reporting the vulnerability to Databricks.\n**Safe Harbor.** A participant in this program will not be deemed to be in breach of applicable Databricks terms for in-scope actions performed by the participant where all of the following are met:\n    * The actions were performed during good-faith security research, which was, or was intended to be, responsibly reported to Databricks;\n    * The actions were performed strictly during participation in the Databricks bug bounty program; and\n    * Neither the actions nor the participant have otherwise violated these policies, such as the Data and Research sections within these Terms.\n\nTechnical Details\n-----------------\n* This program does not require H1 VPN.\n* Databricks is a Remote Code Execution environment; thus most instances of RCE are considered part of the product, not vulnerabilities. Please do not report remote code execution unless you believe it is either unintended or violates the security guarantees of the platform.\n* Notebooks execute as root and all cluster access is root; this is expected. There are no security boundaries within a cluster.\n* Please be aware that the Databricks product allows launching Spark clusters on Azure, and these clusters cost us money to run. Please be mindful of this and do not create excessive clusters.\n\nOut of Scope Vulnerabilities\n=====================\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n* Subdomain takeover\n* **Vulnerabilities found on subdomains of \\*.cloud.databricks.com which are not explicitly listed in scope**\n* Vulnerabilities in open source projects are not eligible for bounty. 
Reports of such vulnerabilities will be accepted, but will not be rewarded.\n* Running your own web server on the cluster to create exploits - we are aware of this.\n* Installing malicious software on services on clusters.\n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated/logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Any activity that could lead to the disruption of our service (DoS or DDoS).\n* Sending vulnerability reports using automated tools without validation.\n* Content spoofing and text injection issues without showing an attack vector or without being able to modify HTML/CSS.\n","has_open_scope":null,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-11-05T17:57:49.108Z"},{"id":3764855,"new_policy":"As part of Databricks’ commitment to security, we reward security researchers who find and report to us critical security vulnerabilities and help us keep our business and customers safe. By participating in this program, you are agreeing to the Databricks [terms and conditions](#user-content-terms-and-conditions).\n\nIf you have any questions about the program, please reach out to bugbounty@databricks.com. 
\nCreating your Databricks Accounts\n=================\n\n* Please request credentials from the HackerOne Request Credential feature.\n* For information on using Databricks, please visit https://docs.databricks.com/.\n* Databricks Architecture Overview: https://docs.databricks.com/en/getting-started/overview.html\n* Databricks Product Walkthroughs for Researchers - F3696045\n* There is an extra bonus of $25 on valid reports if you include the following:\n\t1. Include a custom HTTP header in all your traffic. Burp and other proxies allow the easy automatic addition of headers to all outbound requests. Report to us what header you set so we can identify it easily. For example, a header that includes your username: X-Bug-Bounty:HackerOne-\u003cusername\u003e\n\t2. Provide your IP address in the bug report. We will keep this data private and only use it to review logs related to your testing activity.\n\nGeneral Program Rules\n==============\n* To be eligible for a reward under this program, you must be the first researcher to report the issue to the Databricks Security team.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n* Only interact with accounts you own or with express written permission of the account holder. Our security team is here to support your research and collaborate with you.\n* Use your best judgment to avoid unintentional access to customer information. 
As part of your research, do not modify any files or user or customer data, including permissions, and do not intentionally view or access any data beyond what is needed to prove the vulnerability.\n* Contact us immediately if you inadvertently encounter user or customer data, and immediately and securely purge any data belonging to anyone other than you that you acquire upon reporting the vulnerability to Databricks.\n* Do not disclose your report or the vulnerability without prior express written permission from Databricks.\n* Conduct your research on in-scope assets (see Resources \u0026 Getting Started).\n\nReport and Reward Guidelines\n=======================\n* Your report must be detailed and reproducible. Reports lacking the necessary information to enable Databricks to reproduce the issue are not eligible for reward.\n* All reports must be rated using the CVSS v3.0 calculator.\n* Reports of the same bug on a different host will be rewarded with a $100 bounty for non-customer endpoints.\n* When reporting, submit only one vulnerability per report, unless you need to chain vulnerabilities to provide impact or demonstrate the issue.\n* If an issue requires the execution of multiple exploits, the chain and the report must include both compiled and source versions, everything needed to execute the chain, and a sample non-destructive payload, if needed.\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Review HackerOne’s disclosure guidelines (https://www.hackerone.com/disclosure-guidelines) prior to disclosing an issue under this program. Where there is a conflict between the disclosure guidelines and this Databricks program policy, use this program policy’s guidance.\n\n# Terms and Conditions\n**Applicable Laws.** You must comply with all applicable laws, including local laws of the country or region in which you reside or in which you access or use Databricks services. 
\n**Bounty.** Databricks bug bounties are granted solely at Databricks’ discretion.\n**Data.** Your testing must not violate any law, or disrupt, compromise or damage data or property that is not your own. This includes attacking any devices or accounts other than your own (or those for which you have express written permission) and using social engineering (e.g., phishing, vishing, smishing) techniques. However, finding technical flaws that can be used for social engineering, such as spoofing or tampering, is allowed.  \n**Finances.** You are responsible for any tax implications depending on your country of residency and citizenship. There may be additional restrictions on your ability to participate depending upon your local law.\n**General Eligibility \u0026 Sanctions.** We are unable to issue rewards to individuals who are employed by Databricks, Inc.; are an immediate family member of a person employed by Databricks, Inc.; or are under 18 years of age. We are also unable to issue rewards to individuals who are in any U.S.-embargoed country or on the U.S. Department’s list of Specially Designated Nationals, the U.S. Department of Commerce Denied Persons List or Entity List, or any other restricted party list.\n**Research.** Immediately stop your research and notify Databricks using the reporting process before any of the following occur:\n    * You access any accounts or data other than your own (or those for which you have express written permission from their owners)\n    * You disrupt any Databricks service\n    * You access a non-customer-facing Databricks system. 
\n\nIf you have already accessed data other than your own, and acquired it, contact us immediately, and securely purge any data you have acquired upon reporting the vulnerability to Databricks.\n**Safe Harbor.** A participant in this program will not be deemed to be in breach of applicable Databricks terms for in-scope actions performed by the participant where all of the following are met:\n    * The actions were performed during good-faith security research, which was, or was intended to be, responsibly reported to Databricks;\n    * The actions were performed strictly during participation in the Databricks bug bounty program; and\n    * Neither the actions nor the participant have otherwise violated these policies, such as the Data and Research sections within these Terms.\n\nTechnical Details\n-----------------\n* This program does not require H1 VPN.\n* Databricks is a Remote Code Execution environment; thus most instances of RCE are considered part of the product, not vulnerabilities. Please do not report remote code execution unless you believe it is either unintended or violates the security guarantees of the platform.\n* Notebooks execute as root and all cluster access is root; this is expected. There are no security boundaries within a cluster.\n* Please be aware that the Databricks product allows launching Spark clusters on Azure, and these clusters cost us money to run. Please be mindful of this and do not create excessive clusters.\n\nOut of Scope Vulnerabilities\n=====================\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n* Subdomain takeover\n* **Vulnerabilities found on subdomains of \\*.cloud.databricks.com which are not explicitly listed in scope**\n* Vulnerabilities in open source projects are not eligible for bounty. 
Reports of such vulnerabilities will be accepted, but will not be rewarded.\n* Running your own web server on the cluster to create exploits - we are aware of this.\n* Installing malicious software on services on clusters.\n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated/logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Any activity that could lead to the disruption of our service (DoS or DDoS).\n* Sending vulnerability reports using automated tools without validation.\n* Content spoofing and text injection issues without showing an attack vector or without being able to modify HTML/CSS.\n","has_open_scope":null,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-10-20T15:59:10.049Z"},{"id":3742593,"new_policy":"As part of Databricks’ commitment to security, we reward security researchers who find and report to us critical security vulnerabilities and help us keep our business and customers safe. By participating in this program, you are agreeing to the Databricks [terms and conditions](#user-content-terms-and-conditions).\n\nIf you have any questions about the program, please reach out to bugbounty@databricks.com. 
\nCreating your Databricks Accounts\n=================\n\n* Please request credentials from the HackerOne Request Credential feature.\n* For information on using Databricks, please visit https://docs.databricks.com/.\n* Databricks Architecture Overview: https://docs.databricks.com/en/getting-started/overview.html\n* Databricks Product Walkthroughs for Researchers - F3696045\n* There is an extra bonus of $25 on valid reports if you include the following:\n\t1. Include a custom HTTP header in all your traffic. Burp and other proxies allow the easy automatic addition of headers to all outbound requests. Report to us what header you set so we can identify it easily. For example, a header that includes your username: X-Bug-Bounty:HackerOne-\u003cusername\u003e\n\t2. Provide your IP address in the bug report. We will keep this data private and only use it to review logs related to your testing activity.\n\nGeneral Program Rules\n==============\n* To be eligible for a reward under this program, you must be the first researcher to report the issue to the Databricks Security team.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n* Only interact with accounts you own or with express written permission of the account holder. Our security team is here to support your research and collaborate with you.\n* Use your best judgment to avoid unintentional access to customer information. 
As part of your research, do not modify any files or user or customer data, including permissions, and do not intentionally view or access any data beyond what is needed to prove the vulnerability.\n* Contact us immediately if you inadvertently encounter user or customer data, and immediately and securely purge any data belonging to anyone other than you that you acquire upon reporting the vulnerability to Databricks.\n* Do not disclose your report or the vulnerability without prior express written permission from Databricks.\n* Conduct your research on in-scope assets (see Resources \u0026 Getting Started).\n\nReport and Reward Guidelines\n=======================\n* Your report must be detailed and reproducible. Reports lacking the necessary information to enable Databricks to reproduce the issue are not eligible for reward.\n* All reports must be rated using the CVSS v3.0 calculator.\n* Reports of the same bug on a different host will be rewarded with a $100 bounty for non-customer endpoints.\n* When reporting, submit only one vulnerability per report, unless you need to chain vulnerabilities to provide impact or demonstrate the issue.\n* If an issue requires the execution of multiple exploits, the chain and the report must include both compiled and source versions, everything needed to execute the chain, and a sample non-destructive payload, if needed.\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Review HackerOne’s disclosure guidelines (https://www.hackerone.com/disclosure-guidelines) prior to disclosing an issue under this program. Where there is a conflict between the disclosure guidelines and this Databricks program policy, use this program policy’s guidance.\n\n# Terms and Conditions\n**Applicable Laws.** You must comply with all applicable laws, including local laws of the country or region in which you reside or in which you access or use Databricks services. 
\n**Bounty.** Databricks bug bounties are granted solely at Databricks’ discretion.\n**Data.** Your testing must not violate any law, or disrupt, compromise or damage data or property that is not your own. This includes attacking any devices or accounts other than your own (or those for which you have express written permission) and using social engineering (e.g., phishing, vishing, smishing) techniques. However, finding technical flaws that can be used for social engineering, such as spoofing or tampering, is allowed.  \n**Finances.** You are responsible for any tax implications depending on your country of residency and citizenship. There may be additional restrictions on your ability to participate depending upon your local law.\n**General Eligibility \u0026 Sanctions.** We are unable to issue rewards to individuals who are employed by Databricks, Inc.; are an immediate family member of a person employed by Databricks, Inc.; or are under 18 years of age. We are also unable to issue rewards to individuals who are in any U.S.-embargoed country or on the U.S. Department’s list of Specially Designated Nationals, the U.S. Department of Commerce Denied Persons List or Entity List, or any other restricted party list.\n**Research.** Immediately stop your research and notify Databricks using the reporting process before any of the following occur:\n    * You access any accounts or data other than your own (or those for which you have express written permission from their owners)\n    * You disrupt any Databricks service\n    * You access a non-customer-facing Databricks system. 
\n\nIf you have already accessed data other than your own, and acquired it, contact us immediately, and securely purge any data you have acquired upon reporting the vulnerability to Databricks.\n**Safe Harbor.** A participant in this program will not be deemed to be in breach of applicable Databricks terms for in-scope actions performed by the participant where all of the following are met:\n    * The actions were performed during good-faith security research, which was, or was intended to be, responsibly reported to Databricks;\n    * The actions were performed strictly during participation in the Databricks bug bounty program; and\n    * Neither the actions nor the participant have otherwise violated these policies, such as the Data and Research sections within these Terms.\n\nTechnical Details\n-----------------\n* This program does not require H1 VPN.\n* Databricks is a Remote Code Execution environment; thus most instances of RCE are considered part of the product, not vulnerabilities. Please do not report remote code execution unless you believe it is either unintended or violates the security guarantees of the platform.\n* Notebooks execute as root and all cluster access is root; this is expected. There are no security boundaries within a cluster.\n* Please be aware that the Databricks product allows launching Spark clusters on Azure, and these clusters cost us money to run. Please be mindful of this and do not create excessive clusters.\n\nOut of Scope Vulnerabilities\n=====================\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n* Subdomain takeover\n* **Vulnerabilities found on subdomains of \\*.cloud.databricks.com which are not explicitly listed in scope**\n* Vulnerabilities in open source projects are not eligible for bounty. 
Reports of such vulnerabilities will be accepted, but will not be rewarded.\n* Running your own web server on the cluster to create exploits - we are aware of this.\n* Installing malicious software on services on clusters.\n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated/logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Any activity that could lead to the disruption of our service (DoS or DDoS).\n* Sending vulnerability reports using automated tools without validation.\n* Content spoofing and text injection issues without showing an attack vector or without being able to modify HTML/CSS.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-10-21T21:42:34.351Z"},{"id":3723026,"new_policy":"As part of Databricks’ commitment to security, we reward security researchers who find and report to us critical security vulnerabilities and help us keep our business and customers safe. By participating in this program, you are agreeing to the Databricks [terms and conditions](#user-content-terms-and-conditions).\n\nIf you have any questions about the program, please reach out to bugbounty@databricks.com. 
\nCreating your Databricks Accounts\n=================\n\n* Please request credentials from the HackerOne Request Credential feature.\n* For information on using Databricks, please visit https://docs.databricks.com/.\n* Databricks Architecture Overview: https://docs.databricks.com/en/getting-started/overview.html\n* There is an extra bonus of $25 on valid reports if you include the following:\n\t1. Include a custom HTTP header in all your traffic. Burp and other proxies allow the easy automatic addition of headers to all outbound requests. Report to us what header you set so we can identify it easily. For example, a header that includes your username: X-Bug-Bounty:HackerOne-\u003cusername\u003e\n\t2. Provide your IP address in the bug report. We will keep this data private and only use it to review logs related to your testing activity.\n\nGeneral Program Rules\n==============\n* To be eligible for a reward under this program, you must be the first researcher to report the issue to the Databricks Security team.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n* Only interact with accounts you own or with express written permission of the account holder. Our security team is here to support your research and collaborate with you.\n* Use your best judgment to avoid unintentional access to customer information. 
As part of your research, do not modify any files or user or customer data, including permissions, and do not intentionally view or access any data beyond what is needed to prove the vulnerability.\n* Contact us immediately if you inadvertently encounter user or customer data, and immediately and securely purge any data belonging to anyone other than you that you acquire upon reporting the vulnerability to Databricks.\n* Do not disclose your report or the vulnerability without prior express written permission from Databricks.\n* Conduct your research on in-scope assets (see Resources \u0026 Getting Started).\n\nReport and Reward Guidelines\n=======================\n* Your report must be detailed and reproducible. Reports lacking the necessary information to enable Databricks to reproduce the issue are not eligible for reward.\n* All reports must be rated using the CVSS v3.0 calculator.\n* Reports of the same bug on a different host will be rewarded with a $100 bounty for non-customer endpoints.\n* When reporting, submit only one vulnerability per report, unless you need to chain vulnerabilities to provide impact or demonstrate the issue.\n* If an issue requires the execution of multiple exploits, the chain and the report must include both compiled and source versions, everything needed to execute the chain, and a sample non-destructive payload, if needed.\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Review HackerOne’s disclosure guidelines (https://www.hackerone.com/disclosure-guidelines) prior to disclosing an issue under this program. Where there is a conflict between the disclosure guidelines and this Databricks program policy, use this program policy’s guidance.\n\n# Terms and Conditions\n**Applicable Laws.** You must comply with all applicable laws, including local laws of the country or region in which you reside or in which you access or use Databricks services. 
\n**Bounty.** Databricks bug bounties are granted solely at Databricks’ discretion.\n**Data.** Your testing must not violate any law, or disrupt, compromise or damage data or property that is not your own. This includes attacking any devices or accounts other than your own (or those for which you have express written permission) and using social engineering (e.g., phishing, vishing, smishing) techniques. However, finding technical flaws that can be used for social engineering, such as spoofing or tampering, is allowed.  \n**Finances.** You are responsible for any tax implications depending on your country of residency and citizenship. There may be additional restrictions on your ability to participate depending upon your local law.\n**General Eligibility \u0026 Sanctions.** We are unable to issue rewards to individuals who are employed by Databricks, Inc.; are an immediate family member of a person employed by Databricks, Inc.; or are under 18 years of age. We are also unable to issue rewards to individuals who are in any U.S.-embargoed country or on the U.S. Department’s list of Specially Designated Nationals, the U.S. Department of Commerce Denied Persons List or Entity List, or any other restricted party list.\n**Research.** Immediately stop your research and notify Databricks using the reporting process before any of the following occur:\n    * You access any accounts or data other than your own (or those for which you have express written permission from their owners)\n    * You disrupt any Databricks service\n    * You access a non-customer-facing Databricks system. 
\n\nIf you have already accessed data other than your own, and acquired it, contact us immediately, and securely purge any data you have acquired upon reporting the vulnerability to Databricks.\n**Safe Harbor.** A participant in this program will not be deemed to be in breach of applicable Databricks terms for in-scope actions performed by the participant where all of the following are met:\n    * The actions were performed during good-faith security research, which was, or was intended to be, responsibly reported to Databricks;\n    * The actions were performed strictly during participation in the Databricks bug bounty program; and\n    * Neither the actions nor the participant have otherwise violated these policies, such as the Data and Research sections within these Terms.\n\nTechnical Details\n-----------------\n* This program does not require H1 VPN.\n* Databricks is a Remote Code Execution environment; thus most instances of RCE are considered part of the product, not vulnerabilities. Please do not report remote code execution unless you believe it is either unintended or violates the security guarantees of the platform.\n* Notebooks execute as root and all cluster access is root; this is expected. There are no security boundaries within a cluster.\n* Please be aware that the Databricks product allows launching Spark clusters on Azure, and these clusters cost us money to run. Please be mindful of this and do not create excessive clusters.\n\nOut of Scope Vulnerabilities\n=====================\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n* Subdomain takeover\n* **Vulnerabilities found on subdomains of \\*.cloud.databricks.com which are not explicitly listed in scope**\n* Vulnerabilities in open source projects are not eligible for bounty. 
Reports of such vulnerabilities will be accepted, but will not be rewarded.\n* Running your own web server on the cluster to create exploits - we are aware of this.\n* Installing malicious software on services on clusters.\n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated/logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Any activity that could lead to the disruption of our service (DoS or DDoS).\n* Sending vulnerability reports using automated tools without validation.\n* Content spoofing and text injection issues without showing an attack vector or without being able to modify HTML/CSS.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-04-08T15:20:34.942Z"},{"id":3705349,"new_policy":"As part of Databricks’ commitment to security, we reward security researchers who find and report to us critical security vulnerabilities and help us keep our business and customers safe. By participating in this program, you are agreeing to the Databricks [terms and conditions](#user-content-terms-and-conditions).\n\nIf you have any questions about the program, please reach out to bugbounty@databricks.com. 
\nCreating your Databricks Accounts\n=================\n\n* Please fill out the form (https://forms.gle/JnHDuAjHh7H6SQQd7) so we can provide you with testing credentials, including demo accounts to use for your research.\n* For information on using Databricks, please visit https://docs.databricks.com/.\n* Databricks Architecture Overview: https://docs.databricks.com/en/getting-started/overview.html\n* There is an extra bonus of $25 on valid reports if you include the following:\n\t1. Include a custom HTTP header in all your traffic. Burp and other proxies allow the easy automatic addition of headers to all outbound requests. Report to us what header you set so we can identify it easily. For example, a header that includes your username: X-Bug-Bounty:HackerOne-\u003cusername\u003e\n\t2. Provide your IP address in the bug report. We will keep this data private and only use it to review logs related to your testing activity.\n\nGeneral Program Rules\n==============\n* To be eligible for a reward under this program, you must be the first researcher to report the issue to the Databricks Security team.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n* Only interact with accounts you own or with express written permission of the account holder. Our security team is here to support your research and collaborate with you.\n* Use your best judgment to avoid unintentional access to customer information. 
As part of your research, do not modify any files or user or customer data, including permissions, and do not intentionally view or access any data beyond what is needed to prove the vulnerability.\n* Contact us immediately if you inadvertently encounter user or customer data, and immediately and securely purge any data belonging to anyone other than you that you acquire upon reporting the vulnerability to Databricks.\n* Do not disclose your report or the vulnerability without prior express written permission from Databricks.\n* Conduct your research on in-scope assets (see Resources \u0026 Getting Started).\n\nReport and Reward Guidelines\n=======================\n* Your report must be detailed and reproducible. Reports lacking the necessary information to enable Databricks to reproduce the issue are not eligible for reward. \n* All reports must be rated using the CVSS v3.0 calculator.\n* Reports of the same bug on a different host will be rewarded with a $100 bounty for non-customer endpoints. \n* When reporting, submit only one vulnerability per report, unless you need to chain vulnerabilities to provide impact or demonstrate the issue. \n* If an issue requires the execution of multiple exploits, the chain and the report must include both compiled and source versions, everything needed to execute the chain, and a sample non-destructive payload, if needed. \n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Review HackerOne’s disclosure guidelines ( https://www.hackerone.com/disclosure-guidelines ) prior to disclosing an issue under this program. Where there is a conflict between the disclosure guidelines and this Databricks program policy, use this program policy’s guidance.\n\n# Terms and Conditions\n**Applicable Laws.** You must comply with all applicable laws, including local laws of the country or region in which you reside or in which you access or use Databricks services. 
\n**Bounty.** Databricks bug bounties are granted solely at Databricks’ discretion.\n**Data.** Your testing must not violate any law, or disrupt, compromise or damage data or property that is not your own. This includes attacking any devices or accounts other than your own (or those for which you have express written permission) and using social engineering (e.g., phishing, vishing, smishing) techniques. However, finding technical flaws that can be used for social engineering, such as spoofing or tampering, is allowed.\n**Finances.** You are responsible for any tax implications depending on your country of residency and citizenship. There may be additional restrictions on your ability to participate depending upon your local law.\n**General Eligibility \u0026 Sanctions.** We are unable to issue rewards to individuals who are employed by Databricks, Inc.; are an immediate family member of a person employed by Databricks, Inc.; or are under 18 years of age. We are also unable to issue rewards to individuals who are in any U.S. embargoed countries or on the U.S. Department’s list of Specially Designated Nationals or the U.S. Department of Commerce Denied Persons List or Entity List or any other restricted party lists.\n**Research.** Immediately stop your research and notify Databricks using the reporting process before any of the following occur:\n    * You access any accounts or data other than your own (or those for which you have express written permission from their owners)\n    * You disrupt any Databricks service\n    * You access a non-customer-facing Databricks system. 
\n\nIf you have already accessed data other than your own, and acquired it, contact us immediately, and securely purge any data you have acquired upon reporting the vulnerability to Databricks.\n**Safe Harbor.** A participant in this program will not be deemed to be in breach of applicable Databricks terms for in-scope actions performed by the participant where all of the following are met:\n    * The actions were performed during good-faith security research, which was, or was intended to be, responsibly reported to Databricks; \n    * The actions were performed strictly during participation in the Databricks bug bounty program; and\n    * Neither the actions nor the participant have otherwise violated these policies, such as the Data and Research sections within these Terms.\n\nTechnical Details\n-----------------\n* This program does not require H1 VPN. \n* Databricks is a Remote Code Execution environment, thus most instances of RCE are considered to be part of the product, and not vulnerabilities. Please do not report remote code execution unless you believe it is either unintended, or violates the security guarantees of the platform.\n* Notebooks execute as root and all cluster access is root - this is expected. There are no security boundaries within a cluster.\n* Please be aware the Databricks product allows launching of Spark clusters on Azure, and these clusters cost us money to run. Please be mindful of this and do not create excessive clusters.\n\nOut of Scope Vulnerabilities\n=====================\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n* Subdomain takeover\n* **Vulnerabilities found on subdomains of \\*.cloud.databricks.com which are not explicitly listed in scope**\n* Vulnerabilities in open source projects are not eligible for bounty. 
Reports of such vulnerabilities will be accepted, but will not be rewarded.\n* Running your own web server on the cluster to create exploits - we are aware of this.\n* Installing malicious software on services on clusters.\n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated/logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Any activity that could lead to the disruption of our service (DoS or DDoS).\n* Sending vulnerability reports using automated tools without validation\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-10-17T14:54:43.754Z"},{"id":3685650,"new_policy":"As part of Databricks’ commitment to security, we reward security researchers who find and report to us critical security vulnerabilities and help us keep our business and customers safe. By participating in this program, you are agreeing to the Databricks [terms and conditions](#user-content-terms-and-conditions).\n\nIf you have any questions about the program, please reach out to bugbounty@databricks.com. 
\nGeneral Program Rules\n=================\n\nTo be eligible for a reward under this program, you must:\n* Be the first researcher to report the issue to the Databricks Security team.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n* Only interact with accounts you own or with express written permission of the account holder. Our security team is here to support your research and collaborate with you. \n* Use your best judgment to avoid unintentional access to customer information. As part of your research, do not modify any files or user or customer data, including permissions, and do not intentionally view or access any data beyond what is needed to prove the vulnerability.\n* Contact us immediately if you inadvertently encounter user or customer data, and immediately and securely purge any data belonging to anyone other than you that you acquire upon reporting the vulnerability to Databricks.\n* Do not disclose your report or the vulnerability without prior express written permission from Databricks.\n* Conduct your research on in-scope assets (see Resources \u0026 Getting Started).\n\nReport and Reward Guidelines\n=======================\n* Your report must be detailed and reproducible. Reports lacking the necessary information to enable Databricks to reproduce the issue are not eligible for reward. \n* All reports must be rated using CVSS v3.0 calculator. \n* When reporting, submit only one vulnerability per report, unless you need to chain vulnerabilities to provide impact or demonstrate the issue. \n* If an issue requires the execution of multiple exploits, the chain and the report must include both compiled and source versions, everything needed to execute the chain, and a sample non-destructive payload, if needed. 
\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Review HackerOne’s disclosure guidelines ( https://www.hackerone.com/disclosure-guidelines ) prior to disclosing an issue under this program. Where there is a conflict between the disclosure guidelines and this Databricks program policy, use this program policy’s guidance.\n\nPriority Vulnerability Reward\n=====================\n**25% Additional Bounty.** Databricks will reward an additional 25% bounty on the selected category of vulnerabilities in our main testing site (extended program assets are not included in this priority vulnerability reward):\n* Privilege Escalation\n* Insecure Direct Object Reference (IDOR)\n* Improper Access Control\n\n**$3000 Cluster Breakout.** A $3000 reward is guaranteed to the researcher able to break out of our current cluster container (LXC) and execute privileged commands in adjacent LXC containers or the Host OS.\n\n# Terms and Conditions\n**Applicable Laws.** You must comply with all applicable laws, including local laws of the country or region in which you reside or in which you access or use Databricks services. \n**Bounty.** Databricks bug bounties are granted solely at Databricks’ discretion.\n**Data.** Your testing must not violate any law, or disrupt, compromise or damage data or property that is not your own. This includes attacking any devices or accounts other than your own (or those for which you have express written permission) and using social engineering (e.g., phishing, vishing, smishing) techniques. However, finding technical flaws that can be used for social engineering, such as spoofing or tampering, is allowed.  \n**Finances.** You are responsible for any tax implications depending on your country of residency and citizenship. 
There may be additional restrictions on your ability to participate depending upon your local law.\n**General Eligibility \u0026 Sanctions.** We are unable to issue rewards to individuals who are employed by Databricks, Inc.; are an immediate family member of a person employed by Databricks, Inc.; or are under 18 years of age. We are also unable to issue rewards to individuals who are in any U.S. embargoed countries or on the U.S. Department’s list of Specially Designated Nationals or the U.S. Department of Commerce Denied Persons List or Entity List or any other restricted party lists.\n**Research.** Immediately stop your research and notify Databricks using the reporting process before any of the following occur:\n    * You access any accounts or data other than your own (or those for which you have express written permission from their owners)\n    * You disrupt any Databricks service\n    * You access a non-customer-facing Databricks system. \n\nIf you have already accessed data other than your own, and acquired it, contact us immediately, and securely purge any data you have acquired upon reporting the vulnerability to Databricks.\n**Safe Harbor.** A participant in this program will not be deemed to be in breach of applicable Databricks terms for in-scope actions performed by the participant where all of the following are met:\n    * The actions were performed during good-faith security research, which was, or was intended to be, responsibly reported to Databricks; \n    * The actions were performed strictly during participation in the Databricks bug bounty program; and\n    * Neither the actions nor the participant have otherwise violated these policies, such as the Data and Research sections within these Terms.\n\nResources \u0026 Getting Started\n=====================\nDatabricks Test Accounts \u0026 Credentials\n----------------------------------------\nPlease fill out the form ( https://forms.gle/JnHDuAjHh7H6SQQd7 ) so we can provide you with 
testing credentials, including demo (fake) accounts for use in your research. \nPlatform Documentation\n------------------------\nFor information on using Databricks, please visit https://docs.databricks.com/.\nTechnical Details\n-----------------\n* This program does not require H1 VPN. \n* Databricks is a Remote Code Execution environment, thus most instances of RCE are considered to be part of the product, and not vulnerabilities. Please do not report remote code execution unless you believe it is either unintended, or violates the security guarantees of the platform.\n* Notebooks execute as root and all cluster access is root - this is expected. There are no security boundaries within a cluster.\n* Please be aware the Databricks product allows launching of Spark clusters on Azure, and these clusters cost us money to run. Please be mindful of this and do not create excessive clusters.\n\nOut of Scope Vulnerabilities\n=====================\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n* Subdomain takeover\n* Vulnerabilities in open source projects are not eligible for bounty. 
Reports of such vulnerabilities will be accepted, but will not be rewarded.\n* Running your own web server on the cluster to create exploits - we are aware of this.\n* Installing malicious software on services on clusters.\n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated/logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Any activity that could lead to the disruption of our service (DoS or DDoS).\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Azure Portal\n\nExtended Assets\n============\nThe out-of-scope vulnerabilities for extended assets are the same as those listed above. Vulnerabilities in scope:\n* Network scanning\n* Passive scanning\n* DNS scanning\n\nMain Test Site\n===========\nhttps://dbc-a1ba5468-749b.staging.cloud.databricks.com\n\nExtended Asset List\n===============\n* connect.databricks.com\n* docs-admin.databricks.com\n* docs-user.databricks.com\n* e.databricks.com\n* go.databricks.com\n* go.dev.databricks.com\n* homebrew-tap.dev.databricks.com\n* ideas.staging.databricks.com\n* info.databricks.com\n* it.corp.databricks.com\n* ok.databricks.com\n* pages.databricks.com\n* partnermarketing.databricks.com\n* signup.cloud.mrkt.databricks.com\n* signup.dev.mrkt.databricks.com\n* ssh.databricks.com\n* ssh.spark-summit.org\n* staging.spark-summit.org\n* tools.sec-sf.databricks.com\n* training.databricks.com\n* uberlyft-ns.dev.databricks.com\n* waf-test.corp.databricks.com\n* academy.databricks.com\n* accounts.cloud.databricks.com\n* community.cloud.databricks.com\n* databricks-prod-cloudfront.cloud.databricks.com\n* delta.io\n* demo.cloud.databricks.com\n* docs.cloud.databricks.com\n* docs.databricks.com\n* 
docs.delta.io\n* files.training.databricks.com\n* ftp.databricks.com\n* go.corp.databricks.com\n* gw1-ap.corp.databricks.com\n* gw1-eu.corp.databricks.com\n* gw1-us.corp.databricks.com\n* gw2-us.corp.databricks.com\n* help.corp.databricks.com\n* help.databricks.com\n* ideas.databricks.com\n* kb.azuredatabricks.net\n* kb.databricks.com\n* maintenance.databricks.com\n* partners.databricks.com\n* pgg11o.hubspot.databricks.com\n* preferences.databricks.com\n* sophos.corp.databricks.com\n* spark-portal.org\n* spark-summit.com\n* spark-summit.org\n* sparkhub.databricks.com\n* support.databricks.com\n* unsubscribe.corp.databricks.com\n* vpn-us.corp.databricks.com\n* databricks.com\n* sparkhub.databricks.com\n\n\n\n\n\n\n\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-03-31T11:58:15.903Z"},{"id":3679254,"new_policy":"As part of Databricks’ commitment to security, we reward security researchers who find and report to us critical security vulnerabilities and help us keep our business and customers safe. By participating in this program, you are agreeing to the Databricks [terms and conditions](#user-content-terms-and-conditions).\n\nIf you have any questions about the program, please reach out to bugbounty@databricks.com. \nGeneral Program Rules\n=================\n\nTo be eligible for a reward under this program, you must:\n* Be the first researcher to report the issue to the Databricks Security team.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n* Only interact with accounts you own or with express written permission of the account holder. Our security team is here to support your research and collaborate with you. 
\n* Use your best judgment to avoid unintentional access to customer information. As part of your research, do not modify any files or user or customer data, including permissions, and do not intentionally view or access any data beyond what is needed to prove the vulnerability.\n* Contact us immediately if you inadvertently encounter user or customer data, and immediately and securely purge any data belonging to anyone other than you that you acquire upon reporting the vulnerability to Databricks.\n* Do not disclose your report or the vulnerability without prior express written permission from Databricks.\n* Conduct your research on in-scope assets (see Resources \u0026 Getting Started).\n\nReport and Reward Guidelines\n=======================\n* Your report must be detailed and reproducible. Reports lacking the necessary information to enable Databricks to reproduce the issue are not eligible for reward. \n* All reports must be rated using CVSS v3.0 calculator. \n* When reporting, submit only one vulnerability per report, unless you need to chain vulnerabilities to provide impact or demonstrate the issue. \n* If an issue requires the execution of multiple exploits, the chain and the report must include both compiled and source versions, everything needed to execute the chain, and a sample non-destructive payload, if needed. \n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Review HackerOne’s disclosure guidelines ( https://www.hackerone.com/disclosure-guidelines ) prior to disclosing an issue under this program. 
Where there is a conflict between the disclosure guidelines and this Databricks program policy, use this program policy’s guidance.\n\nPriority Vulnerability Reward\n=====================\n**25% Additional Bounty.** Databricks will reward an additional 25% bounty on the selected category of vulnerabilities in our main testing site (extended program assets are not included in this priority vulnerability reward):\n* Privilege Escalation\n* Insecure Direct Object Reference (IDOR)\n* Improper Access Control\n\n**$3000 Cluster Breakout.** A $3000 reward is guaranteed to the researcher able to break out of our current cluster container (LXC) and execute privileged commands in adjacent LXC containers or the Host OS.\n\n# Terms and Conditions\n**Applicable Laws.** You must comply with all applicable laws, including local laws of the country or region in which you reside or in which you access or use Databricks services. \n**Bounty.** Databricks bug bounties are granted solely at Databricks’ discretion.\n**Data.** Your testing must not violate any law, or disrupt, compromise or damage data or property that is not your own. This includes attacking any devices or accounts other than your own (or those for which you have express written permission) and using social engineering (e.g., phishing, vishing, smishing) techniques. However, finding technical flaws that can be used for social engineering, such as spoofing or tampering, is allowed.\n**Finances.** You are responsible for any tax implications depending on your country of residency and citizenship. There may be additional restrictions on your ability to participate depending upon your local law.\n**General Eligibility \u0026 Sanctions.** We are unable to issue rewards to individuals who are employed by Databricks, Inc.; are an immediate family member of a person employed by Databricks, Inc.; or are under 18 years of age. We are also unable to issue rewards to individuals who are in any U.S. 
embargoed countries or on the U.S. Department’s list of Specially Designated Nationals or the U.S. Department of Commerce Denied Persons List or Entity List or any other restricted party lists.\n**Research.** Immediately stop your research and notify Databricks using the reporting process before any of the following occur:\n    * You access any accounts or data other than your own (or those for which you have express written permission from their owners)\n    * You disrupt any Databricks service\n    * You access a non-customer-facing Databricks system. \n\nIf you have already accessed data other than your own, and acquired it, contact us immediately, and securely purge any data you have acquired upon reporting the vulnerability to Databricks.\n**Safe Harbor.** A participant in this program will not be deemed to be in breach of applicable Databricks terms for in-scope actions performed by the participant where all of the following are met:\n    * The actions were performed during good-faith security research, which was, or was intended to be, responsibly reported to Databricks; \n    * The actions were performed strictly during participation in the Databricks bug bounty program; and\n    * Neither the actions nor the participant have otherwise violated these policies, such as the Data and Research sections within these Terms.\n\nResources \u0026 Getting Started\n=====================\nDatabricks Test Accounts \u0026 Credentials\n----------------------------------------\nPlease fill out the form ( https://forms.gle/JnHDuAjHh7H6SQQd7 ) so we can provide you with testing credentials, including demo (fake) accounts for use in your research. \nPlatform Documentation\n------------------------\nFor information on using Databricks, please visit https://docs.databricks.com/.\nTechnical Details\n-----------------\n* This program does not require H1 VPN. 
\n* Databricks is a Remote Code Execution environment, thus most instances of RCE are considered to be part of the product, and not vulnerabilities. Please do not report remote code execution unless you believe it is either unintended, or violates the security guarantees of the platform.\n* Notebooks execute as root and all cluster access is root - this is expected. There are no security boundaries within a cluster.\n* Please be aware the Databricks product allows launching of Spark clusters on Azure, and these clusters cost us money to run. Please be mindful of this and do not create excessive clusters.\n\nOut of Scope Vulnerabilities\n=====================\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n* Subdomain takeover\n* Known vulnerabilities in other third-party/open source libraries will not be eligible for bounty. Reports of libraries that need to be patched will still be accepted, but not rewarded with a bounty.\n* Running your own web server on the cluster to create exploits - we are aware of this.\n* Installing malicious software on services on clusters.\n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated/logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Any activity that could lead to the disruption of our service (DoS or DDoS).\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Azure Portal\n\nExtended Assets\n============\nThe out-of-scope vulnerabilities for extended assets are the same as those listed above. 
Vulnerabilities in scope:\n* Network scanning\n* Passive scanning\n* DNS scanning\n\nMain Test Site\n===========\nhttps://dbc-a1ba5468-749b.staging.cloud.databricks.com\n\nExtended Asset List\n===============\n* connect.databricks.com\n* docs-admin.databricks.com\n* docs-user.databricks.com\n* e.databricks.com\n* go.databricks.com\n* go.dev.databricks.com\n* homebrew-tap.dev.databricks.com\n* ideas.staging.databricks.com\n* info.databricks.com\n* it.corp.databricks.com\n* ok.databricks.com\n* pages.databricks.com\n* partnermarketing.databricks.com\n* signup.cloud.mrkt.databricks.com\n* signup.dev.mrkt.databricks.com\n* ssh.databricks.com\n* ssh.spark-summit.org\n* staging.spark-summit.org\n* tools.sec-sf.databricks.com\n* training.databricks.com\n* uberlyft-ns.dev.databricks.com\n* waf-test.corp.databricks.com\n* academy.databricks.com\n* accounts.cloud.databricks.com\n* community.cloud.databricks.com\n* databricks-prod-cloudfront.cloud.databricks.com\n* delta.io\n* demo.cloud.databricks.com\n* docs.cloud.databricks.com\n* docs.databricks.com\n* docs.delta.io\n* files.training.databricks.com\n* ftp.databricks.com\n* go.corp.databricks.com\n* gw1-ap.corp.databricks.com\n* gw1-eu.corp.databricks.com\n* gw1-us.corp.databricks.com\n* gw2-us.corp.databricks.com\n* help.corp.databricks.com\n* help.databricks.com\n* ideas.databricks.com\n* kb.azuredatabricks.net\n* kb.databricks.com\n* maintenance.databricks.com\n* partners.databricks.com\n* pgg11o.hubspot.databricks.com\n* preferences.databricks.com\n* sophos.corp.databricks.com\n* spark-portal.org\n* spark-summit.com\n* spark-summit.org\n* sparkhub.databricks.com\n* support.databricks.com\n* unsubscribe.corp.databricks.com\n* vpn-us.corp.databricks.com\n* databricks.com\n* 
sparkhub.databricks.com\n\n\n\n\n\n\n\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-10-31T21:35:17.694Z"},{"id":3679252,"new_policy":"As part of Databricks’ commitment to security, we reward security researchers who find and report to us critical security vulnerabilities and help us keep our business and customers safe. By participating in this program, you are agreeing to the Databricks [terms and conditions](#user-content-Terms-and-Conditions).\n\nIf you have any questions about the program, please reach out to bugbounty@databricks.com. \nGeneral Program Rules\n=================\n\nTo be eligible for a reward under this program, you must:\n* Be the first researcher to report the issue to the Databricks Security team.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n* Only interact with accounts you own or with express written permission of the account holder. Our security team is here to support your research and collaborate with you. \n* Use your best judgment to avoid unintentional access to customer information. 
As part of your research, do not modify any files or user or customer data, including permissions, and do not intentionally view or access any data beyond what is needed to prove the vulnerability.\n* Contact us immediately if you inadvertently encounter user or customer data, and immediately and securely purge any data belonging to anyone other than you that you acquire upon reporting the vulnerability to Databricks.\n* Do not disclose your report or the vulnerability without prior express written permission from Databricks.\n* Conduct your research on in-scope assets (see Resources \u0026 Getting Started).\n\nReport and Reward Guidelines\n=======================\n* Your report must be detailed and reproducible. Reports lacking the necessary information to enable Databricks to reproduce the issue are not eligible for reward. \n* All reports must be rated using CVSS v3.0 calculator. \n* When reporting, submit only one vulnerability per report, unless you need to chain vulnerabilities to provide impact or demonstrate the issue. \n* If an issue requires the execution of multiple exploits, the chain and the report must include both compiled and source versions, everything needed to execute the chain, and a sample non-destructive payload, if needed. \n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Review HackerOne’s disclosure guidelines ( https://www.hackerone.com/disclosure-guidelines ) prior to disclosing an issue under this program. 
Where there is a conflict between the disclosure guidelines and this Databricks program policy, use this program policy’s guidance.\n\nPriority Vulnerability Reward\n=====================\n**25% Additional Bounty.** Databricks will reward an additional 25% bounty on the selected category of vulnerabilities in our main testing site (extended program assets are not included in this priority vulnerability reward):\n* Privilege Escalation\n* Insecure Direct Object Reference (IDOR)\n* Improper Access Control\n\n**$3000 Cluster Breakout.** A $3000 reward is guaranteed to the researcher able to break out of our current cluster container (LXC) and execute privileged commands in adjacent LXC containers or the Host OS.\n\n# Terms and Conditions\n**Applicable Laws.** You must comply with all applicable laws, including local laws of the country or region in which you reside or in which you access or use Databricks services. \n**Bounty.** Databricks bug bounties are granted solely at Databricks’ discretion.\n**Data.** Your testing must not violate any law, or disrupt, compromise or damage data or property that is not your own. This includes attacking any devices or accounts other than your own (or those for which you have express written permission) and using social engineering (e.g., phishing, vishing, smishing) techniques. However, finding technical flaws that can be used for social engineering, such as spoofing or tampering, is allowed.\n**Finances.** You are responsible for any tax implications depending on your country of residency and citizenship. There may be additional restrictions on your ability to participate depending upon your local law.\n**General Eligibility \u0026 Sanctions.** We are unable to issue rewards to individuals who are employed by Databricks, Inc.; are an immediate family member of a person employed by Databricks, Inc.; or are under 18 years of age. We are also unable to issue rewards to individuals who are in any U.S. 
embargoed countries or on the U.S. Department’s list of Specially Designated Nationals or the U.S. Department of Commerce Denied Persons List or Entity List or any other restricted party lists.\n**Research.** Immediately stop your research and notify Databricks using the reporting process before any of the following occur:\n    * You access any accounts or data other than your own (or those for which you have express written permission from their owners)\n    * You disrupt any Databricks service\n    * You access a non-customer-facing Databricks system. \n\nIf you have already accessed data other than your own, and acquired it, contact us immediately, and securely purge any data you have acquired upon reporting the vulnerability to Databricks.\n**Safe Harbor.** A participant in this program will not be deemed to be in breach of applicable Databricks terms for in-scope actions performed by the participant where all of the following are met:\n    * The actions were performed during good-faith security research, which was, or was intended to be, responsibly reported to Databricks; \n    * The actions were performed strictly during participation in the Databricks bug bounty program; and\n    * Neither the actions nor the participant have otherwise violated these policies, such as the Data and Research sections within these Terms.\n\nResources \u0026 Getting Started\n=====================\nDatabricks Test Accounts \u0026 Credentials\n----------------------------------------\nPlease fill out the form ( https://forms.gle/JnHDuAjHh7H6SQQd7 ) so we can provide you with testing credentials, including demo (fake) accounts for use in your research. \nPlatform Documentation\n------------------------\nFor information on using Databricks, please visit https://docs.databricks.com/.\nTechnical Details\n-----------------\n* This program does not require H1 VPN. 
\n* Databricks is a Remote Code Execution environment, thus most instances of RCE are considered to be part of the product, and not vulnerabilities. Please do not report remote code execution unless you believe it is either unintended, or violates the security guarantees of the platform.\n* Notebooks execute as root and all cluster access is root  - this is expected. There are no security boundaries within a cluster.\n* Please be aware the Databricks product allows launching of Spark clusters on Azure, and these clusters cost us money to run. Please be mindful of this and do not create excessive clusters.\n\nOut of Scope Vulnerabilities\n=====================\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n* Subdomain takeover\n* Known vulnerabilities in other third-party/open source libraries will not be eligible for bounty.  Reports of libraries that need to be patched will still be accepted, but not rewarded with a bounty.\n* Running your own web server on the cluster to create exploits - we are aware of this.\n* Installing malicious software on services on clusters.\n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated/logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Any activity that could lead to the disruption of our service (DoS or DDoS).\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Azure Portal\n\nExtended Assets\n============\nThe out-of-scope vulnerabilities for extended assets is the same as those listed above. 
Vulnerabilities in scope:\n* Network scanning\n* Passive scanning\n* DNS scanning\n\nMain Test Site\n===========\nhttps://dbc-a1ba5468-749b.staging.cloud.databricks.com\n\nExtended Asset List\n===============\n* connect.databricks.com\n* docs-admin.databricks.com\n* docs-user.databricks.com\n* e.databricks.com\n* go.databricks.com\n* go.dev.databricks.com\n* homebrew-tap.dev.databricks.com\n* ideas.staging.databricks.com\n* info.databricks.com\n* it.corp.databricks.com\n* ok.databricks.com\n* pages.databricks.com\n* partnermarketing.databricks.com\n* signup.cloud.mrkt.databricks.com\n* signup.dev.mrkt.databricks.com\n* ssh.databricks.com\n* ssh.spark-summit.org\n* staging.spark-summit.org\n* tools.sec-sf.databricks.com\n* training.databricks.com\n* uberlyft-ns.dev.databricks.com\n* waf-test.corp.databricks.com\n* academy.databricks.com\n* accounts.cloud.databricks.com\n* community.cloud.databricks.com\n* databricks-prod-cloudfront.cloud.databricks.com\n* delta.io\n* demo.cloud.databricks.com\n* docs.cloud.databricks.com\n* docs.databricks.com\n* docs.delta.io\n* files.training.databricks.com\n* ftp.databricks.com\n* go.corp.databricks.com\n* gw1-ap.corp.databricks.com\n* gw1-eu.corp.databricks.com\n* gw1-us.corp.databricks.com\n* gw2-us.corp.databricks.com\n* help.corp.databricks.com\n* help.databricks.com\n* ideas.databricks.com\n* kb.azuredatabricks.net\n* kb.databricks.com\n* maintenance.databricks.com\n* partners.databricks.com\n* pgg11o.hubspot.databricks.com\n* preferences.databricks.com\n* sophos.corp.databricks.com\n* spark-portal.org\n* spark-summit.com\n* spark-summit.org\n* sparkhub.databricks.com\n* support.databricks.com\n* unsubscribe.corp.databricks.com\n* vpn-us.corp.databricks.com\n* databricks.com\n* 
sparkhub.databricks.com\n\n\n\n\n\n\n\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-10-31T21:33:09.262Z"},{"id":3677824,"new_policy":"THIS PROGRAM DOESN'T REQUIRE H1 VPN\n\nDatabricks looks forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe.\n\n# SLA\nDatabricks will make a best effort to meet the following SLAs for hackers participating in our program:\n* Time to first response (from report submit) - 5 business days\n* Time to triage (from report submit) - 10 business days\n* Time to bounty (from triage) - 10 business days\n\n# Disclosure Policy\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Performing social engineering (e.g. phishing, vishing, smishing) is prohibited. However, finding technical flaws that can be used for social engineering (e.g. 
spoofing, tampering) is allowed.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n* Only interact with accounts you own or with explicit permission of the account holder.\n* All reports must be rated using the CVSS v3.0 calculator.\n\n# Priority Vulnerability Reward\nEvery valid finding submitted to the program is welcome and rewarded. To focus attention on the areas we consider more critical for our customers, this program pays an additional 25% bounty on the selected category of vulnerabilities in our main testing site (extended program assets are not included):\n* Privilege Escalation\n* Insecure Direct Object Reference (IDOR)\n* Improper Access Control\nAlso, a $3000 reward is guaranteed to the person able to break out of our current cluster container (LXC) and execute privileged commands in adjacent LXC containers or the Host OS.\n\n\n# [Databricks Credentials](https://forms.gle/JnHDuAjHh7H6SQQd7)\n* Please fill out the form above to be provided with testing credentials.\n\n# Documentation\n* For information on using Databricks, please visit https://docs.databricks.com/.\n\n# IMPORTANT - PLEASE READ\n* Databricks is a Remote Code Execution environment, thus most instances of RCE are considered to be part of the product, and not vulnerabilities. Please do not report remote code execution unless you believe it is either unintended, or violates the security guarantees of the platform.\n* Notebooks execute as root and all cluster access is root - this is expected. There are no security boundaries within a cluster.\n* Please be aware the Databricks product allows launching of Spark clusters on Azure, and these clusters cost us money to run. 
Please be mindful of this and do not create excessive clusters.\n * Please follow the below configuration when creating new clusters:\n{F254952}\n\n# Out of scope vulnerabilities\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n \n* Subdomain takeover\n* Known vulnerabilities in other third-party/open source libraries will be eligible for bounty if a working exploit is provided. Reports of libraries that need to be patched will still be accepted, but not rewarded with a bounty unless an exploit is provided.\n* Running your own web server on the cluster to create exploits - we are aware of this.\n* Installing malicious software on services on clusters.\n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated/logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Any activity that could lead to the disruption of our service (DoS or DDoS).\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Azure Portal\n\nThank you for helping keep Databricks and our users safe!\n\n\nDatabricks extended bounty program:\n===========================\nDatabricks is expanding the H1 program not only to our core application but to a number of services. \n\n**Any disruption testing is forbidden. These are production hosts**\n\n* Known vulnerabilities in other third-party/open source libraries will be eligible for bounty if a PoC exploit is provided. 
Reports of libraries that need to be patched will still be accepted, but not rewarded with a bounty unless an exploit is provided.\n\n##In scope for extended assets:\n* Network scanning\n* Passive scanning\n* DNS scanning\n\n##Out of scope for extended assets is the following:\n* Active vulnerability finding (ie. create fake accounts, requests that could change the inner state of service, etc.)\n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated/logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Any activity that could lead to the disruption of our service (DoS or DDoS).\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Azure Portal\n\n##Main test site:\n* dbc-a1ba5468-749b.staging.cloud.databricks.com\n\n##Extended assets list:\n* connect.databricks.com\n* docs-admin.databricks.com\n* docs-user.databricks.com\n* e.databricks.com\n* go.databricks.com\n* go.dev.databricks.com\n* homebrew-tap.dev.databricks.com\n* ideas.staging.databricks.com\n* info.databricks.com\n* it.corp.databricks.com\n* ok.databricks.com\n* pages.databricks.com\n* partnermarketing.databricks.com\n* signup.cloud.mrkt.databricks.com\n* signup.dev.mrkt.databricks.com\n* ssh.databricks.com\n* ssh.spark-summit.org\n* staging.spark-summit.org\n* tools.sec-sf.databricks.com\n* training.databricks.com\n* uberlyft-ns.dev.databricks.com\n* waf-test.corp.databricks.com\n* academy.databricks.com\n* accounts.cloud.databricks.com\n* community.cloud.databricks.com\n* databricks-prod-cloudfront.cloud.databricks.com\n* delta.io\n* demo.cloud.databricks.com\n* docs.cloud.databricks.com\n* docs.databricks.com\n* docs.delta.io\n* files.training.databricks.com\n* ftp.databricks.com\n* go.corp.databricks.com\n* gw1-ap.corp.databricks.com\n* gw1-eu.corp.databricks.com\n* gw1-us.corp.databricks.com\n* 
gw2-us.corp.databricks.com\n* help.corp.databricks.com\n* help.databricks.com\n* ideas.databricks.com\n* kb.azuredatabricks.net\n* kb.databricks.com\n* maintenance.databricks.com\n* partners.databricks.com\n* pgg11o.hubspot.databricks.com\n* preferences.databricks.com\n* sophos.corp.databricks.com\n* spark-portal.org\n* spark-summit.com\n* spark-summit.org\n* sparkhub.databricks.com\n* support.databricks.com\n* unsubscribe.corp.databricks.com\n* vpn-us.corp.databricks.com\n* www.databricks.com\n* www.sparkhub.databricks.com\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-09-28T20:12:50.892Z"},{"id":3671686,"new_policy":"THIS PROGRAM DOESN'T REQUIRE H1 VPN\n\nDatabricks looks forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe.\n\n# SLA\nDatabricks will make a best effort to meet the following SLAs for hackers participating in our program:\n* Time to first response (from report submit) - 5 business days\n* Time to triage (from report submit) - 10 business days\n* Time to bounty (from triage) - 10 business days\n\n# Disclosure Policy\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. 
If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Performing social engineering (e.g. phishing, vishing, smishing) is prohibited. However, finding technical flaws that can be used for social engineering (e.g. spoofing, tampering) is allowed.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n* Only interact with accounts you own or with explicit permission of the account holder.\n* All reports must be rated using the CVSS v3.0 calculator.\n\n# Priority Vulnerability Reward\nEvery valid finding submitted to the program is welcome and rewarded. To focus attention on the areas we consider more critical for our customers, this program pays an additional 25% bounty on the selected category of vulnerabilities in our main testing site (extended program assets are not included):\n* Privilege Escalation\n* Insecure Direct Object Reference (IDOR)\n* Improper Access Control\nAlso, a $3000 reward is guaranteed to the person able to break out of our current cluster container (LXC) and execute privileged commands in adjacent LXC containers or the Host OS.\n\n\n# [Databricks Credentials](https://forms.gle/JnHDuAjHh7H6SQQd7)\n* Please fill out the form above to be provided with testing credentials.\n\n# Documentation\n* For information on using Databricks, please visit https://docs.databricks.com/.\n\n# IMPORTANT - PLEASE READ\n* Databricks is a Remote Code Execution environment, thus most instances of RCE are considered to be part of the product, and not vulnerabilities. 
Please do not report remote code execution unless you believe it is either unintended, or violates the security guarantees of the platform.\n* Notebooks execute as root and all cluster access is root - this is expected. There are no security boundaries within a cluster.\n* Please be aware the Databricks product allows launching of Spark clusters on Azure, and these clusters cost us money to run. Please be mindful of this and do not create excessive clusters.\n* Please follow the configuration below when creating new clusters:\n{F254952}\n\n# Out of scope vulnerabilities\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n\n* Known vulnerabilities in other third-party/open source libraries will be eligible for bounty if a working exploit is provided. Reports of libraries that need to be patched will still be accepted, but not rewarded with a bounty unless an exploit is provided.\n* Running your own web server on the cluster to create exploits - we are aware of this.\n* Installing malicious software on services on clusters.\n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated/logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Any activity that could lead to the disruption of our service (DoS or DDoS).\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.\n* Azure Portal\n\nThank you for helping keep Databricks and our users safe!\n\n\nDatabricks extended bounty program:\n===========================\nDatabricks is expanding the H1 program not only to our core application but to a number of services. 
\n\n**Any disruption testing is forbidden. These are production hosts**\n\n* Known vulnerabilities in other third-party/open source libraries will be eligible for bounty if a PoC exploit is provided. Reports of libraries that need to be patched will still be accepted, but not rewarded with a bounty unless an exploit is provided.\n\n##In scope for extended assets:\n* Network scanning\n* Passive scanning\n* DNS scanning\n\n##Out of scope for extended assets is the following:\n* Active vulnerability finding (ie. create fake accounts, requests that could change the inner state of service, etc.)\n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated/logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Any activity that could lead to the disruption of our service (DoS or DDoS).\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Azure Portal\n\n##Main test site:\n* dbc-a1ba5468-749b.staging.cloud.databricks.com\n\n##Extended assets list:\n* connect.databricks.com\n* docs-admin.databricks.com\n* docs-user.databricks.com\n* e.databricks.com\n* go.databricks.com\n* go.dev.databricks.com\n* homebrew-tap.dev.databricks.com\n* ideas.staging.databricks.com\n* info.databricks.com\n* it.corp.databricks.com\n* ok.databricks.com\n* pages.databricks.com\n* partnermarketing.databricks.com\n* signup.cloud.mrkt.databricks.com\n* signup.dev.mrkt.databricks.com\n* ssh.databricks.com\n* ssh.spark-summit.org\n* staging.spark-summit.org\n* tools.sec-sf.databricks.com\n* training.databricks.com\n* uberlyft-ns.dev.databricks.com\n* waf-test.corp.databricks.com\n* academy.databricks.com\n* accounts.cloud.databricks.com\n* community.cloud.databricks.com\n* databricks-prod-cloudfront.cloud.databricks.com\n* delta.io\n* demo.cloud.databricks.com\n* docs.cloud.databricks.com\n* docs.databricks.com\n* 
docs.delta.io\n* files.training.databricks.com\n* ftp.databricks.com\n* go.corp.databricks.com\n* gw1-ap.corp.databricks.com\n* gw1-eu.corp.databricks.com\n* gw1-us.corp.databricks.com\n* gw2-us.corp.databricks.com\n* help.corp.databricks.com\n* help.databricks.com\n* ideas.databricks.com\n* kb.azuredatabricks.net\n* kb.databricks.com\n* maintenance.databricks.com\n* partners.databricks.com\n* pgg11o.hubspot.databricks.com\n* preferences.databricks.com\n* sophos.corp.databricks.com\n* spark-portal.org\n* spark-summit.com\n* spark-summit.org\n* sparkhub.databricks.com\n* support.databricks.com\n* unsubscribe.corp.databricks.com\n* vpn-us.corp.databricks.com\n* www.databricks.com\n* www.sparkhub.databricks.com\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-05-18T17:08:41.302Z"},{"id":3666310,"new_policy":"THIS PROGRAM DOESN'T REQUIRE H1 VPN\n\nDatabricks looks forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe.\n\n# SLA\nDatabricks will make a best effort to meet the following SLAs for hackers participating in our program:\n* Time to first response (from report submit) - 5 business days\n* Time to triage (from report submit) - 10 business days\n* Time to bounty (from triage) - 10 business days\n\n# Disclosure Policy\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. 
If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Performing social engineering (e.g. phishing, vishing, smishing) is prohibited. However, finding technical flaws that can be used for social engineering (e.g. spoofing, tampering) is allowed.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n* Only interact with accounts you own or with explicit permission of the account holder.\n* All reports must be rated using the CVSS v3.0 calculator.\n\n# Priority Vulnerability Reward\nEvery valid finding submitted to the program is welcome and rewarded. To focus attention on the areas we consider more critical for our customers, this program pays an additional 25% bounty on the selected category of vulnerabilities in our main testing site (extended program assets are not included):\n* Privilege Escalation\n* Insecure Direct Object Reference (IDOR)\n* Improper Access Control\nAlso, a $3000 reward is guaranteed to the person able to break out of our current cluster container (LXC) and execute privileged commands in adjacent LXC containers or the Host OS.\n\n\n# [Databricks Credentials](https://forms.gle/JnHDuAjHh7H6SQQd7)\n* Please fill out the form above to be provided with testing credentials.\n\n# Documentation\n* For information on using Databricks, please visit https://docs.databricks.com/.\n\n# IMPORTANT - PLEASE READ\n* Databricks is a Remote Code Execution environment, thus most instances of RCE are considered to be part of the product, and not vulnerabilities. 
Please do not report remote code execution unless you believe it is either unintended, or violates the security guarantees of the platform.\n* Notebooks execute as root and all cluster access is root - this is expected. There are no security boundaries within a cluster.\n* Please be aware the Databricks product allows launching of Spark clusters on Azure, and these clusters cost us money to run. Please be mindful of this and do not create excessive clusters.\n* Please follow the configuration below when creating new clusters:\n{F254952}\n\n# Out of scope vulnerabilities\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n\n* Known vulnerabilities in other third-party/open source libraries will be eligible for bounty if a working exploit is provided. Reports of libraries that need to be patched will still be accepted, but not rewarded with a bounty unless an exploit is provided.\n* Running your own web server on the cluster to create exploits - we are aware of this.\n* Installing malicious software on services on clusters.\n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated/logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Any activity that could lead to the disruption of our service (DoS or DDoS).\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.\n* Azure Portal\n\nThank you for helping keep Databricks and our users safe!\n\n\nDatabricks extended bounty program:\n===========================\nDatabricks is expanding the H1 program not only to our core application but to a number of services. 
\n\n**Any disruption testing is forbidden. These are production hosts**\n\n* Known vulnerabilities in other third-party/open source libraries will be eligible for bounty if a PoC exploit is provided. Reports of libraries that need to be patched will still be accepted, but not rewarded with a bounty unless an exploit is provided.\n\n##In scope for extended assets:\n* Network scanning\n* Passive scanning\n* DNS scanning\n\n##Out of scope for extended assets is the following:\n* Active vulnerability finding (ie. create fake accounts, requests that could change the inner state of service, etc.)\n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated/logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Any activity that could lead to the disruption of our service (DoS or DDoS).\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Azure Portal\n\n##Main test site:\n* dbc-a1ba5468-749b.staging.cloud.databricks.com\n\n##Extended assets list:\n* connect.databricks.com\n* docs-admin.databricks.com\n* docs-user.databricks.com\n* e.databricks.com\n* go.databricks.com\n* go.dev.databricks.com\n* homebrew-tap.dev.databricks.com\n* ideas.staging.databricks.com\n* info.databricks.com\n* it.corp.databricks.com\n* jamf-cdn.corp.databricks.com\n* ok.databricks.com\n* pages.databricks.com\n* partnermarketing.databricks.com\n* signup.cloud.mrkt.databricks.com\n* signup.dev.mrkt.databricks.com\n* ssh.databricks.com\n* ssh.spark-summit.org\n* staging.spark-summit.org\n* tools.sec-sf.databricks.com\n* training.databricks.com\n* uberlyft-ns.dev.databricks.com\n* waf-test.corp.databricks.com\n* academy.databricks.com\n* accounts.cloud.databricks.com\n* community.cloud.databricks.com\n* databricks-prod-cloudfront.cloud.databricks.com\n* delta.io\n* demo.cloud.databricks.com\n* 
docs.cloud.databricks.com\n* docs.databricks.com\n* docs.delta.io\n* files.training.databricks.com\n* ftp.databricks.com\n* go.corp.databricks.com\n* gw1-ap.corp.databricks.com\n* gw1-eu.corp.databricks.com\n* gw1-us.corp.databricks.com\n* gw2-us.corp.databricks.com\n* help.corp.databricks.com\n* help.databricks.com\n* ideas.databricks.com\n* jamf.corp.databricks.com\n* kb.azuredatabricks.net\n* kb.databricks.com\n* maintenance.databricks.com\n* partners.databricks.com\n* pgg11o.hubspot.databricks.com\n* preferences.databricks.com\n* sophos.corp.databricks.com\n* spark-portal.org\n* spark-summit.com\n* spark-summit.org\n* sparkhub.databricks.com\n* support.databricks.com\n* unsubscribe.corp.databricks.com\n* vpn-us.corp.databricks.com\n* www.databricks.com\n* www.sparkhub.databricks.com\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-02-09T19:14:24.010Z"},{"id":3665692,"new_policy":"THIS PROGRAM DOESN'T REQUIRE H1 VPN\n\nDatabricks looks forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe.\n\n# SLA\nDatabricks will make a best effort to meet the following SLAs for hackers participating in our program:\n* Time to first response (from report submit) - 5 business days\n* Time to triage (from report submit) - 10 business days\n* Time to bounty (from triage) - 10 business days\n\n# Disclosure Policy\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. 
If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Performing social engineering (e.g. phishing, vishing, smishing) is prohibited. However, finding technical flaws that can be used for social engineering (e.g. spoofing, tampering) is allowed.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n* Only interact with accounts you own or with explicit permission of the account holder.\n\n# Priority Vulnerability Reward\nEvery valid finding submitted to the program is welcome and rewarded. To focus attention on the areas we consider more critical for our customers, this program pays an additional 25% bounty on the selected category of vulnerabilities in our main testing site (extended program assets are not included):\n* Privilege Escalation\n* Insecure Direct Object Reference (IDOR)\n* Improper Access Control\nAlso, a $3000 reward is guaranteed to the person able to break out of our current cluster container (LXC) and execute privileged commands in adjacent LXC containers or the Host OS.\n\n\n# [Databricks Credentials](https://forms.gle/JnHDuAjHh7H6SQQd7)\n* Please fill out the form above to be provided with testing credentials.\n\n# Documentation\n* For information on using Databricks, please visit https://docs.databricks.com/.\n\n# IMPORTANT - PLEASE READ\n* Databricks is a Remote Code Execution environment, thus most instances of RCE are considered to be part of the product, and not vulnerabilities. 
Please do not report remote code execution unless you believe it is either unintended, or violates the security guarantees of the platform.\n* Notebooks execute as root and all cluster access is root - this is expected. There are no security boundaries within a cluster.\n* Please be aware the Databricks product allows launching of Spark clusters on Azure, and these clusters cost us money to run. Please be mindful of this and do not create excessive clusters.\n* Please follow the configuration below when creating new clusters:\n{F254952}\n\n# Out of scope vulnerabilities\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n\n* Known vulnerabilities in other third-party/open source libraries will be eligible for bounty if a working exploit is provided. Reports of libraries that need to be patched will still be accepted, but not rewarded with a bounty unless an exploit is provided.\n* Running your own web server on the cluster to create exploits - we are aware of this.\n* Installing malicious software on services on clusters.\n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated/logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Any activity that could lead to the disruption of our service (DoS or DDoS).\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.\n* Azure Portal\n\nThank you for helping keep Databricks and our users safe!\n\n\nDatabricks extended bounty program:\n===========================\nDatabricks is expanding the H1 program not only to our core application but to a number of services. 
\n\n**Any disruption testing is forbidden. These are production hosts**\n\n* Known vulnerabilities in other third-party/open source libraries will be eligible for bounty if a PoC exploit is provided. Reports of libraries that need to be patched will still be accepted, but not rewarded with a bounty unless an exploit is provided.\n\n##In scope for extended assets:\n* Network scanning\n* Passive scanning\n* DNS scanning\n\n##Out of scope for extended assets is the following:\n* Active vulnerability finding (ie. create fake accounts, requests that could change the inner state of service, etc.)\n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated/logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Any activity that could lead to the disruption of our service (DoS or DDoS).\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Azure Portal\n\n##Main test site:\n* dbc-a1ba5468-749b.staging.cloud.databricks.com\n\n##Extended assets list:\n* connect.databricks.com\n* docs-admin.databricks.com\n* docs-user.databricks.com\n* e.databricks.com\n* go.databricks.com\n* go.dev.databricks.com\n* homebrew-tap.dev.databricks.com\n* ideas.staging.databricks.com\n* info.databricks.com\n* it.corp.databricks.com\n* jamf-cdn.corp.databricks.com\n* ok.databricks.com\n* pages.databricks.com\n* partnermarketing.databricks.com\n* signup.cloud.mrkt.databricks.com\n* signup.dev.mrkt.databricks.com\n* ssh.databricks.com\n* ssh.spark-summit.org\n* staging.spark-summit.org\n* tools.sec-sf.databricks.com\n* training.databricks.com\n* uberlyft-ns.dev.databricks.com\n* waf-test.corp.databricks.com\n* academy.databricks.com\n* accounts.cloud.databricks.com\n* community.cloud.databricks.com\n* databricks-prod-cloudfront.cloud.databricks.com\n* delta.io\n* demo.cloud.databricks.com\n* 
docs.cloud.databricks.com\n* docs.databricks.com\n* docs.delta.io\n* files.training.databricks.com\n* ftp.databricks.com\n* go.corp.databricks.com\n* gw1-ap.corp.databricks.com\n* gw1-eu.corp.databricks.com\n* gw1-us.corp.databricks.com\n* gw2-us.corp.databricks.com\n* help.corp.databricks.com\n* help.databricks.com\n* ideas.databricks.com\n* jamf.corp.databricks.com\n* kb.azuredatabricks.net\n* kb.databricks.com\n* maintenance.databricks.com\n* partners.databricks.com\n* pgg11o.hubspot.databricks.com\n* preferences.databricks.com\n* sophos.corp.databricks.com\n* spark-portal.org\n* spark-summit.com\n* spark-summit.org\n* sparkhub.databricks.com\n* support.databricks.com\n* unsubscribe.corp.databricks.com\n* vpn-us.corp.databricks.com\n* www.databricks.com\n* www.sparkhub.databricks.com\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-02-01T16:22:04.243Z"}]