If you wish to report any suspected vulnerability, please privately share full details of the suspected vulnerability by sending an email to security@domo.com. By including all relevant information in your report, you will enable the Domo security team to validate and reproduce the issue and resolve it in a timely manner.

Please do:

  • Privately share the potential security vulnerability with Domo before disclosing to third parties or publicly;
  • Provide full step by step details on the reported security vulnerability and the details of the technology involved so that it can be reproduced and validated by Domo to apply the fix;
  • Wait for confirmation from the Domo security team that the reported security vulnerability has been remediated. Since some vulnerabilities take longer than others to resolve, it is important to have an open line of communication and to establish expectations on the timing of remediation;
  • Report all vulnerabilities that fall within OWASP Top 10 vulnerability categories;
  • Report all other vulnerabilities with demonstrated impact to Domo or Domo customer security, including any disclosure of sensitive data.

Please do not:

  • Do or fail to do anything that may cause potential or actual harm to Domo or Domo customers, systems, users or applications;
  • Exploit a security issue you discover;
  • Access or attempt to access any sensitive data;
  • Attempt to demonstrate additional compromise of sensitive data or probe for additional issues;
  • Execute or attempt to execute any DoS, Spam, Brute Force, etc. types of attack or any other testing that may impact the confidentiality, integrity or availability of Domo systems or data;
  • Conduct any kind of physical, electronic or social engineering types of attack on Domo personnel, contractors, property or data centers;
  • Report any low impact vulnerabilities such as issues related to password/credential strength, length, lockouts, or lack of brute-force/rate limiting protections, low-impact CSRF (add-delete from cart, nonsevere preference options, etc.), low-impact information disclosures (such as software version disclosures), missing cookie flags, use of a known-vulnerable library which leads to a low-impact vulnerability, etc.;
  • Violate any law or breach any agreements in order to discover security vulnerabilities.