
Thoughtspot's Bug Bounty Program

Help us keep Thoughtspot secure

About This Program

Please read the following guidelines carefully before submitting a report

Welcome to the Thoughtspot Vulnerability Disclosure Program

Thoughtspot is committed to the safety and security of our products and services. We appreciate the valuable contributions of the security research community in helping us identify and address potential vulnerabilities. Through this Vulnerability Disclosure Program (VDP), we invite you to responsibly disclose any security issues you may discover within our in-scope assets.

Guidelines for Security Researchers

  • We welcome security research that is conducted in a responsible manner and aligns with the scope of this program.
  • Please do not engage in any activities that could disrupt our services or systems, such as Denial of Service (DoS) attacks.
  • Avoid any testing that could lead to data breaches, system compromise, or other malicious outcomes.
  • Do not attempt social engineering, phishing, or any other techniques that aim to deceive our employees or users.

Scope of the Program

We are interested in receiving reports for the following types of vulnerabilities:

  • Code execution vulnerabilities
  • Sensitive data exposure
  • Privilege escalation
  • Authentication and authorization flaws
  • Insecure configurations
  • Cross-Site Scripting (XSS)
  • Cross-Site Request Forgery (CSRF)
  • And other common web application vulnerabilities

Rules of Engagement

  • Engage with our program in good faith and do not attempt to exploit any vulnerabilities you discover.
  • Provide us with a detailed report of your findings, including steps to reproduce the issue.
  • Allow us reasonable time to investigate and remediate the vulnerability before disclosing it publicly.
  • Do not publicly disclose any vulnerabilities you have discovered without our permission.

Safe Harbor

We will not pursue any legal action or initiate a law enforcement report against you as long as you comply with the rules of engagement. Your safety and the safety of our users are our top priority.

Disclosure Timeline

When you report a vulnerability, we will acknowledge receipt within 5 business days. We will then work to investigate the issue and provide an initial assessment within 14 business days. If the vulnerability is confirmed, we will work to remediate it as quickly as possible and coordinate the public disclosure timeline with you.

Recognition and Rewards

We appreciate the time and effort you invest in helping us improve the security of our products and services. While we do not offer a formal bug bounty program at this time, we will provide public recognition for your contributions and may offer other forms of appreciation.

Contact

For questions about this policy or to submit a report:

Our Brands & Subsidiaries

Our security program covers the following companies and brands

Mode Analytics

mode.com

In Scope

The following assets are eligible for testing

*.thoughtspot.com
https://thoughtspot.com
https://mode.com
*.mode.com

Out of Scope

Please do not test these assets

Third-party services and SaaS tools
Corporate blog or marketing sites (if separate domain)
Test/staging environments (*.test.*, *.staging.*)
Physical security testing
Social engineering
Denial of Service attacks
Spam/automated scanners

Contact

For questions about this program, contact us at: [email protected]
