Security
The Weights & Biases platform offers robust security features to ensure your data is protected and secured. Your data is protected with preconfigured security features for authentication, authorization, encryption, and more.
Additionally, Weights & Biases maintains industry-leading security controls within the organization to provide Weights & Biases personnel proper training, access, and additional security protections.
Access provisioning
Customers maintain and manage their user base ensuring that only authorized users are able to access the customer’s program and account. Weights & Biases offers Role-Based Access Controls (RBAC) to provide that level of granularity that is often needed for proper access management.
Security testing
Part of securing data is making sure that vulnerabilities are identified and remediated in a timely manner. Weights & Biases uses a combination of regular vulnerability testing as well as penetration testing to accomplish this goal.
Auditing and compliance
Weights & Biases maintains a mature auditing and compliance program through an internal auditing program as well as utilizing a third-party auditor.
Weights & Biases is SOC2 and HIPAA compliant.
Encryption
Weights & Biases data encryption offers robust features to protect your data while in-transit using TLS 1.2+ and at-rest using AES 256, ensuring your data is encrypted throughout its lifecycle.
Authentication and authorization
Keeping customer data secure and protected is ingrained into the Weights & Biases DNA. Proper access controls are part of this mission. Weights & Biases provides a couple of avenues for authentication and authorization; one of which being Single Sign On (SSO) using OIDC, LDAP, or SAML.
Bug bounty program overview
Welcome to the Weights & Biases Bug Bounty Program! We’re thrilled to invite skilled cybersecurity enthusiasts and ethical hackers to join us in fortifying the security of our systems. Our program offers an opportunity for you to leverage your expertise and creativity in identifying vulnerabilities within our digital infrastructure. By participating, you’ll not only contribute to the enhancement of our security posture but also play a crucial role in safeguarding the privacy and integrity of our users’ data. Join us in our mission to create a safer digital environment, and let’s work together to squash bugs and strengthen our defenses.
Scope
Only findings for domains under this Scope section qualify for an award. Additionally, any findings that have been previously reported and tracked will not be eligible for an award.
https://qa.wandb.ai
https://api.qa.wandb.ai
All other subdomains are excluded from scope.
Scope exclusions
- Denial of Service (especially, self-DoS issues where only the person doing the action is denied service)
- Rate limiting bypass, except those that have a direct security impact
- Missing DKIM/DMARC/SPF DNS records on domains that do not send email
- Clickjacking on pages with no sensitive actions
- Open redirect, except those that have a direct security impact such as sending authentication tokens to an arbitrary domain
- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions
- Attacks requiring MITM or physical access to a user’s device
- Previously known vulnerable libraries without a working Proof of Concept
- Missing best practices in SSL/TLS configuration.
- Content spoofing and text injection issues without showing an attack vector or without being able to modify HTML/CSS
- Software version disclosure
- Broken link hijacking
Rules of engagement
We will only engage with and accept quality reports that include:
- Detailed description of issue with clear, reproducible steps
- Screenshots and/or videos demonstrating a proof-of-concept
- Impact of the vulnerability
- In your email to the Security team, include in the subject line: Bug Bounty Program Disclose: [vulnerability]
- Use the User-Agent string: “bugbountyresearcher_<your_username>” while testing
- Create a dedicated account to do your testing and include the account email/username in your report
- Only perform testing against your own account
- Make a good faith effort to avoid privacy violations, data destruction, or service degradation
Non-disclosure
Individuals reporting vulnerabilities to Weights & Biases, must sign an NDA. The Weights & Biases Security team will provide you an NDA to sign.
Program policies
- DO NOT use automated vulnerability scanners/tools
- DO NOT exploit vulnerabilities beyond a proof-of-concept
- DO NOT perform Denial-of-Service or brute-force attacks
- DO NOT perform any attacks against our employees or our end users, including social engineering and phishing attacks
- DO NOT allow testing data to pass through 3rd party infrastructure during testing. Make sure that all traffic goes through domains only you have control over. Exposing vulnerability and sensitive data will result in complete forfeiture of any reward.
- If you encounter user information that is not your own in the course of your research, please stop and report this activity to our team so we can investigate. Do not save, copy, transfer, or otherwise use this data. Continuing to access another person’s data may be regarded as a violation of our Rules of Engagement.
Sanctioned countries or entities
Individuals participating in the program may not be a resident of, or make your submission from, a country against which the United States has issued export sanctions or other trade restrictions (e.g. Cuba, Iran, North Korea, Syria, the Crimea Region, or any other jurisdiction or area designated by the United States Treasury’s Office of Foreign Assets Control).
Age restrictions
Researchers who would like to submit a vulnerability may not be less than 16 years of age – if you are at least 16 years old, but are considered a minor in your place of residence, you must get your parent’s or legal guardian’s permission prior to participating.
Report a bug
Vulnerabilities can be reported to security@wandb.com.
- In your email to the Security team, include in the subject line: Bug Bounty Program Disclose: [vulnerability]
- Refer to the Rules of Engagement for additional details for reporting.
Tiers
Bounties are classified into the following tiers:
Tier 3: Low severity bugs ($50-$100)
- Self-XSS (XSS requiring interaction other than browsing to exploit)
- Server misconfiguration or provisioning errors
- And other low-severity issues as determined by the Weights & Biases Security Team
Tier 2: Medium severity bugs ($100-$300)
- XSS on pages accessible only to members
- Cross-Site Request Forgery on Sensitive Actions or Functions (CSRF/XSRF)
- And other medium-severity issues as determined by the Weights & Biases Security Team
Tier 1: High severity bugs ($300-$750)
- XSS on pages accessible without logging in
- Session hijacking
- Member data exfiltration
Tier 0: Critical severity bugs ($750-$1000)
- SQL Injection
- Remote Code Execution
- Privilege Escalation
- SSRF to an internal service
Request security info
You can request additional information about our SOC2 report, penetration testing, or additional documentation below. Please be explicit in the comment box about your request.
Subprocessors
If you’d like to be notified when changes are made to this subprocessors page, please fill out the form beneath the table.
Company | Location | Additional Details |
---|---|---|
AWS | United States or as chosen by the customer | Cloud Hosting Provider- IaaS |
Azure | United States or as chosen by the customer | Cloud Hosting Provider- IaaS |
GCP | United States or as chosen by the customer | Cloud Hosting Provider- IaaS |
Clickhouse | United States | Data Hosting Provider for Weave |
Census | United States | Data ETL |
Datadog | United States or as chosen by the customer | Platform monitoring |
dbt Labs | United States | Data ETL |
FullStory | United States or as chosen by the customer | Session Recording |
Segment | United States | Analytics Platform |
Tableau | United States | Analytics Platform |