ThoughtSpot Responsible Disclosure Program

Table of Contents

  1. Overview
  2. Scope
  3. Rules of Engagement
  4. Safe Harbor
  5. How to Submit a Report
  6. Public Disclosure
  7. Duplicate Policy
  8. Recognition and Rewards
  9. Legal

1. Overview

ThoughtSpot is committed to the security of our products and the protection of our customers' data. We value the work of security researchers who help us identify vulnerabilities before malicious actors can exploit them. This program establishes the framework for reporting security vulnerabilities and outlines expectations for both researchers and ThoughtSpot throughout that process.

We ask the security community to give us an opportunity to fix reported vulnerabilities before sharing information about them with any third party. ThoughtSpot will not pursue legal action against researchers who follow the guidelines below and responsibly disclose security vulnerabilities directly to ThoughtSpot. ThoughtSpot reserves all legal rights in the event of noncompliance with these program guidelines.

2. Scope

2.1 In-Scope Assets

Asset                  | Details
ThoughtSpot Cloud      | *.thoughtspot.cloud and *.thoughtspot.com production services
Mobile Applications    | iOS and Android apps
Developer Platform     | REST APIs, Embedded Analytics, SpotDev
Public Repositories    | Public repositories under github.com/thoughtspot
Authentication & SSO   | Where ThoughtSpot controls the implementation

2.2 Out-of-Scope Assets

  • Third-party integrations and connectors, including Snowflake, BigQuery, Salesforce, etc. Report directly to those vendors.
  • Customer-controlled data warehouses, cloud accounts, or infrastructure
  • Corporate IT systems, including employee email, HR systems, and internal non-customer-facing tools
  • ThoughtSpot marketing website static pages and blog, unless a significant vulnerability exists
  • Beta/preview features not generally available, unless specifically approved in writing
  • Social engineering attacks targeting ThoughtSpot employees
  • Physical security of ThoughtSpot offices or data centers

2.3 In-Scope Vulnerability Types

  • Remote Code Execution (RCE)
  • SQL Injection / NoSQL Injection
  • Authentication bypass or authorization flaws
  • Server-Side Request Forgery (SSRF)
  • Privilege escalation, including tenant-to-tenant and user-to-admin
  • Sensitive data exposure, including customer data, credentials, and PII
  • Cross-Site Scripting (XSS) with meaningful demonstrated impact
  • Cross-Site Request Forgery (CSRF) with meaningful demonstrated impact
  • Insecure Direct Object Reference (IDOR)
  • Cryptographic weaknesses affecting data confidentiality

2.4 Out-of-Scope Vulnerability Types

  • Vulnerabilities requiring physical access to a user's device
  • Self-XSS, where the victim must be the attacker
  • Tab-nabbing or clickjacking without demonstrated real-world impact
  • Missing security headers without demonstrable exploitability, such as missing HSTS or X-Frame-Options alone
  • SPF/DKIM/DMARC issues without demonstrated email spoofing impact
  • Rate limiting issues unrelated to authentication or sensitive operations
  • Username/email enumeration via timing differences with no practical exploitation path
  • Vulnerabilities in outdated browsers more than 2 major versions behind current
  • SSL/TLS configuration issues with no direct exploitability
  • Denial of Service (DoS) or Distributed Denial of Service (DDoS) attacks
  • Automated scanner output without manual validation and confirmed exploitability
  • Publicly known vulnerabilities already documented in ThoughtSpot's CVE disclosures
  • Vulnerabilities solely present in customer-controlled configurations
  • Vulnerabilities that are mitigated by security configurations available but not enabled on trial or test environments, such as security flags disabled by default on free trial clusters

3. Rules of Engagement

To qualify for recognition or rewards, researchers must adhere to the following:

  1. Report promptly. Submit your finding as soon as it is validated. Do not sit on vulnerabilities.
  2. Do not exploit beyond proof of concept. Access only what is strictly necessary to confirm the vulnerability exists. Do not exfiltrate, modify, or delete data.
  3. Stop immediately if you encounter customer data. If you access data belonging to ThoughtSpot customers, stop research immediately, do not copy or retain any of it, and include the access path in your report.
  4. Use only accounts you control. Do not target accounts belonging to other customers or ThoughtSpot employees without explicit written permission.
  5. Avoid service disruption. No automated flooding, DoS attempts, or actions that could degrade availability for other users.
  6. No social engineering. Do not trick or deceive ThoughtSpot employees, customers, or partners.
  7. No physical testing. Do not attempt to access ThoughtSpot offices, hardware, or physical infrastructure.
  8. Keep findings confidential. Do not disclose vulnerability details publicly or to third parties without prior written consent from ThoughtSpot.
  9. No threats or extortion. Threatening to publish vulnerabilities unless paid is not responsible disclosure and will be treated accordingly.
  10. When in doubt, ask first. If you are unsure whether a specific action is within scope, email responsible.disclosure@thoughtspot.com before proceeding.

4. Safe Harbor

ThoughtSpot will not initiate or support legal action against researchers for security research conducted in accordance with this program. Specifically, ThoughtSpot:

  • Considers research conducted under this program to be authorized access under applicable computer crime laws, including the Computer Fraud and Abuse Act (CFAA) and equivalent laws in other jurisdictions.
  • Waives restrictions in ThoughtSpot's Terms of Service and Acceptable Use Policy that would otherwise prohibit good-faith security research activities under this program.
  • Will not pursue civil or criminal legal action for accidental, good-faith violations of this program, such as briefly viewing customer data while confirming an IDOR before immediately stopping.
  • Will publicly advocate on your behalf and make this authorization known if a third party initiates legal action against you for research conducted in good faith under this program.

Important: This safe harbor applies only to ThoughtSpot's own legal claims. ThoughtSpot cannot and does not authorize testing of third-party systems and cannot bind customers, cloud providers, or other third parties. If you are uncertain whether a specific action is permitted, contact us before proceeding.

5. How to Submit a Report

Submission portal: https://bugspot.thoughtspot.com/

Please include the following in your report:

Field                  | Description
Vulnerability type     | e.g., "SQL Injection in ThoughtSpot Cloud REST API"
Affected component     | Specific URL, API endpoint, feature, or module
Severity assessment    | CVSS v3.1 base score and the full vector string it was derived from
Reproduction steps     | Exact steps, stating whether you start from an unauthenticated or an authenticated session
Proof of concept       | Screenshots, screen recording, or code
Impact description     | What data or functionality is at risk, and for whom
Contact information    | For follow-up; a pseudonym is acceptable
Suggested mitigations  | Optional but appreciated

Reports missing reproduction steps or impact descriptions will be deprioritized.

6. Public Disclosure

ThoughtSpot does not permit any disclosure of findings without prior written consent from ThoughtSpot. Researchers must keep all vulnerability details, including the existence of a reported vulnerability, confidential at all times.

7. Duplicate Policy

  • The first reporter of a valid, unique issue receives full credit.
  • If your report materially adds to an existing finding, such as a new attack vector or higher-severity PoC, it may be eligible for partial credit at our discretion.
  • Simultaneous discovery by multiple researchers will be resolved by submission timestamp in the portal.
  • We will tell you a duplicate exists but will not disclose the prior reporter's identity or submission details.

8. Recognition and Rewards

8.1 Hall of Fame

All valid reports meeting the criteria above are eligible for public recognition in ThoughtSpot's Security Acknowledgement page, with researcher consent. Attribution includes name or alias and vulnerability category.

8.2 Monetary Rewards

Vulnerability Category                  | Reward Eligibility
RCE, auth bypass, tenant data exposure  | Monetary reward at ThoughtSpot's discretion, based on impact and report quality
All other valid in-scope findings       | Hall of Fame acknowledgment

Vulnerability Severity*  | Bounty Amount
Critical                 | 500 USD
High                     | 200 - 500 USD
Medium & Low             | No bounty

Rewards are not issued for: vulnerabilities already known to ThoughtSpot, out-of-scope findings, reports that violate the rules of engagement, or automated scanner output without manual validation.

* ThoughtSpot recalculates the severity of each reported vulnerability using CVSS, taking into account the security controls in place in the ThoughtSpot environment; the bounty tier follows this recalculated severity, not the score submitted with the report.

9. Legal

Any unauthorized activity outside the terms of this program may be subject to legal action pursuant to applicable laws and company policies. If, at any time, you have concerns or are uncertain whether your security research is consistent with the terms of this program, stop testing and contact responsible.disclosure@thoughtspot.com. Email communication between you and ThoughtSpot, including without limitation emails you send to ThoughtSpot reporting a potential security vulnerability, should not contain any of your proprietary information. The contents of all email communication you send to ThoughtSpot shall be considered non-proprietary. ThoughtSpot, or any of its affiliates, may use such communication or material for any purpose whatsoever, including, but not limited to, reproduction, disclosure, transmission, publication, broadcast, and further posting. By submitting any information, you grant ThoughtSpot a perpetual, royalty-free, and irrevocable right and license to use, reproduce, modify, adapt, publish, translate, distribute, transmit, publicly display, publicly perform, sublicense, create derivative works from, transfer, and sell such information. This program does not grant researchers any right, title, or interest in ThoughtSpot intellectual property.

This program is governed by the laws of the State of California. ThoughtSpot reserves the right to update this program at any time; material changes will be published with an updated effective date. This program applies globally. Researchers are responsible for ensuring their testing activities comply with applicable laws in their jurisdiction.

©2026 ThoughtSpot Inc.
All Rights Reserved