Introduction
Astronomer is committed to empowering data teams by securely handling mission-critical analytics, AI, and software. Systems of this complexity can harbor vulnerabilities, and transparency, collaboration, and community involvement remain at the core of our approach to finding them. To address these challenges, we are launching the Astronomer Vulnerability Disclosure Program, inviting the global security community to help identify and address potential vulnerabilities.
Through our partnership with Bugcrowd, we aim to streamline the submission process and encourage security researchers to report bugs, vulnerabilities, or flaws. By participating in this program, you contribute to strengthening our systems and safeguarding the sensitive data our customers manage. We value your findings and recognize their critical role in maintaining robust security.
Confidentiality
By engaging in security testing of Astronomer products or participating in this program and/or submitting a security vulnerability to Astronomer, you agree to comply with the following confidentiality provisions.
“Confidential Information” means (i) all Astronomer information obtained during security testing or via your participation in the Astronomer Vulnerability Disclosure Program, (ii) all information disclosed to you in connection with the Bugcrowd Bounty Brief, and (iii) all submissions by you. You are not granted any rights in Astronomer’s Confidential Information or intellectual property by engaging in any testing or participating in Astronomer’s Vulnerability Disclosure Program.
Confidential Information does not include information that (i) is or becomes publicly available through no fault of your own and without breaching these provisions, (ii) is independently developed without use of or reference to Confidential Information, or (iii) is or becomes known by you from a source not bound by confidentiality restrictions.
Before engaging in any testing or submitting findings, you agree (i) to hold Confidential Information in strict confidence, (ii) to protect such Confidential Information from unauthorized use or disclosure, (iii) to not disclose such Confidential Information to any third party including the public, (iv) to not use such Confidential Information for any purpose outside the scope of participating in Astronomer’s Vulnerability Disclosure Program, and (v) to notify Astronomer immediately upon discovery of any loss or unauthorized disclosure of Confidential Information. Notwithstanding the foregoing, you may disclose Astronomer’s Confidential Information to Astronomer or to Bugcrowd via the Bugcrowd partner portal.
Vulnerability program scope and rules
In-scope
- Authentication/session management related issues
- Remote code execution outside of DAGs and the Astro CLI
- Access to underlying containers
- Compromise of Astronomer user accounts
- Compromise of Astronomer Organizations (somehow infiltrating another organization)
- Cross-Deployment namespace access
- Spawning of containers outside of a DAG
Out-of-scope
The following are considered “out of scope” for our responsible disclosure program.
- Execution of malicious Python code in a Directed Acyclic Graph (DAG)
- Unauthorized denial of service (DoS) attacks, including brute force, password spraying, and API brute-forcing
- Attacks that disrupt services, degrade user experience, or damage data outside of your own instance
- Attacks using stolen, leaked, or shared credentials
- Unauthorized access to data not necessary to demonstrate a vulnerability
- Phishing, social engineering, or physical attacks against Astronomer employees or offices
- Targeting systems not listed as “in-scope”, or unrelated systems such as email servers and spam-protection protocols (DMARC, DKIM)
- Vulnerabilities in systems using end-of-life (EOL) or end-of-support (EOS) software
- Exploiting insecure SSL/TLS or HTTP headers without providing a proof of concept
- Attacks against open-source repositories or upstream packages unless reproducible on Astro
- Disclosure of known public files and other information disclosures that aren’t a material risk (e.g. robots.txt)
- Domains CNAME’d to third-party service providers
- API key permissions, scopes, and privileges, except where API authorization, authentication, or session handling is vulnerable and can be exploited to access other instances
- Cookie transfers between browsers
- Account management actions that do not impact instances you don’t own
- Purposely misconfiguring third-party data sources for attacks beyond your own instance
- Bypassing IP or geo-blocking by using a VPN
Safe Harbor
For specifics on safe harbor, please refer to the Astronomer Vulnerability Disclosure Policy located at https://trust.astronomer.io/.
Vulnerability Rewards
Astronomer retains sole discretion in determining which submissions are eligible for bounty rewards. To qualify for a reward, your submission must meet the following criteria:
- Valid Security Impact: The vulnerability must have a demonstrable security impact on Astronomer’s systems or users. The issue should be exploitable and pose a genuine risk.
- In-Scope Vulnerability: The reported issue must fall within the program’s defined in-scope vulnerabilities. Submissions related to out-of-scope vulnerabilities, as defined in the “Vulnerability program scope and rules” section, are not eligible for rewards.
- Original Finding: The submission must be an original finding, not previously reported or known to Astronomer. Duplicate submissions are not eligible for rewards.
- Detailed Report: The submission must include a detailed description of the vulnerability, including steps to reproduce the issue, the potential impact, and suggested mitigations if applicable. Reports lacking sufficient detail may not qualify for a reward.
- Good Faith Testing: The testing and reporting must be conducted in good faith, in accordance with this policy, and without causing disruption to Astronomer’s services or violating any laws.
- No Public Disclosure: The vulnerability must not have been disclosed publicly or to any third party before Astronomer has had the opportunity to address the issue. Publicly disclosed vulnerabilities are ineligible for rewards.
- Follow Reporting Guidelines: The vulnerability must be reported through the appropriate channels, such as the Bugcrowd partner portal, using the provided submission form.
- Respectful and Professional Conduct: Participants must engage with the Astronomer security team respectfully and professionally throughout the process.
Rewards are granted at Astronomer’s sole discretion based on the severity, impact, and quality of the report. Astronomer reserves the right to modify or discontinue the reward program at any time.
Reporting a security vulnerability
Please use the following form to report security vulnerabilities to Astronomer through the Bugcrowd partner portal. Astronomer’s vulnerability severity rating is generally derived from the CVSS score of the reported issue.