Atlan's Responsible Disclosure Program
Jan 15, 2026
Share this article
Security is fundamental to Atlan’s mission of building a trusted data and AI platform for regulated enterprises. We value the security research community and believe that responsible vulnerability disclosure strengthens the security of our products, services, and customers.
This Vulnerability Disclosure Policy (VDP) establishes guidelines for security researchers to report vulnerabilities they discover in Atlan’s systems. We are committed to working with researchers who act in good faith to help us maintain the highest security standards.
Program Scope
Permalink to “Program Scope”In-Scope Assets
Permalink to “In-Scope Assets”We welcome security testing on the following Atlan-owned assets:
Cloud Services
Permalink to “Cloud Services”*.atlan.com(excluding explicitly out-of-scope domains listed below)- Atlan’s main application and associated services that process customer data
- API endpoints and authentication systems
Open Source Repositories
Permalink to “Open Source Repositories”- https://github.com/atlanhq/application-sdk
- https://github.com/atlanhq/atlan-python
- https://github.com/atlanhq/agent-toolkit
Out-of-Scope Assets
Permalink to “Out-of-Scope Assets”The following assets are NOT authorized for testing:
https://atlan.com(Marketing website)- Third-party services not owned or controlled by Atlan, including:
https://blog.atlan.comhttps://university.atlan.comhttps://humansofdata.atlan.comhttps://docs.atlan.com
Rules of Engagement
Permalink to “Rules of Engagement”To qualify for safe harbor protection and be eligible for recognition, you must:
Required Conduct
Permalink to “Required Conduct”Act in Good Faith
Permalink to “Act in Good Faith”- Make every effort to avoid privacy violations, data destruction, or service degradation
- Use exploits only to the extent necessary to confirm a vulnerability’s existence
- Immediately cease testing and report if you encounter customer data, PII, or sensitive information
- Perform testing only on in-scope systems
Test Responsibly
Permalink to “Test Responsibly”- Do not access, modify, or delete data belonging to others without explicit permission
- Limit automated scanning to prevent service degradation
- Do not leverage access to one customer’s data to access another customer’s data
Report Promptly
Permalink to “Report Promptly”- Submit vulnerability reports through our official channels within a reasonable timeframe
- Provide sufficient detail for our security team to reproduce and validate the issue
Maintain Confidentiality
Permalink to “Maintain Confidentiality”- Keep vulnerability details confidential between yourself and Atlan until we have resolved the issue and agreed on disclosure timing
- Follow our coordinated disclosure process
- Do not share, discuss, or publish vulnerability details until we provide explicit authorization
Communicate Through Official Channels
Permalink to “Communicate Through Official Channels”- Use only our designated submission platform for all vulnerability-related communications
- Do not use social media, public forums, or other channels for disclosure
Prohibited Activities
Permalink to “Prohibited Activities”The following activities are strictly prohibited and will result in immediate disqualification from the program:
- Network-level Denial of Service (DoS/DDoS) attacks
- Physical testing or social engineering of Atlan employees, contractors, or customers
- Testing on systems outside the defined scope
- Activities that harm the integrity, confidentiality, or availability of Atlan’s services or customer data
- Accessing, modifying, or exfiltrating customer data without explicit authorization
- Violations of applicable laws or third-party terms of service
Vulnerability Submission Guidelines
Permalink to “Vulnerability Submission Guidelines”How to Report
Permalink to “How to Report”Submit all vulnerability reports through our official submission form:
-
Submission Portal: Google Form Link
-
Alternative contact for emergencies or if the form is unavailable:
Email: [email protected]
For sensitive information: Please encrypt with our PGP key (provided at the end of this document)
Required Information
Permalink to “Required Information”To ensure efficient triage and resolution, please include:
Vulnerability Details
Permalink to “Vulnerability Details”- Type of vulnerability (e.g., XSS, SQL injection, authentication bypass, RCE)
- Affected product, service, or repository
- Specific URL, endpoint, or code location
- Affected version or commit hash (for open source repositories)
Reproduction Steps
Permalink to “Reproduction Steps”- Clear, step-by-step instructions to reproduce the vulnerability
- Proof-of-concept code, scripts, or screenshots
- Sample payloads or test cases
- IP address and/or user agent used during testing
- Video demonstration (optional but highly valued)
Impact Assessment
Permalink to “Impact Assessment”- Potential impact on security, data confidentiality, integrity, or availability
- Attack complexity and prerequisites
- Your recommended CVSS score (if applicable)
Contact Information
Permalink to “Contact Information”- Your name or handle (for recognition)
- Email address for communication
- Twitter/LinkedIn profile (if you want public recognition)
Submission Best Practices
Permalink to “Submission Best Practices”- Be concise but complete – Include all necessary details without excessive narrative
- One vulnerability per report – Submit separate reports for distinct issues
- Quality over quantity – Focus on impactful, well-researched findings
- Provide proof-of-concept (POC) – Screenshots, videos under 100MB, or via password-protected Vimeo for larger files (avoid web-hosted POC links)
- Avoid bulk automated scanner output – Validate findings before submission
Out-of-Scope Vulnerabilities
Permalink to “Out-of-Scope Vulnerabilities”The following issues are not eligible for rewards and may be marked as invalid:
Explicitly Excluded
Permalink to “Explicitly Excluded”- Physical security issues (e.g., office access, tailgating)
- Social engineering attacks (e.g., phishing, vishing)
- Findings from automated scanners without demonstrated exploitability
- Generic “best practice” recommendations without security impact
- Functional bugs, UI/UX issues, or spelling mistakes
Common Low-Impact Issues
Permalink to “Common Low-Impact Issues”These issues rarely qualify unless you can demonstrate a chained attack with significant impact:
Authentication & Sessions
Permalink to “Authentication & Sessions”- Username enumeration via login or password reset error messages
- Missing account lockout or rate limiting on authentication endpoints
- Lack of CAPTCHA or weak CAPTCHA implementation
- Logout CSRF
Headers & Configuration
Permalink to “Headers & Configuration”- Missing HTTP security headers (e.g., X-Frame-Options, X-Content-Type-Options)
- Missing or incomplete security.txt file
- Missing email authentication records (SPF, DKIM, DMARC)
- Presence of autocomplete or password save functionality
- OPTIONS/TRACE HTTP methods enabled
SSL/TLS
Permalink to “SSL/TLS”- SSL/TLS attacks (BEAST, BREACH, renegotiation)
- Missing forward secrecy
- Weak cipher suites (unless supporting only outdated versions)
Content Security
Permalink to “Content Security”- Content Security Policy (CSP) best practices without bypass
- Open redirect without additional security impact
- Clickjacking on pages without sensitive actions
- CSRF on unauthenticated or low-impact actions
Information Disclosure
Permalink to “Information Disclosure”- Descriptive error messages (e.g., stack traces on public pages)
- HTTP 404 or non-200 status codes
- Banner or version disclosure on common services
- Disclosure of known public files (robots.txt, .well-known/)
- Internal IP address disclosure
- Path disclosure in error messages
Dependencies & Client-Side
Permalink to “Dependencies & Client-Side”- Vulnerable libraries without a demonstrated exploit path
- Issues affecting only outdated or unsupported browsers/platforms
- Self-XSS requiring significant user interaction
Atlan’s Commitments
Permalink to “Atlan’s Commitments”When you submit a vulnerability report in good faith and according to this policy, Atlan commits to:
Response Timeline
Permalink to “Response Timeline”Our Response Commitments:
- Triage and Validation: Within 7 business days
- Progress Updates: Regular updates until resolution
Fix Notification: We will notify you when we have:
- Validated the vulnerability
- Developed and tested a fix
- Deployed the fix to production
Recognition
Permalink to “Recognition”Hall of Fame
Permalink to “Hall of Fame”- We maintain a Security Researchers Hall of Fame
- Researchers who submit validated vulnerabilities will be recognized with their name and social profile (with permission)
- Recognition is added once the vulnerability is fixed and disclosed
Rewards & Recognition
Permalink to “Rewards & Recognition”Reward Eligibility
Permalink to “Reward Eligibility”While we deeply appreciate all security research, rewards are discretionary and based on:
- Severity and Impact: How significantly the vulnerability affects Atlan’s security posture
- Quality of Report: Clarity, completeness, and actionability of the submission
- Uniqueness: First reporter of the vulnerability receives the reward
- Scope Compliance: Vulnerability found in authorized scope
- Policy Adherence: Full compliance with all program guidelines
Reward Structure
Permalink to “Reward Structure”Rewards are issued as:
- Amazon gift cards
- Atlan swag and merchandise
- Public recognition on our Hall of Fame
Note: Reward amounts are determined case-by-case based on vulnerability severity, business impact, and other factors. Only one reward is issued per unique vulnerability.
Ineligible for Rewards
Permalink to “Ineligible for Rewards”- Duplicate reports (credit goes to first reporter)
- Out-of-scope findings
- Issues with no demonstrated security impact
- Reports about third-party services (should be reported to the third-party)
- Reports from individuals who do not comply with this policy
Hall of Fame
Permalink to “Hall of Fame”We thank the security researchers who help make Atlan safer.
2026
Permalink to “2026”- Trilok Dhaked (https://www.linkedin.com/in/trilokdhaked/)
PGP Encryption
Permalink to “PGP Encryption”For submitting sensitive vulnerability information, please use our PGP key:
Key Type: RSA
UserID: Atlan Security [email protected]
-----BEGIN PGP PUBLIC KEY BLOCK-----
mQINBGlnTAEBEACyzkhv0TKo+aeuOcCAX63kzVqG/XmYbG3mwXWmdxrJGXJCtGgb
yvELNm+iQJqsgPiCGJT0HHsI5W23YFupbbQBHXTpq4BdCKie7k24GRdann4oO1Rc
FGd0xAd0wTcfcrSzaA2ueM8PrM1zzTxIpsesvob5YSuWLqf55hc2PPezUs0nxAZK
21bOu81UL26IHn4fJ9ca6N3v46uflM+6/BwVWmbjbYDbg8ehsd6yELgJ//PJ1vBy
UAjVz7OwjmHrWiH+UgpKsEmbUHcKLqDUBIOSoZvW76EO39Ko9XTh8hPz+epgej4L
KvSh6957SMqcnQ91DSRSLQj6ShBd1mdg5PzFY/kOH7HiXsZanAKV5VK3B0x5I8vO
il4GCp9OMHvK9Yb7vj4QYvcd9YrEiJHe40eYsButrRdLbXuVuTfnpJ3W4SW1GAIx
BxmFvvvMC5zfW4QBldaXT0lG3A8JfeB6ulwr9nFmo3Z29mb/E/AQOlf6VoENdqRL
9NPzk7CrvLcC3tFGeqXdFc+KLRtqaWmI51J0vKEfKrNZ9BD2nMxl39CFM4xeAt42
R2MLqNjzyYYjzxFjKZZstUgKx/t8rPoBd47NgkvstbqrKX2PhlkyaJK7qymiE65U
fxM9slVXdC4HBlRKw1We7HvTvdD+O8YhvAxYvnlNhGfXdLx7WVkcRppPGwARAQAB
tCNBdGxhbiBTZWN1cml0eSA8c2VjdXJpdHlAYXRsYW4uY29tPokCVwQTAQgAQRYh
BIOqn+atE9miul8KH3g8tg68fshEBQJpZ0wBAhsDBQkFo5qABQsJCAcCAiICBhUK
CQgLAgQWAgMBAh4HAheAAAoJEHg8tg68fshEgOYQAJa5WWBj2hft2CylQv+Qy8Ab
aMPOWSNP6r30ozXDQf1/jxKgj0qaeo40S4Ub+vRbE2zzcbtJjaP7HNG/0n6ZrrmA
rTEtg0dM9/06okgkMPJK1W/EkH9tkd6pWXxnc723wH5yEkB7MIPBB/9VTObAuw+z
xQnYKwxOPag21wheW67XKMg0TMdA+X17Dn2bAQZdOJm7gEPqfXzMd1yFT/UnCCO8
rmmMCR3GQS4iC320B/06JMzg2diht0V6IkEyq2TvPPeMyvLYFl7eLQw/hgdedXHh
P4Zm+a3p2fO5Vl+wL6wJ+lcSJhMdxDNAwSn+bwXs5aO4J6c90viLswwPd2/+BMSt
iR1E+ka+aXkLDUOdfpBAU/wFc6BaOxE05v59+IQwH6We0QIZnXFxSvN8lybfnSOf
R/aX6Fp87/6dGRGC9hD2f1KD9t7QvMzQcBqNwF4a7k0l8VkeQ0u7qZ5evHUmW14m
iENncATHMobyCNVj73lfW0HKsC7WlMDQElqx8RiYZir8GekF8kdHcRF2QLH2zIhU
XsRjnLWquNXo9K9W62jHJu+Kjs/4xv2lQqTq3e8IXr/MZWeI7B5/fAlnvBssILpN
f3QTwRdk+y3OHzU6FP/CCGiziNoVdjzXOzqfWCItNapMJLufZnf55fwY/CmLDs3e
kYVwqobHrAgrZdrAHAYSuQINBGlnTAEBEADI9LLjcCb5zBjwY50h7kNjB/9y3QEf
e4UfX7Mr2XIZvgx+DbFapnZwDVQsgJbPflYRyx2OCuwgPKZ0KTl/RKkRNk5pC0Iq
qZ63NSvc27kTfAIXzF8y47dmE/Clav4JsVbNtYhrnJzkBrjquLrtEFQiwdkzb9P+
cOnwIX5fIf9fnOKfXEsanBbfRP/EXXdOqcdGP3t+vjS67KV2CfOjLDYw4bpvoICf
kstx84jFaZA4BcYjEVQgeDhsdukakNetc7m2cd0n6i5cQI9fO7+M/vcDS1ZC1x51
vOKySFho2D/M+LgSXXY+uj0X0TWFNIo5i+AmMzhXuO56wgzsIGjEda6C+yf+R+1w
mX1nazO1JgxKO0JRURUCysGeXcfDti38xAf9gD6RqgZ4+JhMGf44qGvq54mU+AxQ
9PnbkQOq3nUMkEzrQ2xwZMSLjN1/eIkqkLL1tb5FDS0MJtql8qv37EqQdqm9FmLc
i07FCwmYk/ewYiwzk+zhtTwoN/CVLD455S8HSL9Vdp+3JUji91r/yMSGzL68r6kM
9hEgu3Itw9tx63Ql68/DNIMuSwgT2hzFNrgF/mZd+QCavJ/8731uWZiwKI2SJ3AN
nnqrMIeeJ+RRm56nSKEz45oLigZ9ntswAQ0MDZC4Y+Zm1sU8CJROCm2LN9O2MLqH
HfE/iyGxnwqVlQARAQABiQI8BBgBCAAmFiEEg6qf5q0T2aK6XwofeDy2Drx+yEQF
AmlnTAECGwwFCQWjmoAACgkQeDy2Drx+yEQ3mhAAreN663Fp4dXUfyhmyxgii4xV
k5U8aBeOaUqRYJpElif7fSF6d8hlDtLL1eDWortuLHHxKj2xbv2XFuzssoIIRcsy
HFyXVCsoEg6uRQ8goFRmos1hgvzo0kPopnm2pmSO3QFrXlTN1ZM2N3d1iHl5Vk5B
JeTrr6OILVVzuLC52cVf8eLv3ThxsT2rJZatdlzJTiEOcGvwCbmp26UJ++VzGzHL
ME28IRGjCoYvvsAYTR9bLSZKT5dBDM7CZvS4EisRQaEGWE7NeNJItm1P1iVooi8P
lX9nPEMKthqVT4rt6YNuv0raZ2L5WYze2lSlyNQ2AmBLdzsqVtm2IAfjyG2kZiCn
JDgLw7bs9oWY1jOyfOHxYgGYnwFhOlUYP3Rz2pjVwAT1L0m3D4EIFhiFIOh05pA7
ULQ8I5ckhb7+A1HX8/KLOfPmwupP1lrC3xiUzmsMmrzXJQuWkzf788DRxeLLbiA/
zu61XQylOZRGkftotX07m5O87QAxATJvFgI4gH8CWv3KHOTCcElpIkW0f0G776+q
U7Ho5bRM0MsXRIxuDk79vn99aMRV1DMEOX0c0dZ3KNhV1i27hSjE4U6ofwrmgNOM
XsJ34vrzGucTZ1W9NuSgfL8rDN8cdrgwf1tHYPYKr6MjRsDuCkl4Prik5qXUv8Sk
cK+605F54iIiiYhetSQ=
=Ba5K
-----END PGP PUBLIC KEY BLOCK-----
Thank you for helping keep Atlan and our customers secure.
Share this article