Why Grafana Will Pay Good Money for Bounty Hunters
Grafana is beginning to lose its innocence as it moves past its fledging startup stage with its widely popular Grafana panel and open source tools to assume the problems of a multibillion-dollar tech company. Chief among its emerging concerns: security, of course, as attackers and data thieves are finding an increasingly attractive target among its 10-million and growing user base. Grafana’s growing investments in security offer paramount evidence of its new status as a larger player, as well as its rush to find and patch vulnerabilities before real damage can occur. A case in point is how its 9.1.2 and Image Renderer 3.6.1 releases include a high-severity security fix for Grafana instances that are using the Grafana Image Renderer plugin (CVE-2022-31176).
This major security fix also coincides with Grafana’s decision to ramp up its investments in security engineers and to offer a sizeable sum of money for those who successfully find major security flaws by paying bug bounty hunters directly during the coming months (the size of the bounty rewards has yet to be disclosed).
“We are experiencing normal growing pains as an organization,” Thomas Owen, chief information security officer for Grafana Labs told The New Stack. “But as I see this, I’m actually being asked to make many fewer trade-offs,” since Grafana is making more than merely adequate investments in security.
Indeed, Owen said he was pleasantly surprised that Grafana is more than just on board to provide the necessary support for Owen’s program as a security officer. “We’re releasing a bounty program that is turned towards the high end of payouts,” Owen said. “We’re doing something a bit unusual that we’re going to run it ourselves and won’t outsource it. We’re going to try and leverage the fact that we are such an incredible community-driven machine, and we are going to try and run a bug bounty along the same principles.”
Bug Fix Timeline
The idea is to find and fix vulnerabilities and publicize the updates as loudly as possible. What Grafana nor any company wants is to make headlines about a missed vulnerability that lead to major data attacks and exposures following undetected rampant exploits. For the high-severity security fix for Grafana instances for the Grafana Image Renderer plugin that was issued with the most recent Grafana release, an internal security researcher discovered on August 11.
Grafana says the Grafana installations and Image Renderer plugin should be upgraded among users using the Grafana Image Renderer plugin with HTTP remoting. Grafana communicated the following upgrade instructions:
Upgrade your Grafana instance.
Upgrade your Grafana Image Renderer with the Docker image grafana/grafana-image-renderer:3.6.1.
In the rendering section of Grafana configuration file, define a strong secret in renderer_token.
Configure the same secret for the Image Renderer either via an environment variable called AUTH_TOKEN or by adding auth_token config key in the [plugin.grafana-image-renderer] section of Grafana config.
Restart your Grafana instance.
Restart your Grafana Image Renderer Docker image.
If you can’t upgrade, as a workaround it is possible to disable HTTP remote rendering or stop using the Grafana Image Renderer plugin entirely.