Bug Bounty Program Terms
Please note that your participation in Exirio’s Bug Bounty Program is voluntary and subject to the terms and conditions set forth on this page (the “Program Terms”). By submitting an Entry to Exirio (via email to [email protected]) you acknowledge that you have read and agreed to these Program Terms.
We run a Bug Bounty Program to incentivize white-hat hackers to continuously test our security. Should you encounter an exploitable vulnerability or security flaw in our systems, contact us to submit an Entry with a detailed description of the potential impact of the vulnerability, the steps required to reproduce it, and, where available, a video PoC. Do not modify any files or data, including permissions, and do not intentionally view and/or access any data beyond what is necessary to prove the vulnerability.
Your eligibility for a reward is based on the rules described in the Program Terms, and it remains entirely at Exirio’s discretion.
By presenting an Entry, You agree that you may not publicly disclose your findings to any third parties in any way without Exirio’s prior written approval.
Failure to comply with the Program Terms will result in immediate disqualification from the Bug Bounty Program and ineligibility for receiving any Bounty Payments.
Common “Non-qualifying” Entry Types
Some Entry types do not qualify for a reward because they have low security impact and do not trigger a code change. This section contains a non-exhaustive list of issues that are often ineligible, unless a chained attack with higher impact can be demonstrated.
- Descriptive error messages (e.g. Stack Traces, application or server errors)
- HTTP 404 codes/pages or other HTTP non-200 codes/pages
- Banner disclosure on common/public services
- Disclosure of known public files or directories (e.g. robots.txt)
- Clickjacking and issues only exploitable through clickjacking
- CSRF on forms that are available to anonymous users (e.g. the contact form)
- Logout Cross-Site Request Forgery (logout CSRF)
- Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality
- Lack of Secure and HTTP-Only cookie flags
- Lack of Security Speedbump when leaving the site
- Weak Captcha / Captcha Bypass
- Username enumeration via Login Page error message
- Username enumeration via Forgot Password error message
- Login or Forgot Password page brute force and account lockout not enforced
- OPTIONS / TRACE HTTP method enabled
- SSL Attacks such as BEAST, BREACH, Renegotiation attack
- SSL Forward secrecy not enabled
- SSL Insecure cipher suites
- Missing Anti-MIME-Sniffing header (X-Content-Type-Options)
- Missing HTTP security headers, specifically those listed at https://blog.veracode.com/2014/03/guidelines-for-setting-security-headers/
- Any physical attacks against Exirio data centers
- Man-in-the-Middle attacks
- Vulnerabilities involving stolen credentials or physical access to a device
- Social engineering attacks, including those targeting or impersonating internal employees by any means
- Vulnerabilities for which there are existing, documented controls
- Host header injections without a specific, demonstrable impact
- Denial of service (DoS) attacks using automated tools
- Self-XSS, which includes any payload entered by the victim
- Any vulnerabilities requiring significant and unlikely interaction by the victim, such as disabling browser controls
- Login/logout CSRF
- Infrastructure vulnerabilities, including:
  - Issues related to SSL certificates
  - DNS configuration issues
  - Server configuration issues (e.g. open ports, TLS versions, etc.)
- Vulnerabilities only affecting users of outdated/unpatched browsers and platforms
- Vulnerabilities that only affect one browser will be considered on a case-by-case basis, and may be closed as informative due to the reduced attack surface
- Exposed credentials that are either no longer valid, or do not pose a risk to an in scope asset
- Any XSS that requires Flash
- Phishing / Spam (including issues related to SPF/DKIM/DMARC)
- Vulnerabilities found in third party services
- EXIF data not stripped on images
You may be eligible to receive a monetary reward (“Bounty Payment”) if: (i) you are the first person to submit a vulnerability; (ii) the vulnerability is determined to be a valid security issue by Exirio; and (iii) you have complied with all Program Terms.
Exirio retains the right to determine if the bug submitted to the Bug Bounty Program is eligible.
Bounty Payments, if any, will be determined by Exirio, in Exirio’s sole discretion.
In no event shall Exirio be obligated to pay you a bounty for any vulnerability.
All Bounty Payments shall be considered gratuitous, and You have full responsibility for any tax implications related to Bounty Payments you receive, depending on the laws of your jurisdiction of residence or citizenship.
Ownership of Entries
As a condition of participation in Exirio’s Bug Bounty Program, you hereby grant Exirio, its subsidiaries, affiliates and customers a perpetual, irrevocable, worldwide, royalty-free, transferrable, sublicensable and non-exclusive license to use, reproduce, adapt, modify, publish, distribute, publicly perform, create derivative work from, make, use, sell, offer for sale and import the Entry, as well as any materials submitted to Exirio in connection therewith, for any purpose.
Any information you receive or collect about Exirio or any Exirio user through the Bug Bounty Program (“Confidential Information”) must be kept confidential and only used in connection with the Bug Bounty Program. You may not use, disclose or distribute any such Confidential Information, including, but not limited to, any information regarding your Entry and information you obtain when researching Exirio’s platforms, without Exirio’s prior written consent.
In addition to any indemnification obligations you may have under these agreements, you agree to defend, indemnify and hold Exirio, its subsidiaries, affiliates and the officers, directors, agents, joint ventures, employees and suppliers of Exirio, its subsidiaries, or our affiliates, harmless from any claim or demand (including attorneys’ fees) made or incurred by any third party due to or arising out of your Entries, your breach of these Program Terms and/or your improper use of the Bug Bounty Program.