Description

Founded in 1993, NVIDIA is the world leader in accelerated computing. Our invention of the GPU in 1999 sparked the growth of the PC gaming market, redefined computer graphics, revolutionized accelerated computing, ignited the era of modern AI, and is fueling industrial digitalization across markets. NVIDIA is now a full-stack computing infrastructure company with data-center-scale offerings that are reshaping industry.

Bounties

This is a responsible disclosure program without bounties.

Rules of engagement
Required request header: X-Intigriti-Username: <your_intigriti_handle>

By participating in this Program, you (the “Researcher”, herein referred to as “You”) agree to the following Rules of Engagement:

  • You agree to follow the Intigriti Community Code of Conduct and all applicable Intigriti Terms and Conditions.
  • You meet the Security Researcher and Submission Eligibility Criteria listed below for any NVIDIA Bug Bounty Program you choose to participate in and agree to the NVIDIA Program Conditions outlined herein.
  • You agree to adhere to the NVIDIA Bug Bounty Program Policy as defined within this program.
  • You are required to report a discovered Vulnerability in a prompt and transparent manner through the Platform.
  • Your Submission must be for an Asset (herein referred to as “product” and/or “technology”) that is identified as in scope of the NVIDIA Program(s).
  • You agree to provide detailed but to-the-point reproduction steps including a clear attack scenario (Quality over quantity).
  • You agree that in the course of your research under this Program, you will not attempt to access anyone else’s data or personal information, including by exploiting a Vulnerability. See Sensitive and Personal Information section below for additional details.
  • You agree to conduct your research within the bounds of Ethical Hacking.
  • You acknowledge that Bounty awards under this Program, including the timing, bounty amount, and form of payments, are at NVIDIA’s sole discretion and will be made by NVIDIA on a case-by-case basis. See Bounty Award Payment section for additional details.
  • You agree to maintain confidentiality regarding any vulnerability details and communications with NVIDIA. Public disclosure or sharing of findings (including on social media, video platforms, or blogs) is not allowed without prior written permission from NVIDIA.
  • You agree to adhere to any embargoes and refrain from discussing or disclosing any Vulnerability information without NVIDIA’s prior written consent (including POCs on YouTube, Vimeo, etc.).
  • You agree to practice coordinated disclosure in all of your security research conducted under the Program (this includes posting/sharing of information on any social media venue).
  • You agree to give NVIDIA a perpetual license to freely use any information and/or communications ("feedback") you provide through the reporting process in the Program.

Researcher Eligibility

To participate and qualify for potential rewards:

  • You are submitting findings on your own behalf, or, if representing an organization, you have secured written authorization from your employer.
  • You are at least 18 years old, and, if considered a minor in your place of residence, you have your parent’s or legal guardian’s permission prior to submitting a Submission.
  • You are not located in, or otherwise subject to, restrictions from countries under United States sanctions or embargoes.
  • You are not identified on any U.S. government lists of sanctioned or restricted individuals.
  • Within 6 months prior to submitting a report, you were:
    • not an employee of NVIDIA, or an NVIDIA subsidiary.
    • not under contract to NVIDIA, or an NVIDIA subsidiary.
    • neither a family nor household member of any individual who currently meets or met the criteria listed in the two bullet points directly above.
  • You are willing to collaborate with NVIDIA in validating mitigations and coordinating the public release or disclosure of vulnerabilities where applicable.
  • You did not and will not access any personal information that is not your own, including by exploiting the Vulnerability.
  • You did not and will not violate any applicable law or regulation, including laws prohibiting unauthorized access to information. NVIDIA does not consider testing that is done in compliance with the terms and conditions of this Bug Bounty Program as unauthorized.
  • There may be additional restrictions on your eligibility to participate in the Bug Bounty Program depending upon your local laws and it is your responsibility to comply with any such applicable local laws.

Testing Guidelines

Researchers are expected to:

  • Avoid any activity that could cause degradation of services or impact to NVIDIA’s users or infrastructure.
  • Use responsible automation practices. Large-scale automated testing, high-frequency scanning, or denial-of-service testing is not permitted.
  • Limit testing to the approved scope and systems explicitly listed in the Program Scope.
  • Immediately cease testing and report any vulnerability if unintended access to sensitive information occurs.
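
The two mechanical parts of these guidelines, tagging every request with the X-Intigriti-Username header required above and keeping request rates low, are easy to get wrong when a script is written in a hurry. The following is an added example (not NVIDIA's or Intigriti's code) of a small client that refuses to send unattributed traffic and spaces requests out. The header name is the one this page requires; the rate of two requests per second and the target URL target.example are assumptions for illustration.

```python
"""Tagged, throttled HTTP helper for manual research under a program that
requires an identifying header and forbids high-frequency traffic.
Added example; not NVIDIA's or Intigriti's code. The rate limit and the
target URL are assumptions."""
import time
import urllib.request

IDENTITY_HEADER = "X-Intigriti-Username"   # header name required by this program


def research_headers(username: str) -> dict:
    """Headers every request must carry; refuses to build them without a handle."""
    if not username or not username.strip():
        raise ValueError("refusing to send unattributed test traffic: set your Intigriti handle")
    handle = username.strip()
    return {
        IDENTITY_HEADER: handle,
        # A descriptive User-Agent makes the traffic easy for defenders to attribute.
        "User-Agent": f"intigriti-research/{handle}",
    }


class Throttle:
    """Minimum spacing between requests: the simplest 'responsible automation' control."""

    def __init__(self, max_per_second: float):
        if max_per_second <= 0:
            raise ValueError("rate must be positive")
        self.interval = 1.0 / max_per_second
        self._next_allowed = 0.0

    def wait(self) -> float:
        """Sleep until the next slot is free; returns the seconds actually waited."""
        now = time.monotonic()
        delay = max(0.0, self._next_allowed - now)
        if delay:
            time.sleep(delay)
        self._next_allowed = max(now, self._next_allowed) + self.interval
        return delay


def build_request(url: str, username: str, method: str = "GET") -> urllib.request.Request:
    """A tagged request. Note that urllib stores header keys capitalized
    (X-intigriti-username); HTTP header names are case-insensitive, so this is harmless."""
    return urllib.request.Request(url, headers=research_headers(username), method=method)


def fetch(url: str, username: str, throttle: Throttle, timeout: float = 10.0) -> bytes:
    """Throttled, tagged GET. This is the only function that touches the network."""
    throttle.wait()
    with urllib.request.urlopen(build_request(url, username), timeout=timeout) as resp:
        return resp.read()


if __name__ == "__main__":
    t = Throttle(max_per_second=2)          # assumed rate, well below anything that looks like scanning
    req = build_request("https://target.example/", "my_handle")   # hypothetical target
    print(req.header_items())
    print("waited", round(t.wait(), 2), "then", round(t.wait(), 2), "seconds")
```

Route every request through fetch() rather than calling urlopen directly, so that forgetting the header or the throttle becomes impossible rather than merely unlikely.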

Data Handling

Accessing, copying, or sharing user data, personal information, proprietary information, or confidential company data beyond what is necessary for vulnerability validation is strictly prohibited. If incidental data access occurs, it must be reported immediately and no further exploration should be conducted.

Submission Content Requirements

Your Submission must include the information listed below (if any piece of information below is missing, your Submission may be rejected):

  • The name(s) of the NVIDIA product and/or technology and the respective version information.
  • The NVIDIA product and/or technology must be identified and must be an in-scope product at the time of your Submission.
  • The Vulnerability you identify must be original, one that has not been previously reported to NVIDIA, nor publicly disclosed at the time of your submission.
  • Submission(s) must demonstrate that the potential Vulnerability has been proven against the most recent publicly available version of the product or technology.
  • Detailed description of the potential security Vulnerability.
  • Your Submission should explain how exploitation of the potential Vulnerability can negatively impact confidentiality, integrity, and/or availability of the affected product(s).
  • Proof-of-concept that details how to reproduce the potential security Vulnerability.
  • Provide clear instructions that, if followed by an NVIDIA product engineering team, clearly demonstrate successful exploitation of the reported issue on an impacted NVIDIA product. The more detail provided in the initial Submission, the easier it will be for NVIDIA to evaluate your information. If a potential security Vulnerability is not reproducible, your Submission may be ineligible for a Bounty award.

Recommended Format for Submission Content:

  • Overview: summary of the reported issues; statement of potential impact; name and specific version of the NVIDIA product(s)/technology impacted.
  • Details: detailed explanation of the reported issue; how it can be exploited; how exploiting it may negatively impact confidentiality, availability, and/or integrity of the affected products; likelihood of a successful exploit.
  • Proof-of-concept (POC): instructions that, if followed by an NVIDIA product engineering team, clearly demonstrate successful exploitation of the reported issue on an impacted NVIDIA product; information on how any POC code was developed and compiled; code required to execute the POC; description of the development environment and operating system revisions; compiler name, version, and options used to compile.
  • Scoring: your proposed CVSS score, CVSS vector, and justifications for the selections; identify the Common Weakness Enumeration (CWE).

Sensitive and Personal Information

Never attempt to access anyone else's data or personal information, including by exploiting a Vulnerability. Such activity is unauthorized. If during your testing you interacted with or obtained access to data or personal information of others, you must:

  • Stop your testing immediately and cease any activity that involves the data or personal information, or the Vulnerability.
  • Do not save, copy, store, transfer, disclose, or otherwise retain the data or personal information.
  • Alert NVIDIA immediately and support our investigation and mitigation efforts.

Failure to comply with any of the above will immediately disqualify any Submission from bounty award eligibility.

If you violate the Rules of Engagement, the following may occur:

  • Your Submission may be deemed ineligible.
  • Denial of any or all potential bounty awards.
  • Temporary or permanent revocation of Security Researcher eligibility.
  • Removal from current engagements and/or prohibition from future engagement eligibility.

Ownership and Licensing

By submitting a vulnerability report, researchers grant NVIDIA a perpetual, royalty-free license to use, modify, and distribute the report contents for the purpose of improving the security of its products and services.

Acknowledgement

Under the Program, NVIDIA agrees to provide named acknowledgement on an NVIDIA disclosure to the best of its ability. In particular, NVIDIA will only use the information provided by you in a Submission. Acknowledgements will include your bug bounty platform username only, unless you request otherwise in your Submission. If multiple collaborators should be acknowledged, ensure all users are included in the Submission. You may request to remain anonymous at any time prior to publication of a respective NVIDIA disclosure. NVIDIA will not edit the acknowledged name unless it is proven to be inaccurate. Additional limits may apply.

Our Promise to You

We are happy to respond to any questions that occur during your testing. Please use the feedback button in the top right corner and we will make sure to get back to you shortly.

Assets

In scope (Tier 2, type: Other): all NVIDIA assets, including NVIDIA.com.

Out of scope (type: Other): third-party systems or domains referencing NVIDIA; non-secure error reporting; third-party vulnerabilities already disclosed.

Before initiating any testing or submitting a report, please ensure that the asset in question is genuinely owned or operated by NVIDIA. Descriptive phrases such as “compatible with NVIDIA GPU” do not constitute confirmation of NVIDIA’s ownership or control. When in doubt, we strongly encourage you to verify the asset's ownership through the program team to avoid unintentional testing of third-party systems.

In scope

Welcome to NVIDIA's Vulnerability Disclosure Program (VDP)

We are delighted to have you as part of our security research community, partnering with us to safeguard NVIDIA’s products and services. At NVIDIA, we continually push the boundaries of technology and innovation, and we recognize that robust security is essential to maintain the trust of our users and partners. We truly appreciate your expertise and contributions in helping to keep our ecosystem secure.

This program applies to all NVIDIA products and services. Whether you are exploring our GPUs, software, cloud services, or AI platforms, if you discover a potential vulnerability, we want to hear from you. We are committed to responding swiftly and professionally to your reports. Our security team will work closely with you to analyze and address any issues. We strive to ensure any necessary fixes are implemented promptly across our ecosystem.

We strongly support responsible disclosure and believe in a collaborative approach to security. This means we ask that you please give us the chance to resolve issues before any public disclosure. In return, we pledge transparency and recognition for your valuable findings. Working together in this way allows us to protect our customers effectively while continuing to drive innovation without compromise. Thank you once again for helping to make NVIDIA’s technology safer and for being a vital part of our security community.


Feedback
If you would like to help us improve our program or have feedback to share, please send your anonymous feedback here:

Program feedback link
Please note this form will be checked periodically and should not be used for submission or support queries.

Out of scope

While this Vulnerability Disclosure Program covers all NVIDIA-owned products, services, and infrastructure, researchers must not test or target systems that are not owned, operated, or explicitly authorized by NVIDIA.

This includes:

  • Any third-party vendors, partners, or service providers that may host NVIDIA-related content or services (e.g., SaaS platforms, fulfilment providers, or promotional sites not operated by NVIDIA).
  • Domains, subdomains, or applications that use the term “NVIDIA” but are not officially listed as in-scope or verifiably under NVIDIA’s control.
  • Community-driven or user-hosted content, such as open forums, mirror sites, or personal projects referencing NVIDIA technologies.
  • Social media platforms, fan pages, or influencer websites that mention NVIDIA but are not managed by NVIDIA itself.
  • Any system or product that processes personal data of others, unless that access is incidental and reported immediately without further interaction.

If you are unsure whether a target is owned by NVIDIA, please contact the program team via the feedback form, before proceeding. Engaging with third-party infrastructure without permission may result in disqualification from the program and legal consequences under applicable law.
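
A practical first pass at the ownership question above is to follow the host's CNAME chain: a name under the NVIDIA apex that resolves to a help-desk, shop or marketing SaaS vendor is hosted by that vendor, which is exactly the first bullet, while a look-alike name under a different apex is the second. The following is an added example (not NVIDIA's or Intigriti's code) of that classification over constructed DNS data. The apex nvidia.example, the SaaS suffix list and every record in ANSWERS are placeholders on the reserved .example TLD, not real records; in use you would fill the answers from dig or dnspython, confirm the apex itself through RDAP registrant data, and still treat anything unclear as a question for the program team.

```python
"""Is this host actually operated by the program owner, or a third party
wearing the name? Added example of the scope check this page asks for; not
NVIDIA's or Intigriti's code. Every name, apex and suffix below is a
constructed placeholder on the .example TLD."""
from enum import Enum


class Verdict(Enum):
    FIRST_PARTY = "in scope: first-party host"
    THIRD_PARTY = "out of scope: content served by a third-party provider"
    UNVERIFIED = "not verified as first-party: ask the program team before testing"


# Assumed inputs. The apex list must itself be confirmed (RDAP/whois registrant),
# and the SaaS list is whatever vendors you have learned to recognise.
FIRST_PARTY_APEXES = ("nvidia.example",)
SAAS_SUFFIXES = (".helpdesk-vendor.example", ".saas-vendor.example", ".shop-platform.example")

ANSWERS = {  # constructed CNAME records: owner name -> target
    "support.nvidia.example": "nvidia.helpdesk-vendor.example",
    "promo.nvidia.example": "promo-nvidia.landing.example",
    "promo-nvidia.landing.example": "lb.saas-vendor.example",
    "docs.nvidia.example": "docs-nvidia.some-cdn.example",
    "loop-a.nvidia.example": "loop-b.nvidia.example",
    "loop-b.nvidia.example": "loop-a.nvidia.example",
}


def _under(name: str, apex: str) -> bool:
    return name == apex or name.endswith("." + apex)


def follow_cnames(host: str, answers: dict, max_hops: int = 8) -> list:
    """Return [host, cname1, cname2, ...] ending at the first name with no CNAME.
    Refuses loops and absurdly long chains instead of spinning."""
    chain = [host.lower().rstrip(".")]
    seen = {chain[0]}
    while chain[-1] in answers:
        nxt = answers[chain[-1]].lower().rstrip(".")
        if nxt in seen:
            raise ValueError(f"CNAME loop at {nxt}")
        if len(chain) >= max_hops:
            raise ValueError("CNAME chain too long")
        chain.append(nxt)
        seen.add(nxt)
    return chain


def classify(host: str, answers: dict, apexes=FIRST_PARTY_APEXES, saas=SAAS_SUFFIXES):
    """Classify a candidate target; returns (Verdict, resolved chain)."""
    chain = follow_cnames(host, answers)
    # Rule 1: the name must sit under a verified first-party apex. The string
    # "nvidia" appearing somewhere in a label proves nothing.
    if not any(_under(chain[0], apex) for apex in apexes):
        return Verdict.UNVERIFIED, chain
    # Rule 2: if the chain terminates at a known SaaS provider, the content is
    # hosted and operated by that vendor: third-party infrastructure.
    final = chain[-1]
    if any(final.endswith(suffix) for suffix in saas):
        return Verdict.THIRD_PARTY, chain
    # Rule 3: a chain that leaves the first-party namespace and lands somewhere
    # unrecognised (CDN? partner? forgotten vendor?) still needs a human answer.
    if not any(_under(final, apex) for apex in apexes):
        return Verdict.UNVERIFIED, chain
    return Verdict.FIRST_PARTY, chain


if __name__ == "__main__":
    for candidate in ("www.nvidia.example", "support.nvidia.example",
                      "promo.nvidia.example", "docs.nvidia.example", "nvidia-fans.example"):
        verdict, chain = classify(candidate, ANSWERS)
        print(f"{candidate:28s} {' -> '.join(chain)}\n{'':28s} {verdict.value}")
```

Only THIRD_PARTY is a definite "do not test"; UNVERIFIED is deliberately the default for anything the rules cannot vouch for, which matches the page's instruction to check with the program team when in doubt.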


Application

  • WordPress username disclosure
  • Pre-Auth Account takeover/OAuth squatting
  • Self-XSS that can't be used to exploit other users
  • Verbose messages/files/directory listings without disclosing any sensitive information
  • CORS misconfiguration on non-sensitive endpoints
  • Missing cookie flags
  • Missing security headers
  • Cross-site Request Forgery with no or low impact
  • Presence of autocomplete attribute on web forms
  • Reverse tabnabbing
  • Bypassing rate-limits or the non-existence of rate-limits
  • Best practices violations (password complexity, expiration, re-use, etc.)
  • Clickjacking without proven impact/unrealistic user interaction
  • CSV Injection
  • Sessions not being invalidated (logout, enabling 2FA, etc.)
  • Tokens leaked to third parties
  • Anything related to email spoofing, SPF, DMARC or DKIM
  • Content injection without being able to modify the HTML
  • Username/email enumeration
  • Email bombing
  • HTTP Request smuggling without any proven impact
  • Homograph attacks
  • XMLRPC enabled
  • Banner grabbing/Version disclosure
  • Not stripping metadata of files
  • Same-site scripting
  • Subdomain takeover without taking over the subdomain
  • Arbitrary file upload without proof of the existence of the uploaded file
  • Blind SSRF without proven business impact (pingbacks aren't sufficient)
  • Disclosed/misconfigured Google Maps API keys
  • Host header injection without proven business impact

General

  • In case that a reported vulnerability was already known to the company from their own tests, it will be flagged as a duplicate
  • Theoretical security issues with no realistic exploit scenario(s) or attack surfaces, or issues that would require complex end user interactions to be exploited
  • Spam, social engineering and physical intrusion
  • DoS/DDoS attacks or brute force attacks
  • Vulnerabilities that only work on software that no longer receive security updates
  • Attacks requiring physical access to a victim's computer/device, man in the middle or compromised user accounts
  • Recently discovered zero-day vulnerabilities found in in-scope assets within 14 days after the public release of a patch or mitigation may be reported, but are usually not eligible for a bounty
  • Reports that state that software is out of date/vulnerable without a proof-of-concept

Mobile

  • Shared links leaked through the system clipboard
  • Any URIs leaked because a malicious app has permission to view URIs opened
  • The absence of certificate pinning
  • Sensitive data in URLs/request bodies when protected by TLS
  • Lack of obfuscation
  • Path disclosure in the binary
  • Lack of jailbreak & root detection
  • Crashes due to malformed URL Schemes
  • Lack of binary protection (anti-debugging) controls, mobile SSL pinning
  • Snapshot/Pasteboard leakage
  • Runtime hacking exploits (exploits only possible in a jailbroken environment)
  • API key leakage used for insensitive activities/actions

Severity assessment

This program follows Intigriti's triage standards based on the proof of concept.

FAQ

Where can we get credentials for the app?

We currently don’t offer any test credentials for this vulnerability disclosure program! Where possible, feel free to create a user account using your intigriti.me email alias.

Last 90 day response times: average time to first response < 8 hours; average time to triage < 16 hours.