By participating in this program, you agree to:
- Respect the Community Code of Conduct
- Respect the Intigriti Terms and Conditions
- Respect the scope of the program
- Not discuss or disclose vulnerability information without prior written consent (including PoC's on YouTube and Vimeo)
By submitting reports or otherwise participating in this program, you agree that you have read and will follow the Program Rules and Legal Terms sections of this program Policy.
Violation of any of these rules may result in ineligibility for a bounty and/or removal from the program. Three strikes will earn you a temporary ban. Four strikes means a permanent ban.
Use your own Accounts: Test vulnerabilities only against accounts that you own or accounts that you have written permission from the account holder to test against.
Do not pivot: Never use a finding to compromise/exfiltrate data or pivot to other systems. Use a proof of concept only to demonstrate an issue.
Respect the Users: If sensitive information--such as personal information, credentials, etc.--is accessed as part of a vulnerability, it must not be saved, stored, transferred, accessed, or otherwise processed after initial discovery. All copies of sensitive information must be returned to Yahoo and may not be retained. To ensure you are fully protected under the 'Safe Harbor', you may only use potentially-sensitive data to validate your finding, report it to us and to verify if the applied fix is effective.
Respect the Company: Researchers may not, and are not authorized to, engage in any activity that would be disruptive, damaging or harmful to Yahoo, its brands or its users. This includes: social engineering, phishing, physical security and denial of service attacks against users, employees, or Yahoo as a whole.
Follow the Scope: Abide by the program scope. Only reports submitted to this program and against assets in scope will be eligible for monetary award.
Get written permission before disclosure: Researchers may not publicly disclose vulnerabilities (sharing any details whatsoever with anyone other than authorized Yahoo or our authorized Bug Bounty Platform employees), or otherwise share vulnerabilities with a third party, without Yahoo’s express written permission.
Yahoo reserves the right to change or modify the terms of this program at any time. You may not participate in this program if you are a resident or individual located within a country appearing on any U.S. sanctions lists (such as the lists administered by the US Department of the Treasury’s OFAC).
Yahoo does not give permission/authorization (either implied or explicit) to an individual or group of individuals to (1) extract personal information or content of Yahoo users or publicize this information on the open, public-facing internet without user consent or (2) modify or corrupt programs or data belonging to Yahoo in order to extract and publicly disclose data belonging to Yahoo.
Yahoo employees (including former employees that separated from Yahoo within the prior 12 months), contingent workers, contractors and their personnel, and consultants, as well as their immediate family members and persons living in the same household, are not eligible to receive bounties or rewards of any kind under any Yahoo programs, whether hosted by Yahoo or any third party.
Yahoo will not initiate a lawsuit or law enforcement investigation against a researcher in response to reporting a vulnerability if the researcher fully complies with this Policy.
Please understand that if your security research involves the networks, systems, information, applications, products, or services of another party (which is not us), that third party may determine whether to pursue legal action. We cannot and do not authorize security research in the name of other entities. If legal action is initiated by a third party against you and you have complied with this Policy, we will take reasonable steps to make it known that your actions were conducted in compliance with this Policy.
You are expected, as always, to comply with all applicable laws and regulations.
Please submit a report to us before engaging in conduct that may be inconsistent with or unaddressed by this Policy.
Responsible Disclosure of Vulnerabilities
We are continuously working to evolve our bug bounty program. We aim to respond to incoming submissions as quickly as possible and make every effort to have bugs fixed within 90 days of being triaged.
Please review the program scope before submitting a report.
Web traffic to and from Yahoo properties produces petabytes of data every day. When testing, you can make it easier for us to identify your testing traffic within our normal data and the malicious actors out in the world. Please do the following when participating in Yahoo bug bounty programs:
● Where possible, register accounts using your
<username>+email@example.com addresses. Some of our properties may require this to be eligible for a bounty.
● Provide your IP address(es) in the bug report. We will keep this data private and only use it to review logs related to your testing activity.
● Limit your requests to 50 requests per second unless otherwise specified in the Scope. Exceeding this rate may result in your traffic becoming blocked.
● Include custom header(s) in all your traffic. Burp Suite, other proxies, and most popular bug hunting tools allow the easy, automatic addition of headers to all outbound requests. Include the header you set so we can identify it easily. This information may be required for the report to be eligible for a bounty.
|Verbose Tool Identifier
When testing for a bug, please also keep in mind:
● When attempting to demonstrate root permissions with the following primitives in a vulnerable process please use the following commands:
touch /root/<your Intigriti username>
id, hostname, pwd (though, technically
touch also prove execution)
● Before potentially causing damage: Stop, report what you've found and request additional testing permission.
● Minimize the mayhem. Adhere to program rules at all times.
Crafting a Report
If our security team cannot reproduce and verify an issue, a bounty cannot be awarded. To help streamline our intake process, we ask that submissions include:
● Description of the vulnerability
● Steps to reproduce the reported vulnerability
● Proof of exploitability (e.g. screenshot, video)
● Perceived impact to another user or the organization
● Proposed CVSSv3.1 Vector & Score (without environmental and temporal modifiers)
● List of URLs and affected parameters
● Other vulnerable URLs, additional payloads, Proof-of-Concept code
● Browser, OS and/or app version used during testing
Note: Failure to adhere to these minimum requirements may result in no bounty.
All supporting evidence and other attachments must be stored only within the report you submit. Attach all evidence to the report through the Platform. You may NEVER host any files on external services (youtube, dropbox, s3 bucket, self-hosted, etc).
Hackers participating in the Yahoo Bug Bounty program may find bugs that require special handling and/or an immediate halt to testing. In these instances, the team will post a message to the primary report related to the identified issue or issue class stating that a Ceasefire is now in effect. A Ceasefire creates a time-bound fix window that allows our engineers to analyze, understand, and address the issue at scale. During this period, Hackers may not continue working on or with the bugs that prompted the halt of testing.
Each Ceasefire will include a blackout period during which additional reports will not be accepted by the program. This period is typically 90 days, depending on the severity of the finding.
Achieving a Ceasefire Condition will result in a bonus to your report. Yahoo does not publish a list of past or current Ceasefire Conditions.
Wherever possible, vulnerabilities should be reported under the correct, in-scope “Asset”. Please see our detailed scope list at the bottom of this page for a full list of assets that are in scope of this program. This list is subject to change without notice.
If you’ve found a vulnerability that affects a Yahoo asset which is not listed as in-scope, please report it to this program; your finding may be eligible for a bounty.
You will be eligible for a bounty only if you are the first person to disclose an unknown issue. Qualifying bugs will be rewarded based on severity, to be determined by Yahoo. Rewards may range from Reputation Points and/or swag to monetary rewards up to $15,000 USD. Providing more complete research, proof-of-concept code and detailed write-ups may increase the bounty awarded. Conversely, Yahoo may pay less for vulnerabilities that require complex or over-complicated interactions or for which the impact or security risk is negligible. Rewards may be denied if there is evidence of program policy violations. A reduction in bounty may be warranted for reports that require specific browser configurations. Reports in third party software may not be eligible for bounties; Products or sites developed on behalf of Yahoo may qualify for a 50% bounty. (See scope section for more details)
Bounties and bonuses are granted entirely at the discretion of Yahoo.