FireBounty
52235 policies in database
Link to program      
2015-11-04
2019-08-03
Algolia logo
Thank
Gift
HOF
Reward

Reward

100 $ 

Algolia

Algolia is committed to working with security experts across the globe to stay up to date with the latest security techniques. If you have discovered a security issue that you believe we should know about, we'd welcome working with you. Please let us know about it and we'll make every effort to quickly correct the issue.

DO NOT use automated scanning tools

Scope

  • Website related endpoints on www.algolia.com

  • API related endpoints on .algolia.net or .algolianet.com

Bounty

Minimum reward is $100 for security vulnerabilities. The reward depends on the vulnerability severity and will be paid via HackerOne only. Every researcher with accepted vulnerability will be mentioned on http://hackerone.com/algolia/thanks

Issues without security impact are not eligible for a bounty, yet still welcomed and will be treated like any other report.

Eligibility

  • You must be the first reporter of the vulnerability.

  • You follow https://hackerone.com/disclosure-guidelines

  • You do not access data of other users and solely use your created accounts.

  • You may not publicly disclose the vulnerability prior to our resolution.

  • You are not an individual on, or residing in any country on, any U.S. sanctions lists.

  • You provide a working proof of concept that exploits the security issue

Exclusion

  • Login/Logout CSRF

  • DDoS

  • Social engineering on customers or employees of Algolia

  • Self-XSS (we require evidence on how the XSS can be used to attack another Algolia user)

  • Miss of rate limits

  • Report from automated tools and scans

  • Vulnerabilities sending spam or unauthorised messages

  • Bugs in 3rd party software

  • X-Frame-Options related

  • Customer's sites

  • Relating to HSTS

  • DNSSEC

  • Missing security headers which do not lead directly to a vulnerability

  • Physical attack on the infrastructure

  • Theoretical attacks

  • Breaking of SSL/TLS trust

  • Compromising of browser/device (ex. computer sharing, physical access to a user's device, ...)

  • Vulnerabilities only affecting users of outdated or unpatched browsers and platforms

  • Password and account recovery policies, such as reset link expiration or password complexity

  • Vulnerabilities without solution on our side (HEIST, ...)

  • Outdated DNS record pointing to system which does not belong to Algolia

  • Any DNS record outdated for less than 48 hours

In Scope

Scope Type Scope Name
web_application

*.algolianet.com
web_application

*.algolia.net
web_application

www.algolia.com

This program leverage 3 scopes, in 1 scopes categories.

FireBounty © 2015-2024

Legal notices | Privacy policy