Citrix looks forward to working with the security community to find security vulnerabilities to keep our businesses and customers safe.
Your participation in the Bug Bounty Program (“Program”) is voluntary and subject to the terms and conditions set forth in this Citrix Bug Bounty Program Policy (the “Policy”), and any other agreement in which you have entered with Citrix in connection with the Program (collectively “Citrix Agreements”). By submitting a vulnerability to Citrix, you acknowledge that you have read and agreed to this Policy and the Citrix Agreements.
Citrix maintains the right to terminate this Bug Bounty Program (“Program”) at any time with or without notice. Citrix may amend this Policy at any time by posting a revised version on our HackerOne policy page. By continuing to participate in the Program after any such changes, you accept the Policy’s terms and conditions, as modified.
Citrix may, in its sole discretion, remove you from the Program, or disqualify you from receiving any benefit of the Program, if you breach this Policy or any of the Program’s terms, or if Citrix determines that your participation in the Program could adversely affect Citrix, our affiliates, subsidiaries, customers, employees or agents.
Citrix will try to meet the following SLAs for hackers participating in our program:
Time to first response (from report submission) - 1 business day
Time to triage (from report submission) - 1 business day
Time to initial bounty (from triage) - 5 business days
We will award a portion of the bounty upon triage of a valid report. The full bounty amount will be awarded upon remediation of the issue after its impact is fully assessed.
We will try to keep you informed about our progress throughout the process.
When registering for your test account, please use HackerOne's new email aliases - instructions here.
Use “H1_” as a prefix in the “customer ID” field when registering for an account.
This is very important to ensure our sales team does not treat your test account as a lead.
When your trial expires, you can generate a second test account by appending "+1" to your HackerOne email alias.
For help getting your test account set up, see {F1032793}
If you have any questions regarding the scope or setup, please direct them to support@hackerone.com
Although this is a public program, you are not permitted to discuss or publish anything about any vulnerabilities (even resolved ones) without express written consent from Citrix.
In the event of any inconsistency between this Policy and HackerOne’s disclosure guidelines, this Policy will govern and control.
If you prefer not to be part of the Citrix Bug Bounty Program, you may submit issues via Citrix's coordinated disclosure program. However, please note that reports submitted via our coordinated disclosure program do not qualify for a bounty.
Follow HackerOne's code of conduct.
Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
If you find a vulnerability which is out of scope for this Program, please report it, but note it may not be eligible for a bounty.
Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
When duplicates occur, we only award the first report that was received (provided that the steps in the report can be fully reproduced).
Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
All subdomain takeovers will be treated as Low severity vulnerabilities unless higher impact beyond phishing is demonstrated with a proof-of-concept.
Social engineering techniques (e.g., phishing, vishing, smishing) are prohibited.
Leaked credentials may not be eligible for a bounty; they will be evaluated on a case-by-case basis depending on impact.
You are prohibited from engaging in any privacy violations, trading stolen user credentials, destroying data, or interrupting or degrading our service (including without limitation, spam, DoS attacks or DDoS attacks).
Only interact with accounts you own or with explicit permission of the account holder.
You are prohibited from engaging in any activity that results in you, or any third party, accessing, acquiring, altering, copying, storing, saving, sharing, transferring, deleting, destroying, or otherwise processing user data. Contact us immediately if you do inadvertently encounter user data, and immediately and securely purge any local copies upon reporting the vulnerability to Citrix.
To be eligible for the Bug Bounty Program, you must not:
Be a resident of, or make your submission from, a country against which the United States has issued export sanctions or other trade restrictions (e.g., Cuba, Iran, North Korea, Sudan, and Syria).
Be in violation of any national, state, or local law or regulation.
Be a current employee of Citrix or its affiliates or subsidiaries, or an employee who has left Citrix, or its affiliates or subsidiaries within the past 12 months.
Be an immediate family member of a person employed by Citrix or its subsidiaries or affiliates; or
Be less than 13 years of age. If you are between the ages of 13 - 17 years old but are considered a minor in your place of residence, you must get your parent’s or legal guardian’s permission prior to participating in the program.
When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:
Subdomain takeovers on ShareFile domains
Vulnerabilities found on subdomains of cloud.com which are not explicitly listed in scope
Clickjacking and issues only exploitable through clickjacking
Descriptive error messages (e.g., Stack Traces, application, or server errors) without proof of vulnerability or risk
HTTP 404 codes/pages or other HTTP non-200 codes/pages
Fingerprinting/banner disclosure on common/public services
Disclosure of known public files or directories, e.g., robots.txt
Scripting or other automation and brute forcing of intended functionality
Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality
Lack of Secure and HTTPOnly cookie flags
Content spoofing (text injection) or IDN homograph attacks or reflected file download attacks
Tabnabbing
Email configuration issues (SPF, DKIM, DMARC)
Weak captcha or captcha bypass
Forced login/logout CSRF
Account lockout, login, or forgot password page brute force
Password complexity or account recovery policies
HTTPS Mixed Content
Missing HTTP security headers
Known SSL issues
SSL Forward Secrecy or HSTS not enabled
Weak SSL/TLS cipher suites
Issues related to networking protocols or industry standards not controlled by Citrix
Sending vulnerability reports using automated tools without validation
Use of a known-vulnerable library without evidence of exploitability
Problems related to widely publicized CVEs
Attacks requiring physical access to a user's unlocked device
Reports of spam, phishing, or security best practices
Username/email enumeration
Bugs in content/services that are not owned/operated by Citrix
Vulnerabilities affecting users of outdated or unsupported browsers or platforms
Any activity that could lead to the disruption of our service (DoS)
Comma Separated Values (CSV) injection without demonstrating a vulnerability
Content spoofing and HTML injection issues without showing an attack vector/without being able to execute JavaScript
HTTP OPTIONS/TRACE/PUT methods enabled
Disclosure of private IP addresses in HTTP responses
Third-party feature abuse (e.g., data: URL scheme)
Partner sites/services
The circled services are in scope for testing:
{F1032797}
Thank you for helping keep Citrix and our users safe!
Scope Type | Scope Name |
---|---|
web_application | citrix.cloud.com |
web_application | www.cloud.com |
web_application | ap-s.cloud.com |
web_application | eu.cloud.com |
web_application | us.cloud.com |
web_application | *.citrixworkspacesapi.net |
web_application | onboarding.cloud.com |
web_application | onboarding-*.cloud.com |
web_application | accounts.cloud.com |
web_application | accounts-internal.cloud.com |
web_application | *.browser.cloud.com |
web_application | launch.cloud.com |
web_application | *developer.cloud.com |
web_application | (yoursubdomain).sf-api.com |
web_application | (yoursubdomain).sf-api.eu |
web_application | sf-rp-eu.sharefile.com |
web_application | (yoursubdomain).sharefile.com |
web_application | (yoursubdomain).sharefile.eu |
web_application | sf-rp-us.sharefile.com |
web_application | secure.sharefile.com |
web_application | sf-rp.sharefile.com |
web_application | secure.sharefile.eu |
web_application | api.sharefile.com |
web_application | (yoursubdomain).sharefile.com/sf/v3/ |
web_application | api.sharefile.eu |
web_application | adm.cloud.com |
web_application | api.adm.cloud.com |
web_application | (yoursubdomain).us.iws.cloud.com |
web_application | (yoursubdomain).ap.iws.cloud.com |
web_application | (yoursubdomain).eu.iws.cloud.com |
web_application | (yourIWSsubdomain).cloud.com |
Scope Type | Scope Name |
---|---|
application | Enterprise Sync, ShareFile Desktop for Mac, ShareFile Desktop Widget |
web_application | .citrix.com |
web_application | *.cloudburrito.com |
web_application | *.sharefile.com |
web_application | *.sharefile.eu |
web_application | *.securevdr.com |
web_application | *.podio.com |
web_application | .sharefile.com |
web_application | .sharefile.eu |
web_application | (subdomain).sharefile.com/rest/ |
web_application | citrixworkflows.sharefile.com |
web_application | citrixworkflows.sharefile.eu |
This program, crawled on 2020-10-12, is sorted as bounty.
FireBounty © 2015-2025