Evernote is the go-to app that helps millions of people worldwide remember everything and accomplish anything. It's important to us that our customer experience be both private and secure. We strive to keep abreast on the latest state-of-the-art security developments by working with security researchers and companies, and appreciate the community’s efforts in creating a more secure world.

Response Targets

Evernote will try to meet the following response targets for hackers participating in our program:

• Time to first response (from report submit) - 2 business days

• Time to triage (from report submit) - 2 business days

• Time to bounty (from triage) - 5 business days

We’ll try to keep you informed about our progress throughout the process.

Disclosure Policy

• This is a private program, and you must not discuss this program or any vulnerabilities (even resolved ones) outside of the program without the express written consent of Evernote.

• Follow HackerOne's disclosure guidelines.

Program Rules

• All automated scanning must include your H1 username in the user agent in order to be eligible for bounty.

• All authenticated testing must be performed using @wearehackerone aliases.

• Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.

• Submit one vulnerability per-report, unless you need to chain vulnerabilities to provide impact.

• When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).

• Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.

• Social engineering (e.g. phishing, vishing, smishing) is prohibited.

• Network Level DDoS/DoS attacks are forbidden. Application volumetric DDoS/DoS attacks are forbidden. To prevent being locked out, please throttle automated testing.

• Avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own, or with accounts for which you have the express written permission of the account holder.

• You must not be employed by Evernote or its subsidiaries or related entities.

Test Plan

• www.evernote.com (excluding evernote.com)

https://www.evernote.com/Login.action is the major access point for our customers to use our service through web browsers. This domain also provides the backend APIs for our desktop and mobile clients. Feel free to create test accounts using your @wearehackerone alias. Please conduct your testing mainly on our production server as we have protection, such as rate limiting, enabled on production.

• stage.evernote.com is the corresponding staging environment. For any accounts (Premium, Plus, Evernote Business) that may require payment information, this staging environment allows use of test credit card numbers:

https://docs.adyen.com/development-resources/test-cards/test-card-numbers

Out of scope vulnerabilities

When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:

• Clickjacking on pages with no sensitive actions

• Password, email and account policies, such as email id verification, reset link expiration, password complexity.

• Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions

• Self-XSS and issues exploitable only through Self-XSS

• Attacks requiring MITM or physical access to a user's device.

• Previously known vulnerable libraries without a working Proof of Concept.

• Comma Separated Values (CSV) injection without demonstrating a vulnerability.

• Missing best practices in SSL/TLS configuration.

• Any activity that could lead to the disruption of our service (DoS).

• Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS

• Hosting malware/arbitrary content on Evernote and causing downloads.

• Rate limiting or bruteforce issues on non-authentication endpoints

• Reports from automated tools or scans.

• Reports of spam (i.e., any report involving ability to send emails without rate limits).

• Login/Forgot Password page account bruteforce or account lockout not enforced

• Missing best practices in Content Security Policy or best practice security headers (Including Cross-Origin Resource and Host header issues)

• Missing HttpOnly or Secure flags on cookies

• Presence of autocomplete attribute on web forms.

• Any report that discusses how you can learn whether a given username, email address has a Evernote account.

• Any access to data where the targeted user needs to be operating a rooted mobile device.

• Any report on bypassing our storage limits etc. is out of scope.

• Any report about DLL hijacking without demonstrating how it gains new privileges is also out of scope.

• Absence of rate limiting, unless related to authentication.

• IP/Port Scanning via Evernote services unless you are able to hit private IPs or Evernote servers.

• Devices (ios, android, desktop apps) not getting unlinked on password or 2FA change.

• Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)

• Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]

• Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors, HTTP 404 codes/pages or other HTTP non-200 codes/pages)

• Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.

• Tabnabbing

• Open redirect - unless an additional security impact can be demonstrated

• Issues that require unlikely user interaction

• Third party hosted services

Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

Thank you for helping keep Evernote and our users safe!