Evernote looks forward to working with the security community to find security
vulnerabilities in order to keep our business and customers safe.
Evernote will try to meet the following response targets for hackers
participating in our program:
- Time to first response (from report submit) - 5 business days
- Time to triage (from report submit) - 10 business days
We’ll try to keep you informed about our progress throughout the process.
- This is a private program and you must not discuss this program or any vulnerabilities (even resolved ones) outside of the program without the express written consent of Evernote.
- Follow HackerOne's disclosure guidelines .
- Please provide detailed reports with reproducible steps.
- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
- Social engineering (e.g. phishing, vishing, smishing) is prohibited.
- Avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own, or with accounts for which you have the express written permission of the account holder.
Out of scope vulnerabilities
When reporting vulnerabilities, please consider (1) attack
scenario/exploitability, and (2) security impact of the bug. The following
issues are considered out of scope:
- Clickjacking on pages with no sensitive actions
- Password, email and account policies, such as email id verification, reset link expiration, password complexity.
- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions
- Self-XSS and issues exploitable only through Self-XSS
- Attacks requiring MITM or physical access to a user's device.
- Previously known vulnerable libraries without a working Proof of Concept.
- Comma Separated Values (CSV) injection without demonstrating a vulnerability.
- Missing best practices in SSL/TLS configuration.
- Any activity that could lead to the disruption of our service (DoS).
- Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
- Hosting malware/arbitrary content on Evernote and causing downloads.
- Rate limiting or bruteforce issues on non-authentication endpoints
- Reports from automated tools or scans.
- Reports of spam (i.e., any report involving ability to send emails without rate limits).
- Login/Forgot Password page account bruteforce or account lockout not enforced
- Missing best practices in Content Security Policy or best practice security headers (Including Cross-Origin Resource and Host header issues)
- Missing HttpOnly or Secure flags on cookies
- Presence of autocomplete attribute on web forms.
- Any report that discusses how you can learn whether a given username, email address has a Evernote account.
- Any access to data where the targeted user needs to be operating a rooted mobile device.
- Any report on bypassing our storage limits etc. is out of scope.
- Any report about DLL hijacking without demonstrating how it gains new privileges is also out of scope.
- Absence of rate limiting, unless related to authentication.
- IP/Port Scanning via Evernote services unless you are able to hit private IPs or Evernote servers.
- Devices (ios, android, desktop apps) not getting unlinked on password or 2FA change.
- Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)
- Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]
- Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors, HTTP 404 codes/pages or other HTTP non-200 codes/pages)
- Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.
- Open redirect - unless an additional security impact can be demonstrated
- Issues that require unlikely user interaction
- Third party hosted services
Any activities conducted in a manner consistent with this policy will be
considered authorized conduct and we will not initiate legal action against
you. If legal action is initiated by a third party against you in connection
with activities conducted under this policy, we will take steps to make it
known that your actions were conducted in compliance with this policy.
Thank you for helping keep Evernote and our users safe!
This program have been found on Hackerone on 2020-02-11.