The Elastic team appreciates the security community and shares the goal of keeping our businesses, customers, and the internet safe. Elastic values your efforts and promises to remain responsive and to update you as your reports are triaged and remediated. We award bounty-eligible reports at triage and hope to work together on an ongoing basis.
Elastic's bounty structure falls under two umbrellas: Product Vulnerabilities and Other. While we accept vulnerabilities on any assets that we own or control, we are particularly interested in vulnerabilities in our products, and as such will pay significantly more for them, as indicated in our bounty structure.
We are specifically interested in any/all bugs related to the Elastic suite of products. Find an IDOR in Elasticsearch? Report it. Find an XSS in Kibana? Report it. If we wrote code with a bug in it, we want to know about it!
Our code is open so use that to your advantage!
| SEVERITY | REWARD | CVSS SCORE |
|---------- |------------ | -------- |
| Critical | $3,000-$7,000 | 9.0 - 10.0 |
| High | $1,500-$3,000 | 7.0 - 8.9 |
| Medium | $700-$1,500 | 4.0 - 6.9 |
| Low | $150-$700 | 0.1 - 3.9 |
Any other bugs that aren't specifically in one of our products (i.e. information disclosure on an insecure server, subdomain takeover, exposed API keys, etc.) will be paid according to the following table:
| SEVERITY | REWARD | CVSS SCORE |
|---------- |------------ | -------- |
| Critical | $800-$2,000 | 9.0 - 10.0 |
| High | $400-$800 | 7.0 - 8.9 |
| Medium | $200-$400 | 4.0 - 6.9 |
| Low | $100-$200 | 0.1 - 3.9 |
We're excited to announce that we will be running regular events over the next year targeting specific products/vulnerabilities! These events will pay increased awards for qualifying vulnerabilities.
While currently in open beta, we want your help in finding security vulnerabilities in both our cloud Synthetics monitors and our Synthetics Recorder application.
To get access, follow these steps:
1. Create a new deployment on cloud using an account with your @wearehackerone.com email alias.
2. Once in the deployment, go to the Observability application and pick "Uptime".
3. Go to the Monitor Management tab.
4. Fill out the request form.
5. Wait 24 hours for our team to approve you.
6. Find bugs.
7. Get paid!
Because we're excited to see vulnerabilities on this product, we're offering a 100% bonus on any vulnerabilities on this feature! That puts our bounties at:
| SEVERITY | REWARD | CVSS SCORE |
|---------- |------------ | -------- |
| Critical | $6,000-$14,000 | 9.0 - 10.0 |
| High | $3,000-$6,000 | 7.0 - 8.9 |
| Medium | $1,400-$3,000 | 4.0 - 6.9 |
| Low | $300-$1,400 | 0.1 - 3.9 |
Please reach out to security@elastic.co if you have any questions about this promotion!
These achievements will rotate as our program grows/matures. So keep an eye out for new achievements!
| ACHIEVEMENT | BONUS | Hacker |
|---------- |------------ | -------- |
| Regicide - Displace the current leaderboard leader. Can only be claimed by each researcher once. | $1,000 | subhashx, d0xing, dee-see, alexbrasetvik |
| For Crying out Cloud - Work around a fix for an existing bug on Cloud | $200 | |
| Elastic it to The Man - Be the first hacker to achieve RCE on Cloud | $5,000 | alexbrasetvik |
| Master of Puppets - Be the first hacker to achieve ATO on Cloud | $5,000 | |
| Space Invaders - Give yourself access to a Kibana space which you don't have access to | $500 | |
| Stairway to Seven - Report 7 consecutive valid bugs | $700 | streaak, alexbrasetvik, dee-see, d0xing |
| Key-nesian Economics - Find sensitive API keys/credentials committed in our source code | $500 | mateuszek |
* Attacks that lead to compromise of Elastic user data
* Widespread compromise of Elastic user accounts
* Remote code execution on systems and applications
* Access to administrator/superuser accounts
* Arbitrary access to a user's sensitive data/functionality
* Kibana XSS and CSRF
* Bypass JSM restrictions
* Access to underlying containers
* Access to unauthorized data as an authenticated user
* Privilege escalation as an authenticated user to non-superuser
* Authenticated SSRF
* Sites accepting authentication without HTTPS protections
If you report a subdomain takeover, please document your findings when writing the report.
Social engineering (e.g. phishing, vishing, smishing) is prohibited.
Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.
Scope
Let us know as soon as possible upon discovery of a potential security issue, and we’ll make every effort to quickly resolve the issue.
When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).
Follow HackerOne's disclosure guidelines.
Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues should be considered out of scope:
* Clickjacking on pages with no sensitive actions
* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions
* Attacks requiring MITM or physical access to a user's device
* Previously known vulnerable libraries without a working Proof of Concept
* Comma Separated Values (CSV) injection without demonstrating a vulnerability
* Missing best practices in SSL/TLS configuration
* Content spoofing and text injection issues without showing an attack vector, or without being able to modify HTML/CSS
* Lack of rate limiting or brute-force issues
* Missing best practices in Content Security Policy
* Missing HttpOnly or Secure flags on cookies
* Missing email best practices (invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)
* Vulnerabilities only affecting users of outdated or unpatched browsers (less than 2 stable versions behind the latest released stable version)
* Software version disclosure / banner identification issues / descriptive error messages or headers (e.g. stack traces, application or server errors)
* Public zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case-by-case basis
* Tabnabbing
* Issues that require unlikely user interaction
* Open redirects that are not chained into a more impactful vulnerability
* Broken links in documentation
* Issues where an attacker gets access to paid features for free or at a discount
To be eligible for the Bug Bounty Program, you must not:
* Be employed by Elastic or any subsidiary;
* Be a former employee or contractor (including an outsourced penetration tester) of Elastic or any subsidiary who left the company less than 6 months ago.
Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
Thank you for helping keep Elastic and our users safe!
| Scope Type | Scope Name |
|---|---|
| other | other |
| other | All Elastic Products |
| other | Elastic Package Registry |
| other | Elastic Synthetics Monitoring |
| web_application | www.elastic.co |
| web_application | cloud.elastic.co |
| web_application | *.elastic.co |
| web_application | elasticsearch-ci.elastic.co |
| web_application | *.found.io |
| web_application | *.swiftype.com |
| web_application | *.elstc.co |
| web_application | *.elasticnet.co |
| web_application | *.eops.nl |
| web_application | *.elastic-cloud.com |
| web_application | elastic-cloud.com |
| web_application | https://github.com/elastic/elasticsearch |
| web_application | https://github.com/elastic/kibana |
| web_application | https://github.com/elastic/logstash |
| web_application | https://github.com/elastic/beats |
| Scope Type | Scope Name |
|---|---|
| web_application | go.es.co |
| web_application | info.elastic.co |
| web_application | learn.elastic.co |
| web_application | elasticon.elastic.co |
| web_application | training.elastic.co |
| web_application | link.email.elastic.co |
| web_application | track.email.elastic.co |
| web_application | sendgrid.elastic.co |
| web_application | wiki.elastic.co |
| web_application | https://github.com/elastic/*/wiki |
| web_application | *.ctf.elstc.co |
| web_application | https://github.com/swiftype/*/wiki |
| web_application | community.elastic.co |
| web_application | discuss.elastic.co |
| web_application | jobs.elastic.co |
| web_application | partners.elastic.co |
This policy was crawled by Onyphe on 2021-08-11 and is sorted as bounty.