2021-08-11
Elastic

The Elastic team appreciates the security community and shares the goal of keeping our businesses, customers, and the internet safe. Elastic values your efforts and promises to remain responsive and to update you as your reports are triaged and remediated. We award bounty-eligible reports at triage and hope to work together on an ongoing basis.

Elastic's bounty structure falls under two umbrellas: Product Vulnerabilities and Other. While we accept vulnerabilities on any assets that we own or control, we are particularly interested in vulnerabilities in our products, and as such will pay significantly more for them, as indicated in our bounty structure.

PRODUCT BUG BOUNTY AMOUNTS

We are specifically interested in any/all bugs related to the Elastic suite of products. Find an IDOR in Elasticsearch? Report it. Find an XSS in Kibana? Report it. If we wrote code with a bug in it, we want to know about it!

Our code is open so use that to your advantage!

| SEVERITY | REWARD | CVSS SCORE |
|----------|--------|------------|
| Critical | $3,000-$7,000 | 9.0 - 10.0 |
| High | $1,500-$3,000 | 7.0 - 8.9 |
| Medium | $700-$1,500 | 4.0 - 6.9 |
| Low | $150-$700 | 0.1 - 3.9 |

OTHER BOUNTY AMOUNTS

Any other bugs that aren't specifically in one of our products (i.e. information disclosure on an insecure server, subdomain takeover, exposed API keys, etc.) will be paid according to the following table:

| SEVERITY | REWARD | CVSS SCORE |
|----------|--------|------------|
| Critical | $800-$2,000 | 9.0 - 10.0 |
| High | $400-$800 | 7.0 - 8.9 |
| Medium | $200-$400 | 4.0 - 6.9 |
| Low | $100-$200 | 0.1 - 3.9 |

ELASTIC BUG BOUNTY EVENTS!

We're excited to announce that we will be running regular events over the next year targeting specific products/vulnerabilities! These events will pay increased awards for qualifying vulnerabilities.

ELASTIC SYNTHETICS PROMOTION

While the feature is currently in open beta, we want your help in finding security vulnerabilities in both our cloud Synthetics monitors and our Synthetics Recorder application.

To get access, follow these steps:

  1. Create a new deployment on cloud using an account with your @wearehackerone.com email alias.

  2. Once in the deployment, go to the Observability application and pick the "Uptime"

  3. Go to the Monitor Management tab

  4. Fill out the request form.

  5. Wait 24 hours for our team to approve you.

  6. Find bugs

  7. Get paid!

Because we're excited to see vulnerabilities on this product, we're offering a 100% bonus on any vulnerability in this feature! That puts our bounties at:

| SEVERITY | REWARD | CVSS SCORE |
|----------|--------|------------|
| Critical | $6,000-$14,000 | 9.0 - 10.0 |
| High | $3,000-$6,000 | 7.0 - 8.9 |
| Medium | $1,400-$3,000 | 4.0 - 6.9 |
| Low | $300-$1,400 | 0.1 - 3.9 |

Please reach out to security@elastic.co if you have any questions about this promotion!

SPECIAL ACHIEVEMENTS

These achievements will rotate as our program grows and matures, so keep an eye out for new achievements!

| ACHIEVEMENT | BONUS | Hacker |
|-------------|-------|--------|
| Regicide - Displace the current leaderboard leader. Can only be claimed by each researcher once. | $1,000 | subhashx, d0xing, dee-see, alexbrasetvik |
| For Crying out Cloud - Work around a fix for an existing bug on Cloud | $200 | |
| Elastic it to The Man - Be the first hacker to achieve RCE on Cloud | $5,000 | alexbrasetvik |
| Master of Puppets - Be the first hacker to achieve ATO on Cloud | $5,000 | |
| Space Invaders - Give yourself access to a Kibana space which you don't have access to | $500 | |
| Stairway to Seven - Report 7 consecutive valid bugs | $700 | streaak, alexbrasetvik, dee-see, d0xing |
| Key-nesian Economics - Find sensitive API keys/credentials committed in our source code | $500 | mateuszek |

What we're interested in

  • Attacks that lead to compromise of Elastic user data

  • Widespread compromise of Elastic user accounts

  • Remote code execution on systems and applications

  • Access to administrator/superuser accounts

  • Arbitrary access to a user’s sensitive data/functionality

  • Kibana XSS and CSRF

  • Bypass JSM restrictions

  • Access to underlying containers

  • Access to unauthorized data as authenticated user

  • Privilege escalation as an authenticated user to a non-superuser role

  • Authenticated SSRF

  • Sites accepting authentication without HTTPS protections

Expectations

  • If you report a subdomain takeover, please document your findings thoroughly when writing the report.

  • Social engineering (e.g. phishing, vishing, smishing) is prohibited.

  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.

Scope

  • Our rewards are based on the severity of a vulnerability. Please note that reward decisions are up to the discretion of Elastic.

Disclosure

  • Let us know as soon as possible upon discovery of a potential security issue, and we’ll make every effort to quickly resolve the issue.

  • When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).

  • Follow HackerOne's disclosure guidelines.

  • Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.

  • Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact. Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.

Out of scope

When reporting vulnerabilities, please consider (1) the attack scenario / exploitability, and (2) the security impact of the bug. The following issues should be considered out of scope:

  • Clickjacking on pages with no sensitive actions

  • Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions

  • Attacks requiring MITM or physical access to a user's device.

  • Previously known vulnerable libraries without a working Proof of Concept.

  • Comma Separated Values (CSV) injection without demonstrating a vulnerability.

  • Missing best practices in SSL/TLS configuration.

  • Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS

  • Lack of rate limiting or brute-force issues

  • Missing best practices in Content Security Policy.

  • Missing HttpOnly or Secure flags on cookies

  • Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)

  • Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]

  • Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).

  • Public zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case-by-case basis.

  • Tabnabbing

  • Issues that require unlikely user interaction

  • Open Redirects that are not chained into a more impactful vulnerability

  • Broken links in documentation

  • Issues where an attacker gets access to paid features for free or at a discount

Stipulations

To be eligible for the Bug Bounty Program, you must not:

  • Be employed by Elastic or any subsidiary;

  • Be a former employee or contractor (including an outsourced penetration tester) of Elastic or any subsidiary who left the company less than 6 months ago.

Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

Thank you for helping keep Elastic and our users safe!

In Scope

| Scope Type | Scope Name |
|------------|------------|
| other | |
| other | |
| other | All Elastic Products |
| other | Elastic Package Registry |
| other | Elastic Synthetics Monitoring |
| web_application | www.elastic.co |
| web_application | cloud.elastic.co |
| web_application | *.elastic.co |
| web_application | elasticsearch-ci.elastic.co |
| web_application | *.found.io |
| web_application | *.swiftype.com |
| web_application | *.elstc.co |
| web_application | *.elasticnet.co |
| web_application | *.eops.nl |
| web_application | *.elastic-cloud.com |
| web_application | elastic-cloud.com |
| web_application | https://github.com/elastic/elasticsearch |
| web_application | https://github.com/elastic/kibana |
| web_application | https://github.com/elastic/logstash |
| web_application | https://github.com/elastic/beats |

Out of Scope

| Scope Type | Scope Name |
|------------|------------|
| web_application | go.es.co |
| web_application | info.elastic.co |
| web_application | learn.elastic.co |
| web_application | elasticon.elastic.co |
| web_application | training.elastic.co |
| web_application | link.email.elastic.co |
| web_application | track.email.elastic.co |
| web_application | sendgrid.elastic.co |
| web_application | wiki.elastic.co |
| web_application | https://github.com/elastic/*/wiki |
| web_application | *.ctf.elstc.co |
| web_application | https://github.com/swiftype/*/wiki |
| web_application | community.elastic.co |
| web_application | discuss.elastic.co |
| web_application | jobs.elastic.co |
| web_application | partners.elastic.co |


This policy, crawled by Onyphe on 2021-08-11, is sorted as bounty.
