Elastic

2021-08-11

The Elastic team appreciates the security community and shares the goal of keeping our businesses, customers, and the internet safe. Elastic values your efforts and promises to remain responsive and to update you as your reports are triaged and remediated. We award bounty-eligible reports at triage and hope to work together on an ongoing basis.

Elastic's bounty structure falls under two umbrellas: Product Vulnerabilities & Other. While we accept vulnerabilities on any assets that we own/control, we are particularly interested in vulnerabilities in our products, and as such will pay significantly more as indicated in our bounty structure.

PRODUCT BUG BOUNTY AMOUNTS

We are specifically interested in any/all bugs related to the Elastic suite of products. Find an IDOR in Elasticsearch? Report it. Find an XSS in Kibana? Report it. If we wrote code with a bug in it, we want to know about it!

Our code is open so use that to your advantage!

| SEVERITY | REWARD | CVSS SCORE |
|----------|--------|------------|
| Critical | $3,000-$7,000 | 9.0 - 10.0 |
| High | $1,500-$3,000 | 7.0 - 8.9 |
| Medium | $700-$1,500 | 4.0 - 6.9 |
| Low | $150-$700 | 0.1 - 3.9 |

OTHER BOUNTY AMOUNTS

Any other bugs that aren't specifically in one of our products (i.e. information disclosure on an insecure server, subdomain takeover, exposed API keys, etc.) will be paid according to the following table:

| SEVERITY | REWARD | CVSS SCORE |
|----------|--------|------------|
| Critical | $800-$2,000 | 9.0 - 10.0 |
| High | $400-$800 | 7.0 - 8.9 |
| Medium | $200-$400 | 4.0 - 6.9 |
| Low | $100-$200 | 0.1 - 3.9 |

SPECIAL ACHIEVEMENTS

These achievements will rotate as our program grows/matures. So keep an eye out for new achievements!

| ACHIEVEMENT | BONUS | HACKER |
|-------------|-------|--------|
| Regicide - Displace the current leaderboard leader. Can only be claimed by each researcher once. | $1,000 | subhashx, d0xing, dee-see, alexbrasetvik |
| For Crying out Cloud - Work around a fix for an existing bug on Cloud | $200 | |
| Elastic it to The Man - Be the first hacker to achieve RCE on Cloud | $5,000 | alexbrasetvik |
| Master of Puppets - Be the first hacker to achieve ATO on Cloud | $5,000 | |
| Space Invaders - Give yourself access to a Kibana space which you don't have access to | $500 | |
| Stairway to Seven - Report 7 consecutive valid bugs | $700 | streaak, alexbrasetvik, dee-see, d0xing |
| Key-nesian Economics - Find sensitive API keys/credentials committed in our source code | $500 | |

ELASTIC BUG BOUNTY EVENTS!

We're excited to announce that we will be running regular events over the next year targeting specific products/vulnerabilities! These events will pay increased awards for qualifying vulnerabilities.

We are currently in-between events - stay tuned in the coming weeks for our next event announcement!

What we're interested in

  • Attacks that lead to compromise of Elastic user data

  • Widespread compromise of Elastic user accounts

  • Remote code execution on systems and applications

  • Access to administrator/superuser accounts

  • Arbitrary access to a user’s sensitive data/functionality

  • Kibana XSS and CSRF

  • Bypass JSM restrictions

  • Access to underlying containers

  • Access to unauthorized data as authenticated user

  • Privilege escalation as authenticated user to non superuser

  • Authenticated SSRF

  • Sites accepting authentication without https protections

Expectations

  • If you report a subdomain takeover, please document your findings in order to write the report.

  • Social engineering (e.g. phishing, vishing, smishing) is prohibited.

  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.

Scope

  • Our rewards are based on the severity of a vulnerability. Please note that reward decisions are up to the discretion of Elastic.

Disclosure

  • Let us know as soon as possible upon discovery of a potential security issue, and we’ll make every effort to quickly resolve the issue.

  • When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).

  • Follow HackerOne's disclosure guidelines.

  • Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.

  • Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.

Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.

Out of scope

When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues should be considered out of scope:

  • Clickjacking on pages with no sensitive actions

  • Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions

  • Attacks requiring MITM or physical access to a user's device.

  • Previously known vulnerable libraries without a working Proof of Concept.

  • Comma Separated Values (CSV) injection without demonstrating a vulnerability.

  • Missing best practices in SSL/TLS configuration.

  • Any activity that could lead to the disruption of our service (DoS).

  • Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS

  • Rate limiting or bruteforce issues on non-authentication endpoints

  • Missing best practices in Content Security Policy.

  • Missing HttpOnly or Secure flags on cookies

  • Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)

  • Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]

  • Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).

  • Public zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case-by-case basis.

  • Tabnabbing

  • Issues that require unlikely user interaction

  • Open Redirects that are not chained into a more impactful vulnerability

Stipulations

To be eligible for the Bug Bounty Program, you must not:

  • Be employed by Elastic or any subsidiary;

  • Be a former employee or contractor (including an outsourced penetration tester) of Elastic or any subsidiary who has left the company less than 6 months ago.

Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

Thank you for helping keep Elastic and our users safe!

In Scope

| Scope Type | Scope Name |
|------------|------------|
| other | |
| other | |
| other | All Elastic Products |
| web_application | www.elastic.co |
| web_application | cloud.elastic.co |
| web_application | *.elastic.co |
| web_application | elasticsearch-ci.elastic.co |
| web_application | *.found.io |
| web_application | *.swiftype.com |
| web_application | *.elstc.co |
| web_application | *.elasticnet.co |
| web_application | *.eops.nl |
| web_application | *.elastic-cloud.com |
| web_application | elastic-cloud.com |
| web_application | https://github.com/elastic/elasticsearch |
| web_application | https://github.com/elastic/kibana |
| web_application | https://github.com/elastic/logstash |
| web_application | https://github.com/elastic/beats |

Out of Scope

| Scope Type | Scope Name |
|------------|------------|
| web_application | go.es.co |
| web_application | info.elastic.co |
| web_application | learn.elastic.co |
| web_application | elasticon.elastic.co |
| web_application | training.elastic.co |
| web_application | link.email.elastic.co |
| web_application | track.email.elastic.co |
| web_application | sendgrid.elastic.co |
| web_application | wiki.elastic.co |
| web_application | https://github.com/elastic/*/wiki |
| web_application | *.ctf.elstc.co |
| web_application | https://github.com/swiftype/*/wiki |
| web_application | community.elastic.co |
| web_application | discuss.elastic.co |

This policy crawled by Onyphe on the 2021-08-11 is sorted as bounty.

FireBounty © 2015-2021