
Caterpillar

Vulnerability Disclosure Policy

At Caterpillar, information security is foundational to our strategy. Therefore, we are committed to securing our products, systems and assets.

Caterpillar looks forward to working with the security research community to find potential vulnerabilities and keep our businesses and customers safe. If you believe that you have information about a potential cybersecurity vulnerability related to Caterpillar or our affiliates, please submit it pursuant to this policy.

Thank you in advance for your submission. We appreciate the security research community assisting in our security efforts.

Response Targets

We aim to respond to all report submissions containing a new potential vulnerability within five business days and will strive to keep you informed of our progress throughout the process.

Disclosure Policy Guidelines:

  • Notify us as soon as possible after you discover a real or potential security issue.

  • Follow HackerOne's disclosure guidelines (https://www.hackerone.com/disclosure-guidelines).

  • In return for our consideration of your submission, you:

      • (1) acknowledge such consideration is sufficient;

      • (2) waive any claims related to confidentiality; and

      • (3) grant us a perpetual, irrevocable, non-exclusive, transferable, sublicensable, worldwide, royalty-free license to use, copy, reproduce, display, modify, adapt, transmit, and distribute any content submitted.

  • Provide detailed reports with reproducible steps. Screenshots are welcome. If the report is not detailed enough to reproduce the issue, we may not be able to duplicate or identify the issue and we may close the submission.

  • Submit one vulnerability per report. If a new vulnerability requires, or is linked to another vulnerability, please identify the other vulnerability in the submission. Multiple submissions for the same vulnerability (e.g., different domains, same underlying issue) will be treated as duplicate submissions.

  • Ask for clarification before engaging in conduct that may be inconsistent with or unaddressed by the policy.

Program Rules:

  • Please keep automated testing to 100 requests per second. Going above this threshold may result in being removed from the program.

  • Do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express authorization from Caterpillar.

  • Social engineering (e.g., phishing, vishing, smishing) is prohibited.

  • Only interact with accounts you own or with explicit permission of the account holder.

  • Do not cause harm to Caterpillar, our customers or others.

  • Do not compromise the privacy or safety of Caterpillar, our customers or others and do not compromise the operation of our services. This includes, without limitation:

      • Avoid access to data related to individuals and contact us immediately if you inadvertently encounter such data.

      • Do not alter, save, store, transfer, or otherwise access data, and immediately purge any data that you may have stored locally (e.g., cached) upon reporting the vulnerability to us.

      • Act in good faith to avoid privacy violations, destruction of data and interruption or degradation of our services.

  • Do not violate any laws, including any privacy or data security laws.

  • Do not conduct research on out-of-scope vulnerabilities.

  • Only use exploits to the extent it is both reasonable and necessary to confirm a vulnerability’s presence.

  • Do not use an exploit to compromise or exfiltrate data, establish persistent command line access or to probe other systems.

Test Plan:

  • When signing up on any of Caterpillar's domains, please use your wearehackerone.com alias.

Eligibility:

  • You must be 18 years of age or older and of sound mind to submit a vulnerability for consideration. If you are a minor, you must submit through a parent or legal guardian.

  • You are an individual security researcher participating in your own individual capacity.

  • If you work for a security research organization, that organization permits you to participate in your own individual capacity. You are responsible for reviewing, and abiding by, your employer’s rules for participating in this program.

Researchers who meet any of the following criteria are ineligible for participation:

  • A resident of any country or region that is under United States sanctions, such as Cuba, Iran, North Korea, Sudan, Syria, or Crimea, or a person designated on the U.S. Department of the Treasury’s Specially Designated Nationals List.

In Scope

  • All iOS and Android Apps owned by Caterpillar

Out of Scope Vulnerabilities

Any vulnerabilities requiring physical proximity to a Caterpillar facility, machines, equipment, or other hardware and any software, firmware or other components of such machines, equipment, or hardware (collectively, “Cat Equipment”) are out of scope. Additionally, when reporting vulnerabilities, please consider (1) attack scenario/exploitability and (2) security impact of the vulnerability.

The following issues are also considered out of scope:

  • Vulnerabilities requiring social engineering/phishing to exploit, including, but not limited to:

      • Session cookie reuse

  • Open redirect vulnerabilities

  • Open ports which do not lead directly to a vulnerability

  • Distributed Denial of Service Attacks

  • Presence of autocomplete attribute on web forms

  • Clickjacking on pages with no sensitive actions

  • Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions

  • Attacks requiring MITM or physical access to a device

  • Previously known vulnerable libraries without a working proof of concept

  • Comma Separated Values (CSV) injection without demonstrating a vulnerability

  • Missing best practices in SSL/TLS configuration

  • Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS

  • Rate limiting or brute force issues on non-authentication endpoints

  • Missing best practices in Content Security Policy

  • Missing HttpOnly or secure flags on cookies

  • Missing email best practices (invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)

  • Vulnerabilities only affecting users of outdated or unpatched browsers (less than two stable versions behind the latest released stable version)

  • Software version disclosure/banner identification issues/descriptive error messages or headers (e.g., stack traces, application or server errors)

  • Tabnabbing

  • Open redirects - unless an additional security impact can be demonstrated

  • Issues that require unlikely user interaction

Safe Harbor

We agree not to pursue civil action against you if we determine, in our sole discretion, that you complied with Caterpillar’s and HackerOne’s policies regarding this vulnerability disclosure program; however, we cannot represent the position of any third parties, including but not limited to owners of Caterpillar products and subscribers to Caterpillar services. In the event of a conflict between this policy and any HackerOne policy, this policy applies.

FireBounty crawled the Caterpillar program on the HackerOne platform on 2022-04-19.