Fidelity
Fidelity Vulnerability Disclosure Program Policy
============
Table of Contents
============
Safe Harbor
Program Eligibility
Program Rules
Legal
Response Times
Test Instructions
Scope Exclusions
I. Vulnerability Disclosure Program
=============
Fidelity looks forward to working with the security community to identify and responsibly disclose vulnerabilities in the domain(s) designated in scope in this Policy in order to keep our business and customers safe. If you have any information about or discover security vulnerabilities that could impact Fidelity or our customers, please submit a report in accordance with this policy (“Policy”). By participating in our Vulnerability Disclosure Program (“Program”) and submitting your findings, you confirm that you meet our Program Eligibility terms and accept and agree to be bound by this Policy.
1. Safe Harbor
Any activities conducted in a manner consistent with this Policy will be considered authorized conduct, and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this Policy, we will make it known that your actions were conducted in compliance with this Policy. Fidelity reserves all legal rights in the event of noncompliance with this Policy or applicable law.
2. Program Eligibility
You are at least 18 years of age.
You are not a resident of, or located in, any country against which the United States has issued sanctions or other trade restrictions and are not a person (or affiliated with a company or organization) designated in the U.S. Department of the Treasury’s Specially Designated Nationals List.
Follow HackerOne’s Disclosure Guidelines.
You may not engage in any security research or vulnerability disclosure activity that is inconsistent with terms and conditions of the Policy or applicable law.
You are the first to submit a sufficiently reproducible report for a vulnerability – this is a requirement to be eligible for the report to be accepted and triaged.
Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.
Publicly-known Zero-day vulnerabilities will not be considered until more than 30 days have passed since patch availability.
Fidelity employees are not eligible for participation in this Program.
3. Program Rules
Do:
Perform testing using only accounts that are your own personal/test accounts or an account that you have explicit permission from the account holder to utilize.
Exercise caution when testing to avoid negative impact to us and our customers and the services we and they depend on.
STOP testing if you are unsure about the impact it may have on our systems. If you think you may cause, or have caused, damage with testing a vulnerability, immediately report your initial finding(s) and request authorization to continue testing.
Do NOT:
Do not Brute force credentials or guess credentials to gain access to systems.
Do not participate in denial of service attacks.
Do not upload shells or create a backdoor of any kind.
Do not engage in any form of social engineering of Fidelity employees, customers, or vendors.
Do not test third party assets, subdomains managed by third parties, or any domains listed as out of scope in this Policy. Please check our publicly published IP ranges and conduct all necessary due diligence to determine ownership of an asset prior to testing.
Do not engage or target any Fidelity employee, customer, or vendor during your testing.
Do not access, modify, copy, download, delete, compromise or otherwise misuse others’ data or access non-public information without authorization. Do not attempt to extract, download, or otherwise exfiltrate any non-public data other than your own.
If you encounter any sensitive data, including personally identifiable information (PII), financial information, or proprietary information, you must stop your test, immediately notify Fidelity, and not disclose this data to anyone else.
Do not change passwords of any account that is not yours. If ever prompted to change a password of an account that is nor yours, stop and report the finding immediately.
Do not do anything that would be considered a privacy violation, cause destruction of data, or engage in any activity that can potentially or actually interrupt, degrade, or stop our services or assets or that can potentially or actually harm Fidelity, our customers, employees, or vendors.
Do not interact with accounts you do not own.
Do not send more than 100 requests per second per unique domain.
Do not initiate a fraudulent financial transaction.
Do not engage in any activity that violates (a) U.S. federal or state laws, regulations, or rules or (b) the laws or regulations of any country where (i) data, assets or systems reside, (ii) data traffic is routed or (iii) the researcher is conducting research activity.
Do not mass scan Fidelity domains. Offending IP addresses may be blocked.
Do not exploit beyond what is necessary to demonstrate vulnerability presence. You need to show that you could exploit a vulnerability, but you must not actually exploit it.
Do not access content of communications, data, or information on Fidelity systems except to the extent that information directly relates to the vulnerability and is necessary to prove the vulnerability exists.
Do not discuss the Program or any vulnerabilities you discover outside the Program or share any Report (as defined below) with any third parties without Fidelity’s express written consent. Do not store or share non-public data obtained through testing except to the extent necessary to communicate the finding to the Fidelity.
Do not contact the Fidelity security team directly about the status of a HackerOne report you have submitted. Please keep all communications within the HackerOne platform.
Do not upload or share proof of concept videos or write ups of reported issues on third-party platforms.
4. Legal
You acknowledge and agree that any and all information you receive, collect, encounter, obtain, or otherwise acquire, access or generate about us, our products and services, our affiliates, customers, employees, service providers, or agents in connection with the Program (whether before or after you participate in the Program, including as a result of you finding and/or investigating a vulnerability in our domains) and any information regarding your participation in our Program (collectively, “Fidelity Confidential Information”) must be kept confidential, only used in connection with Program and not disclosed to any third party except to HackerOne as expressly permitted under this Policy.
You have no rights, title or ownership to any Fidelity Confidential Information, and you may not use, disclose or distribute any such Fidelity Confidential Information, including any reports, except to HackerOne as required for your participation in the Program.
By participating in our Program, you represent and warrant that (1) you will hold the Fidelity Confidential Information in strict confidence, (2) you have not used and will not use Fidelity Confidential Information for any purpose other than in connection with the Program, and (3) you have not and will not copy, reproduce, sell, assign, license, market, transfer, or otherwise dispose of, give, disclose or share such Fidelity Confidential Information with any third party, except for disclosing certain Fidelity Confidential Information to HackerOne as expressly permitted under this Policy.
By reporting a vulnerability under our Program, you hereby represent and warrant that your report, including any information and materials submitted therewith (collectively, “Report”) is original to you and you own all right, title and interest in the Report. As a condition to your participation in our Program and by submitting a Report, you hereby grant to Fidelity and its affiliates a perpetual, irrevocable, transferable, sublicensable, worldwide, royalty-free exclusive right and license to reproduce, adapt, modify, publish, distribute, publicly perform, create derivative work from, make, use, sell, offer for sale and import the Report for any purpose. You hereby waive all claims, including breach of contract or implied-in-fact contract, arising from your Report.
After a Report has been submitted, we reserve the right to request from you, and you hereby accept to abide by such request, to immediately securely and permanently delete any data related to such Report, including, without limitation, any Fidelity Confidential Information in your possession or control. Additionally, you agree to immediately securely and permanently delete any data related to the Report upon it no longer being reasonably necessary to retain for the purposes of conveying the impact or scope of the reported vulnerability, after verifying with the Fidelity security team via the HackerOne platform that it is no longer necessary.
If you engage in any activities that are inconsistent with this Policy or the law, you may be subject to criminal and/or civil liabilities.
Fidelity reserves the right to terminate or modify the Program at any time without prior written notice to you, and you accept any modification to this Policy if you participate in the Program ,. Please check this site regularly for any updates to this Policy, which are effective upon posting. You can subscribe to receive email notifications when this Policy is updated.
II. Submission Process
=============
1. Response Times
| Type of Response | Target (business days) |
| ------------- | ------------- |
| First Response | 1 day |
| Time to Triage | 5 days |
| Time to Resolution | depends on severity and complexity |
2. Test Instructions
We strongly recommend you use a customized user agent header in your HTTP(S) requests, for example:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:96.0) Gecko/20100101 Firefox/96.0 vdp-hackeroneusername
For non-HTTP requests we strongly recommend you add an identification to artifacts in POCs, and, or payloads so our teams can identify you as a verified hacker and not a malicious attacker: h1:<vdp-hackeroneusername>. If you forget to tag your traffic, please list your IP in the submission form.
No credentials are required or provided for this Program. If you self-register for any accounts, please register with your @ wearehackerone.com email address. You may not use exposed credentials to continue testing without Fidelity’s express written approval.
3. Scope Exclusions
Fidelity reserves the right to add to and subtract from this Scope Exclusions list depending on the evaluated severity of reported vulnerabilities and risk acceptance*
Clickjacking on pages with no sensitive actions.
Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions including login/logout functionalities.
Attacks requiring MITM or physical access to a user's device.
Previously known vulnerable libraries without a working proof of concept.
Comma Separated Values (CSV) injection without demonstrating a vulnerability.
Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.
Any activity that could lead to the disruption of our service (DoS), including but not limited to, inundating support services with invalid requests.
Missing best practices including Content Security Policy and HttpOnly or Secure flags on cookies.
Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.).
Vulnerabilities only affecting users of outdated or unpatched browsers (Less than 2 stable versions behind the latest released stable version).
Tabnabbing.
Issues that require unlikely user interaction by the victim.
Self XSS if can’t be chained with other vulnerabilities to demonstrate impact.
Security vulnerabilities in third-party products (SaaS) or websites that are not under Fidelity direct control.
Disclosure of known public files or directories, (e.g. robots.txt).
Missing best practices in SSL/TLS configuration.
III. FAQ's
============
Can I get Fidelity swag?
Fidelity does not currently offer swag
Can Fidelity provide me with a pre-configured test account?
This Program does not provide credentials or any special access
What causes a report to be closed as Informative, Duplicate, N/A, or Spam?
What is an example of an accepted vulnerability?
Valid and accepted vulnerabilities would be the type of report that identifies a unique security impact on this Program’s specific scope. The report must also meet any submission criteria outlined in our Program policy, such as test plan instructions and a working proof of concept.
Thank you for helping keep Fidelity and our users safe!
| Scope Type | Scope Name |
|---|---|
| web_application | *.fidelity.com |
| Scope Type | Scope Name |
|---|---|
| web_application | china.fidelity.com |
| web_application | www.boundless.fidelity.com |
| web_application | testjobs.fidelity.com |
| web_application | www.jobs.fidelity.com |
| web_application | india.fidelity.com |
| web_application | www.india.fidelity.com |
| web_application | boundless.fidelity.com |
| web_application | social.fidelity.com |
| web_application | reviews.fidelity.com |
| web_application | social.retail.fidelity.com |
| web_application | reviews.retail.fidelity.com |
| web_application | sitecatalyst.fidelity.com |
| web_application | jobs.fidelity.com |
This program crawled on the 2022-07-14 is sorted as bounty.
FireBounty © 2015-2024
