| Scope Type | Scope Name |
| --- | --- |
| ios_application | https://itunes.apple.com/us/app/find-what-feels-good-yoga/id1050813703?mt=8 |
| other | Branded Customer Roku Apps |
| other | Branded Customer iOS Apps |
| other | Branded Customer Android Apps |
| web_application | The VHX homepage at vhx.tv redirects to a login page at ott.vimeo.com. Please submit these reports to the VHX program. |
Out of Scope
| Scope Type | Scope Name |
| --- | --- |
| android_application | This is out of scope effective 3/15/2019. Please use branded apps for testing. |
| ios_application | The base VHX app is no longer in scope as of 3/15/2019. Please test on branded apps. |
VHX engineers work hard to ensure that our site and users are 100% safe and sound. We greatly respect the work of security experts everywhere, and strive to stay up to date with the latest security techniques. But nobody's perfect. Should you encounter a security vulnerability in one of our products, we want to hear from you.
Before submitting a report, please review our guidelines below as to what constitutes a security vulnerability, and how we'd like you to go about finding them. Once you've filed a report, we promise to work expeditiously to evaluate and resolve any valid bugs.
Bounties are awarded based on merit at our discretion. After 3 medium or higher code-based fixes, you can request a mention on our Bug Hall of Fame.
Please read this section before submitting a report. We want to help reduce your chance of submitting an out-of-scope report that could hurt your Signal, as well as reduce noise in our inbox.
api.vhx.tv (see our API docs)
*.vhx.tv, except for community.vhx.tv (and only if the issue would affect every site, not how a current customer configured it)
Please take the time to provide a clear proof of concept that shows how a particular vulnerability is exploitable. You must be able to reproduce the issue on request with your account(s). Use the following guidelines to categorize security issues.
Critical: most impactful; remote code execution, SQLi, root access to any systems
High: insecure direct object references, stored XSS that can be used against logged-in users, account authentication issues (bypass, etc.)
Medium: stored or reflected cross-site scripting, other novel bugs that have a security impact on many users
Low: CSRF missing from non-excluded functions, other security issues that impact only a small subset of users
Won't fix: information disclosure; see also the other non-qualifying vulnerabilities
We do appreciate reports containing CVSSv3-formatted scores (https://www.first.org/cvss/calculator/3.0).
Reports from automated scanners will not be accepted.
We are primarily interested in exploits that could compromise user privacy or expose content in unintended ways that fit the rest of our rules and don't conflict with the non-qualifying vulnerabilities.
VHX will make a best effort to meet the following SLAs for hackers participating in our program:
We’ll try to keep you informed about our progress throughout the process. We also welcome hearing from you when you've retested and found the issue already fixed, since another ticket may have been the source of the fix.
VHX is a HackerOne managed program. HackerOne currently has a 2 day commitment to initial triage. Once they have triaged a report, they pass it back to VHX. Items in the Triaged state alone will NOT be considered accepted by the program until VHX makes a final disposition, which is denoted by a post-triage acceptance bounty payout ($100). This initial payout is deducted from the final bounty payout, if any. Tickets may be triaged by HackerOne but later marked duplicate or otherwise by VHX. Tickets for problems that developers had already begun remedying before ticket submission, triage, or even the post-triage acceptance bounty award are deemed ineligible. (These may be self-closed or marked duplicate with no links, as the corresponding tickets live in our internal ticket system.)
Past the initial post-triage acceptance bounty award, an additional bounty, bonus, or both may be awarded at our discretion at ticket completion. Only tickets that have been paid the post-triage acceptance bounty award, have been picked up and worked by a developer, and have been verified by the researcher are eligible to be put into a "RESOLVED" state signaling completion. Each ticket starts out at the bottom of a baseline range that takes into account initial perceived severity as well as type. From there it goes up (rarely down) based on various factors, including but not limited to the actual final perceived severity, the completeness of the report, and the ease of working with the researcher. All payouts are suggested by at least one person and approved by another.
Certain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the Google Play Security Rewards Program. To see which apps and vulnerabilities may qualify for a bounty, please refer to the Google Play Security Rewards Program’s Scope and Vulnerability Criteria.
Thank you for helping Vimeo, Inc. and its subsidiaries (of which VHX is one) (“Vimeo”). Vimeo provides this Safe Harbor Statement to encourage and facilitate research using HackerOne’s bug bounty program to help us identify bugs and vulnerabilities.
We authorize you to access our owned-and-operated systems, services, and applications for the purpose of conducting research consistent with HackerOne’s then-current policies. We will not consider your good faith activities in this regard to violate applicable criminal or civil laws (even if those activities inadvertently exceed the scope of our authorization), such as the Digital Millennium Copyright Act or Computer Fraud and Abuse Act, and we will not commence legal action with respect to such activities.
If legal action is commenced against you as a result of your good faith activities, Vimeo will take steps to make it known to parties commencing such action that your activities were conducted in accordance with this Safe Harbor Statement.
To the extent that our applicable online terms of service are inconsistent with this Safe Harbor Statement, then this Safe Harbor Statement shall control.
Please note that this Safe Harbor Statement does not extend to systems, services, and applications that we do not control.
We encourage you to contact us if you have questions regarding the scope of this Safe Harbor Statement. You may do so through HackerOne or by emailing us at email@example.com.
**Thanks for helping us fight the good fight!**