2022-12-20

Harman International Lifestyle Products & Services

Company

HARMAN International is a global leader in connected car technology, lifestyle audio
innovations, design and analytics, cloud services and IoT solutions.

About our Scopes

The scopes listed further below are intended to support the hardening of the entire ecosystem related to our JBL devices.

Be immersed in 3D surround sound with JBL’s latest soundbar launches, including the feature-packed JBL Bar 1000. A true home cinema experience without wires, the 7.1.4 channel JBL Bar 1000 uses four up-firing drivers to envelop you in a sphere of Dolby Atmos® and DTS:X 3D surround sound. The JBL Bar 300, JBL Bar 500 and JBL Bar 800 join the JBL Bar 1000 to complete the all-new JBL Bar Series.

Program Rules

We believe that no technology is perfect and that working with skilled security researchers is crucial in
identifying weaknesses in our technology.
If you believe you've found a security bug in our service, we are happy to work with you to resolve the
issue promptly and ensure you are fairly rewarded for your discovery.
Any type of denial-of-service attack is strictly forbidden, as is any interference with network
equipment and Harman infrastructure.

Reward Eligibility and Testing precautions

We are happy to thank everyone who submits valid reports which help us improve the security of
Harman; however, only those who meet the following eligibility requirements may receive a monetary
reward:

  • You must be the first reporter of a vulnerability.
  • The vulnerability must be a qualifying vulnerability (see below).
  • Any vulnerability found must be reported no later than 24 hours after discovery and exclusively
    through yeswehack.com.
  • You must send a clear textual description of the report along with steps to reproduce the issue,
    and include attachments such as screenshots or proof-of-concept code as necessary.
  • You must avoid tests that could cause degradation or interruption of our service (refrain from using
    automated tools, and limit your requests per second).
  • You must not leak, manipulate, or destroy any user data.
  • You must not be a former or current employee of Harman or one of its contractors.
  • Reports about vulnerabilities are examined by our security analysts.
  • Our analysis is always based on worst-case exploitation of the vulnerability, as is the reward we
    pay. No vulnerability disclosure, including partial disclosure, is allowed for the moment.

REVIEW DATE

This program was last reviewed: July 2024

In Scope

Scope Type           Scope Name
android_application  https://play.google.com/store/apps/details?id=com.jbl.oneapp&hl=fr&gl=US
api                  lsaconsumerevents2.onecloud.harman.com
api                  lsaconsumerevents3.onecloud.harman.com
api                  lsaconsumerevents1.onecloud.harman.com
api                  events.onecloud.harman.com
api                  ota-staging.onecloud.harman.com
api                  ota.onecloud.harman.com
api                  apis.onecloud.harman.com
api                  edgeapis.onecloud.harman.com
api                  things.onecloud.harman.com
ios_application      https://apps.apple.com/fr/app/jbl-one/id1610239857
undefined            Device: JBL Bar 300
undefined            Device: JBL Bar 500
undefined            Device: JBL Bar 700
undefined            Device: JBL Bar 800
undefined            Device: JBL Bar 1000
undefined            Device: JBL Bar 1300
undefined            JBL Authentics 200
undefined            JBL Authentics 300
undefined            JBL Authentics 500
undefined            JBL Boombox 3 Wi-Fi
undefined            JBL Charge 5 Wi-Fi
undefined            JBL PartyBox Ultimate
undefined            JBL Flip 6
undefined            JBL Charge 5
web_application      a1ttqkupgmaxeg-ats.iot.us-east-1.amazonaws.com
web_application      a1ttqkupgmaxeg-ats.iot.ap-east-1.amazonaws.com

Out of Scope

Scope Type           Scope Name
web_application      Anything not explicitly listed in the Scope section is out of scope. For example, our e-commerce websites are out of scope in this program.


This program was found on YesWeHack on 2022-12-20.
