2024-02-12
2025-03-11

Reward

TeamViewer - Bounty Program

Company

TeamViewer Germany GmbH is the market leader for remote control.

It has been installed over 2.3 billion times on any type of operating system and provides connectivity for anyone, anywhere, anytime.

Program Rules

  • We strongly believe in crowd testing and the responsible disclosure model. It helps the industry, protects users and contributes to making the internet a safer place.
  • If you believe you've found a security vulnerability in our service, we are happy to work with you to resolve the issue promptly and ensure that you are fairly rewarded for your discovery.
  • Any type of denial-of-service attack is strictly forbidden, as is any interference with network equipment and TeamViewer Germany GmbH infrastructure. Your work should be non-destructive and remain within a proof of concept framework.

Eligibility and Responsible Disclosure

  • We are happy to thank everyone who submits valid reports which help us improve the security of TeamViewer Germany GmbH; however, only those that meet the following eligibility requirements may receive a monetary reward:
  • You must be the first reporter of a vulnerability.
  • The vulnerability must be a qualifying vulnerability (see below).
  • Any vulnerability found must be reported no later than 24 hours after discovery and exclusively through yeswehack.com
  • You must send a clear textual description of the report along with steps to reproduce the issue; include attachments such as screenshots or proof of concept code as necessary.
  • You must avoid tests that could cause degradation or interruption of our service (refrain from using automated tools, and limit your number of requests per second).
  • You must not leak, manipulate, or destroy any user data.
  • You must not be a former or current employee of TeamViewer Germany GmbH or one of its contractors.
  • Reports about vulnerabilities are examined and validated by our security analysts.

Scope details

For now, the scope of this program is limited to the following:

TeamViewer Remote

  • TeamViewer Remote Client
    • TeamViewer Remote desktop client. Available for free download here: https://www.teamviewer.com/en/products/teamviewer/

  • web.teamviewer.com
    • web.teamviewer.com is the web version of the client.

  • account.teamviewer.com
    • account.teamviewer.com is the associated login service.

  • login.teamviewer.com
    • login.teamviewer.com is the management console of TeamViewer Remote.

  • TeamViewer Remote Control App
    • TeamViewer Remote Control App is the mobile version of the TeamViewer client. Available for Android and iOS.

  • TeamViewer QuickSupport App
    • TeamViewer QuickSupport App is a mobile client only for incoming remote sessions. Available for Android and iOS.

  • TeamViewer Host App
    • TeamViewer Host App is a mobile app for unattended access to a mobile device. Only available for Android.

Backend services you might directly interact with from the client app are considered part of the scope.

Reports of leaks and exposed credentials

In the context of this program, we do not accept or reward reports of leaks that are not applicable to our program’s scope and identified outside of our program’s scope.

Also, in order not to encourage dark and grey economies, in particular the purchase, resale and trade of identifiers or stolen information, as well as all types of dangerous behavior (e.g. social engineering, ...), we will not accept or reward any report based on information whose source is not the result of failure on the part of our organization or one of our employees/service providers.

To summarize our policy, you may refer to this table:

| Type of leak | Source of leak is in-scope | Source of leak belongs to TeamViewer but is out-of-scope | Source of leak does not belong to TeamViewer and is out-of-scope |
| --- | --- | --- | --- |
| Impact is in-scope (e.g. valid credentials on an in-scope asset) | Eligible | Eligible | Not eligible |
| Impact is out-of-scope (e.g. valid credentials for an out-of-scope asset) | Eligible | Not eligible | Not eligible |

This excludes, but is not limited to:

  • Stolen credentials gathered from unidentified sources
  • Exposed credentials that are not applicable on the program’s scope
  • Exposed GitHub/GitLab (or similar) instance with no direct relation with our program’s scope
  • Exposed secrets (e.g. API tokens/keys or other technical credentials) that are not directly related to the program’s scope
  • Exposed PII on an out-of-scope asset

Important precautions and limitations

As a complement to the Program’s rules and testing policy:

  • DO NOT alter compromised accounts by creating, deleting or modifying any data
  • DO NOT use compromised accounts to search for post-auth vulnerabilities (they won’t be eligible anyway)
  • DO NOT include Personally Identifiable Information (PII) in your report and please REDACT/OBFUSCATE the PII that is part of your PoC (screenshot, server response, JSON file, etc.) as much as possible.
  • In case of exposed credentials or secrets, limit yourself to verifying the credentials' validity.
  • In case of sensitive information leak, DO NOT extract/copy every document or data that is exposed and limit yourself to describing and listing what is exposed.

In Scope

| Scope Type | Scope Name |
| --- | --- |
| android_application | https://play.google.com/store/apps/details?id=com.teamviewer.teamviewer.market.mobile&hl=en&gl=US |
| android_application | https://play.google.com/store/apps/details?id=com.teamviewer.quicksupport.market&hl=en&gl=US |
| android_application | https://play.google.com/store/apps/details?id=com.teamviewer.host.market&hl=en&gl=US |
| application | https://www.teamviewer.com/en/products/teamviewer/ |
| ios_application | https://apps.apple.com/de/app/teamviewer-remote-control/id692035811 |
| ios_application | https://apps.apple.com/de/app/teamviewer-quicksupport/id661649585 |
| web_application | https://web.teamviewer.com |
| web_application | https://account.teamviewer.com |
| web_application | https://login.teamviewer.com |

Out of Scope

| Scope Type | Scope Name |
| --- | --- |
| undefined | All domains not listed In-Scope |


This policy crawled by Onyphe on the 2024-02-12 is sorted as bounty.
