FireBounty TeamViewer - Bounty Program Vulnerability Disclosure Program

Link to program

2024-02-12

2025-03-11

Thank

Gift

HOF

Reward

TeamViewer - Bounty Program

TeamViewer Germany GmbH is the market leader for remote control.

It has been installed over 2.3 billions time on any type of operating system and provides connectivity for anyone, anywhere, anytime.

We strongly believe into crowd testing and responsible disclosure model. It helps the industry, it protects users and contributes making the internet a safer place.
If you believe you've found a security vulnerability in our service, we are happy to work with you to resolve the issue promptly and ensure that you are fairly rewarded for your discovery
Any type of denial of service attacks is strictly forbidden, as well as any interference with network equipment and TeamViewer Germany GmbH infrastructure. Your work should be non-destructive and remain within a proof of concept framework.

We are happy to thank everyone who submits valid reports which help us improve the security of TeamViewer Germany GmbH however, only those that meet the following eligibility requirements may receive a monetary reward:
You must be the first reporter of a vulnerability.
The vulnerability must be a qualifying vulnerability (see below)
Any vulnerability found must be reported no later than 24 hours after discovery and exclusively through yeswehack.com
You must send a clear textual description of the report along with steps to reproduce the issue, include attachments such as screenshots or proof of concept code as necessary.
You must avoid tests that could cause degradation or interruption of our service (refrain from using automated tools, and limit yourself about requests per second).
You must not leak, manipulate, or destroy any user data.
You must not be a former or current employee of TeamViewer Germany GmbH nor one of its contractor.
Reports about vulnerabilities are examined and validated by our security analysts.

For now, the scope of this program is limited to the following:

TeamViewer Remote

TeamViewer Remote Client
- TeamViewer Remote desktop client. Available for free download here: https://www.teamviewer.com/en/products/teamviewer/
- web.teamviewer.com
- web.teamviewer.com is the web version of the client
- account.teamviewer.com
- account.teamviewer.com is the associated login service
- login.teamviewer.com
- login.teamviewer.com is the management console of TeamViewer Remote
- TeamViewer Remote Control App
- TeamViewer Remote Control App is the mobile version of the TeamViewer client. Available for Android and iOS.
- TeamViewer QuickSupport App
- TeamViewer QuickSupport App is a mobile client only for incoming remote sessions. Available for Android and iOS.
- Teamviewer Host App
- Teamviewer Host App is a mobile app for unattended access to a mobile device. Only available for Android.

Backend services you might directly interact with from the client app are considered part of the scope.

Scope Type	Scope Name
android_application	https://play.google.com/store/apps/details?id=com.teamviewer.teamviewer.market.mobile&hl=en&gl=US
android_application	https://play.google.com/store/apps/details?id=com.teamviewer.quicksupport.market&hl=en&gl=US
android_application	https://play.google.com/store/apps/details?id=com.teamviewer.host.market&hl=en&gl=US
application	https://www.teamviewer.com/en/products/teamviewer/
ios_application	https://apps.apple.com/de/app/teamviewer-remote-control/id692035811
ios_application	https://apps.apple.com/de/app/teamviewer-quicksupport/id661649585
web_application	https://web.teamviewer.com
web_application	https://account.teamviewer.com
web_application	https://login.teamviewer.com

Scope Type	Scope Name
undefined	All domains not listed In-Scope

This policy crawled by Onyphe on the 2024-02-12 is sorted as bounty.