Vimeo engineers work hard to ensure that our site and users are 100% safe and sound. We greatly respect the work of security experts everywhere, and strive to stay up to date with the latest security techniques. But nobody's perfect. Should you encounter a security vulnerability in one of our products, we want to hear from you.
Before submitting a report, please review our guidelines below as to what constitutes a security vulnerability, and how we'd like you to go about finding them. Once you've filed a report, we promise to work expeditiously to evaluate and resolve any valid bugs.
Bounties are awarded based on merit at our discretion.
Requirements for your submission to be eligible for a bounty reward:
You must demonstrate a vulnerability with proof/evidence. When hunting for bugs and when providing evidence, please only use your own accounts. Do not use or access other people’s data or accounts at any time.
You must be the “first reporter.” Please understand that we have an active security team that does regular internal testing, contracts out for pentests, developers fixing issues on their own, etc. If they happen to file the same issue before yours, they will count as the “first reporter” and your report will be considered a duplicate.
The underlying issue must be unique, ie. multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
Your report must be in scope. Please look over the scope table at the end of this policy before submitting a report. We want to help reduce your risk of submitting an out-of-scope report that could hurt your Signal, as well as reduce noise in our inbox.
Suggestions to ensure fast processing and maximum bounty:
Communicate respectfully and professionally at all times**
Provide detailed reproducible steps. This is important.
Explain the potential impact
Submit only one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
Your report does not necessarily need to include a full exploit. Did you come across a spicy bug which has a good impact, but you’re missing one or two pieces needed to complete the exploit? Send it our way, we’d be happy to take a look and might even consider it without it being fully complete.
DO NOT use automated tools or scanners. Reports as such will be closed as N/A.
DO NOT DDoS or otherwise attack us in a way that would disrupt service for our customers.
DO NOT disclose or discuss any vulnerability, even resolved ones, outside of the program at any time without express consent from Vimeo. Please see our Disclosure Policy below for instructions on requesting permission for disclosure.
DO NOT attempt to access other people's private data or accounts. Basic Vimeo accounts are free, so setting up example cases with throwaway accounts should be easy.
Vimeo and HackerOne will make best efforts to meet the following SLAs for hackers participating in our program:
HackerOne aims to complete initial triage within 2 days after you submit your report
Vimeo will complete final triage within 3 business days after the H1 triage
Vimeo will award the full bounty immediately once we confirm that it’s not a duplicate and we intend to fix it
Vimeo is a HackerOne managed program. HackerOne currently has a commitment to complete initial triage within 2 days after you submit your report. Once they finish initial triage, they will pass the report back to Vimeo so that we may conduct final triage. Items in the Triaged state alone will NOT be considered accepted until Vimeo makes a final decision, which we will signify with a full bounty payout.
Please be aware that, even if the HackerOne team has triaged a ticket, the Vimeo team may potentially close the ticket at any time with no payout, eg. if we discover that it is a duplicate or if we decide to not fix the issue. Further note, that if the report is a duplicate, we may potentially not provide any links to the original ticket, especially if the original reporter would prefer that their report be kept private or if the original ticket exists within our internal ticketing system.
We’re open to accepting any valid in-scope security issue, but we’re especially interested in the following issues:
SSRF : Vimeo’s backend is full of microservices which communicate to each other and sometimes with partial or full control over the HTTP requests thus making us prone to this type of attack.
Injection (OS, SQL etc)
Authentication & OAuth Vulnerabilities
XSS
Video privacy bypass
Note, that you report does not necessarily need to include a full exploit. Did you come across a spicy bug which has a good impact, but you’re missing one or two pieces needed to complete the exploit? Send it our way — we’d be happy to take a look and might even consider it without it being fully complete.
Basic Vimeo accounts are free, but Vimeo offers additional features to our customers via our paid plans. We’d like to give our bug bounty researchers access to these paid plans free of charge so that they may test all the extra functionality that is available only in those plans.
To be eligible for a paid account, you must meet at least one of the following qualifications:
OR
OR
Please take the time to provide a clear proof of concept that shows how a particular vulnerability is exploitable. You must be able to reproduce the issue on request with your account(s). Use the following table to categorize security issues.
Note: Non-listed vulnerabilities may also be eligible. Some vulnerability types may fall under a variety of severity ratings determined by scope/scale of exploitation and impact.
| Severity (Minimum) | Severity (Maximum) | Vulnerability Type | Bug Examples | |
|--------------------|--------------------|----------------------------------------------------------|-----------------------------------------------------------------------------------------|---|
| Critical | Critical | OS Shell Execution | Remote Code Execution; Code Injection; OS Command Injection | |
| Medium | Critical | SQL Injection | SQL Injection (Inband SQLi; Blind SQLi) | |
| Medium | Critical | Server-Side Request Forgery | SSRF (unrestricted); Content-Restricted SSRF; Error-based SSRF (true/false); Blind SSRF | |
| Low | Critical | Incorrect Permission Assignment | IDOR; Horizontal Privilege Escalation; Vertical Privilege Escalation | |
| High | Critical | Improper Restriction of XML External Entity Reference | XXE | |
| High | Critical | Uncontrolled Format String | Insecure Deserialisation | |
| Medium | High | Inconsistent Interpretation of HTTP Requests | HTTP Request Smuggling | |
| Low | Critical | Inclusion of Functionality from Untrusted Control Sphere | Server Side Includes Injection; Local File Inclusion; Directory Traversal | |
| Low | Critical | Missing Authentication for Critical Function | Exposed Administrative Interface | |
| Low | Critical | Information Exposure | Exposure of PII; Credentials on GitHub; Confidential Information Exposure | |
| Low | Critical | Incorrect Authorization | Authorization Bypass; Account Takeover | |
| Medium | Medium | Download of Code Without Integrity Check | S3 Bucket Upload | |
| Medium | High | Cross-Site Scripting | Different type of XSS | |
| Low | High | Cross-Site Request Forgery | State-Changing CSRF; Non-State-Changing CSRF | |
| Low | Medium | Misconfiguration | Subdomain Takeover; Dangling DNS Record | |
| Low | Medium | CRLF Injection | CRLF Injection | |
User enumeration
Open redirect (Unless chained to show an impact)
Reports from automated tools or scans
Missing rate limits, unless it can lead to account takeover
Missing cookie flags on non-sensitive cookies
Logout CSRF attacks (unless chained to show an impactful exploit)
Reports of insecure SSL/TLS ciphers (unless you have a working proof of concept -- and not just a report from a scanner)
Reports of insecure crossdomain.xml configuration (again, unless you have a working proof of concept and not just a report from a scanner)
Reports of window.opener redirects
Open SMTP redirects (just because it looks like you can use our servers doesn't mean it's true-- unless you have a PoC)
Email related attacks including spoofing or any issues related to SPF, DKIM or DMARC
Clickjacking on static websites
Content spoofing / text injection
Use of a known vulnerable library (without evidence of exploitability)
Vulnerabilities affecting users of outdated browsers or platforms
Social engineering attacks
Missing HTTP security headers (unless you deliver a proof of concept that leverages their absence)
Self-XSS
Denial of service attacks, do not perform them
3rd party sites used by Vimeo
Subdomain takeovers where someone has signed up for an account, forwarded to an external site that doesn't exist/can be compromised
RCE on sites that link or are redirected from Vimeo
Exploits that require the attacker to have access to the user’s device or external account (phone, laptop, email, 2FA token, etc)
Issues where the user’s device or account (phone, laptop, email, etc) have been rooted, malwared, bot'd, etc.
Vimeo understands that disclosure helps the infosec community and strengthens your professional reputation.
If you wish to disclose a specific issue, you must receive explicit prior approval from Vimeo.
Please do not discuss any vulnerabilities, even resolved ones, outside of the program at any time without express consent from Vimeo.
Please request a disclosure by commenting on the report within HackerOne and we’ll kick off an internal disclosure process promptly.
Vimeo reserves the right to approve or deny any request for disclosure for any reason and at our sole discretion.
Only Resolved reports requested by the original reporter are eligible for disclosure. All other reports (Informative, NA, Spam) are not eligible for disclosure of any kind, in or outside the HackerOne platform.-
Duplicate reports are not eligible for disclosure. Only the original reporter is eligible for disclosure
Should a researcher break any disclosure or program policies, that researcher shall no longer be protected under Safe Harbor and will be subject to legal action at our discretion. Furthermore, failure to comply with these rules may result in a program ban for all company properties (Vimeo, Livestream, VHX, Magisto) .
In addition to these rules, please also follow HackerOne's disclosure guidelines
Thank you for helping Vimeo, Inc. and its subsidiaries (“Vimeo”). Vimeo provides this Safe Harbor Statement to encourage and facilitate research using HackerOne’s bug bounty program to help us identify bugs and vulnerabilities.
We authorize access to our owned-and-operated systems, services, and applications for the purpose of conducting research consistent with HackerOne’s then-current policies. We will not consider your good faith activities in this regard to violate applicable criminal or civil laws (even if those activities inadvertently exceed the scope of our authorization), such as the Digital Millennium Copyright Act or Computer Fraud and Abuse Act, and we will not commence legal action with respect to such activities.
If legal action is commenced against you as a result of your good faith activities, Vimeo will take steps to make it known to parties commencing such action that your activities were conducted in accordance with this Safe Harbor Statement.
To the extent that our applicable online terms of service are inconsistent with this Safe Harbor Statement, then this Safe Harbor Statement shall control.
Please note that this Safe Harbor Statement does not extend to systems, services, and applications that we do not control.
We encourage you to contact us if you have questions regarding the scope of this Safe Harbor Statement. You may do so through HackerOne or by emailing us at bugbounty@vimeo.com.
Thanks for helping us fight the good fight!
Scope Type | Scope Name |
---|---|
android_application | com.vimeo.android.videoapp |
android_application | com.vimeocreate.videoeditor.moviemaker |
ios_application | 425194759 |
ios_application | 1491791513 |
web_application | player.vimeo.com |
web_application | www.vimeo.com |
web_application | *.vimeo.com |
web_application | api.vimeo.com |
web_application | checkout.vimeo.com |
web_application | vimeo.com/ondemand |
web_application | *.cloud.vimeo.com |
web_application | vimeo.com/api |
web_application | vimeopro.com |
web_application | vimeo.com/create |
web_application | vimeo.magisto.com |
Scope Type | Scope Name |
---|---|
mobile_applications | All |
web_application | *.email.vimeo.com |
web_application | vimeo.atlassian.net |
web_application | *.wirewax.com |
web_application | *.wirewax.app |
web_application | *.wibbitz.com |
The progam has been crawled by Firebounty on 2015-01-05 and updated on 2020-04-11, 574 reports have been received so far.
FireBounty © 2015-2024