Acronis looks forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe.
We respect the time and effort of our researchers
We will respond within 5 business days
We will process reports within 10 business days
We will determine bounty amount within 10 business days after triage
We will do our best to keep you informed about our progress throughout the process
Be an ethical hacker and respect other users' privacy
Register accounts using your [username]+x@wearehackerone.com addresses
Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service
If you do any automated scanning against web resources and APIs, make sure to place your @wearehackerone email in the User-Agent header
Automated scanning tools must be limited to 5 requests per second per target host, summed across all tools and threads running in parallel
Violation of these rules might result in ineligibility for a bounty or permanent ban
Social engineering (e.g. phishing, vishing, smishing) is prohibited
Only interact with accounts you own or with the explicit permission of the account holder
If any sensitive information is accessed as a part of exploitation, it must not be stored, transferred or otherwise processed after the initial discovery. All copies of sensitive information must be returned to Acronis and may not be retained
Always limit exploitation to the minimal proof of concept required to demonstrate the vulnerability. Do not attempt to access Acronis or other users' accounts or data, or to perform post-exploitation of other vulnerabilities. Stop, report what you have found and request additional testing permission
Use the following commands to demonstrate command execution vulnerabilities
| Non-root | Root |
|:-----------------------------|:---------------------------------|
| id | id |
| cat /etc/hosts | cat /proc/1/maps |
| touch ~/[your H1 username] | touch /root/[your H1 username] |
Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact
Reports that include clear steps to reproduce and proof of concept code will be more likely to be accepted
Request access to Acronis Cyber Cloud beta environment by sending an email to security-bounty-accounts@acronis.com with ACCOUNT-REQUEST:[username] in subject. Make sure to provide your H1 username, not email. For instance, account request for user acronis should have the subject ACCOUNT-REQUEST:acronis
You can find Acronis Cyber Cloud API documentation at developer.acronis.com
If you want to test mobile applications, request trial for Acronis Cyber Cloud by completing registration
Request trial for Acronis Cyber Backup by completing registration
Download trial version of Acronis Cyber Protect Home Office (formerly Acronis True Image) here
You can find quickstart guides and more information about Acronis products and services at kb.acronis.com
Note that some vulnerabilities may already be fixed in the beta versions (check assets description)
When duplicates occur, we only award the first report that we receive
If a vulnerability is fixed in the beta version, we will consider it a duplicate
Multiple vulnerabilities caused by one underlying issue will be awarded one bounty
Follow HackerOne's disclosure guidelines
No vulnerability disclosure is allowed without express consent from Acronis. This rule applies to any vulnerability details as well as information obtained during exploitation even for resolved issues
We may request up to 180 days of additional time after disclosure request or report resolution to remediate the issue. This time is usually required to distribute the fixed version among our customers
Besides disclosing reports on HackerOne, we also publish details about discovered vulnerabilities and corresponding security updates in Acronis Advisory Database
Any activities conducted in a manner consistent with this policy will be considered authorised conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
Thank you for helping keep Acronis and our users safe!
Scope Type | Scope Name |
---|---|
android_application | com.acronis.acronistrueimage |
android_application | com.acronis.abc |
application | Acronis Agent |
application | Acronis Cyber Protect |
application | Acronis DeviceLock DLP |
application | Acronis Snap Deploy |
application | Acronis Cyber Protect Home Office (formerly Acronis True Image) |
ios_application | 1118448159 |
ios_application | 978342143 |
ios_application | 429704844 |
ios_application | 1192506963 |
other | Other Acronis Domains |
other | Acronis Cyber Infrastructure |
web_application | beta-baas.acronis.com |
web_application | -api-.acronis.com |
web_application | *.acronis.com |
web_application | account.acronis.com |
web_application | *.5nine.com |
web_application | *.devicelock.com |
web_application | *.acronis.work |
This policy, crawled by Onyphe on 2020-08-11, is sorted as bounty.