2018-09-11
2020-04-17
Alibaba BBP

Alibaba BBP looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.

Response Targets

Alibaba BBP will make the best effort to meet the following SLAs for hackers participating in our program:

| Type of Response | SLA in business days |
| ------------- | ------------- |
| First Response | 2 days |
| Time to Triage | 5 days |
| Time to Bounty | 2 days |
| Time to Resolution | depends on severity and complexity |

We’ll try to keep you informed about our progress throughout the process.

Disclosure Policy

  • Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.

  • Follow HackerOne's disclosure guidelines.

Reward Level

Because Alibaba runs a wide range of businesses online, the same kind of vulnerability can have a different impact on different businesses. To account for this, we have divided our businesses into two levels, Core Business and Normal Business:

Core Business: Products and services related to buyers, sellers, trades and shops on in-scope domains.

Normal Business: Products and services not related to buyers, sellers, trades and shops on in-scope domains.

Core Business reports are rewarded at the Level 1 rates in the tables below, and Normal Business reports at the Level 2 rates.

Level 1

| Critical | High | Medium | Low |
| ------------- | ------------- | ------------- | ------------- |
| $2,500 - $3,250 | $1,000 - $1,300 | $100 - $150 | $30 - $50 |

Level 2

| Critical | High | Medium | Low |
| ------------- | ------------- | ------------- | ------------- |
| $1,000 - $1,300 | $400 - $520 | $50 - $80 | $20 - $30 |

Access

Researchers are free to create their own seller, buyer, etc., accounts on the in-scope applications. No credentials or privileged access will be provided by Alibaba, so accounts are limited to what users can create on their own.

Program Rules

  • Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.

  • Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.

  • When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).

  • Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.

  • Social engineering (e.g. phishing, vishing, smishing) is prohibited.

  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.

Scope

For the first stage of Alibaba's Bug Bounty Program, only the listed targets are in scope. Other domains and assets owned by Alibaba but not listed are out of scope and ineligible for bounty.

You may submit reports for assets that were previously listed in the Alibaba Response Program to the ASRC platform here: https://security.alibaba.com/ . We may add those assets gradually in the next program phase. Stay tuned for updates!

Things to note about the Scope

Please note that if an IP belongs to an external Alibaba Cloud customer, it is not in scope.

If an IP's description contains 'Alicloud' or 'Aliyun' in the search result here: http://wq.apnic.net/static/search.html, there is a high chance that the IP belongs to an external Alibaba Cloud customer and is therefore not in scope. Treat this only as a reference, not a hard and fast rule. If you are not sure and the impact is severe enough, you can submit the report and we will look into it ASAP.

Vulnerabilities in:

.anydomain.com|cn/[/]login.htm .anydomain.com|cn/[/]mini[*]login.htm

.anydomain.com|cn/[/]icbu[*]login.htm

or in URLs matching patterns like the above

will be considered only ONE valid report, because they share the same back-end service. Likewise, vulnerabilities in different parameters of the same URL are considered ONE valid report.

The same vulnerability on different country sites is considered ONE valid report.
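The three deduplication rules above can be codified as a triage helper. The following is an added example, not code from the program or from HackerOne; it assumes that `[/]` in the patterns means any path prefix, `[*]` means any string, that "different country sites" differ only in the subdomain or the .com/.cn suffix, and that the `report_key`, `brand_label` and `group_reports` names are hypothetical.

```python
"""Triage helper: collapse reports the program treats as one finding."""
import re
from urllib.parse import urlsplit

# Assumption: login.htm, mini<anything>login.htm and icbu<anything>login.htm
# under any path of any .com/.cn host share one back-end login service.
LOGIN_FAMILY = re.compile(r"^(?:login|mini.*login|icbu.*login)\.htm$")


def brand_label(host: str) -> str:
    """Drop country-site prefixes and the .com/.cn suffix (assumption: country
    sites differ only in subdomain or suffix, e.g. de.alibaba.com)."""
    labels = host.lower().split(".")
    if len(labels) >= 2 and labels[-1] in ("com", "cn"):
        return labels[-2]
    return host.lower()


def report_key(vuln_type: str, url: str) -> tuple:
    """Return the key under which a report counts as a duplicate."""
    parts = urlsplit(url)
    filename = parts.path.rsplit("/", 1)[-1]
    if LOGIN_FAMILY.match(filename):
        service = "shared-login-service"   # rule 1: same back-end service
    else:
        service = parts.path.rstrip("/") or "/"   # rule 2: query string ignored
    # rule 3: brand label only, so country sites collapse together
    return (vuln_type.lower(), brand_label(parts.hostname or ""), service)


def group_reports(reports):
    """reports: iterable of (report_id, vuln_type, url). The first id in each
    group is the report that would be rewarded; the rest are duplicates."""
    groups = {}
    for report_id, vuln_type, url in reports:
        groups.setdefault(report_key(vuln_type, url), []).append(report_id)
    return groups


# Constructed sample reports (not real findings).
SAMPLE = [
    ("r1", "Reflected XSS", "https://login.alibaba.com/login.htm?redirect=x"),
    ("r2", "Reflected XSS", "https://de.alibaba.com/passport/mini_login.htm?tracelog=y"),
    ("r3", "Reflected XSS", "https://www.alibaba.com/trade/search?q=a"),
    ("r4", "Reflected XSS", "https://www.alibaba.com/trade/search?q=b"),
    ("r5", "Open Redirect", "https://www.alibaba.com/trade/search?next=c"),
]

if __name__ == "__main__":
    for key, ids in group_reports(SAMPLE).items():
        print(key, "->", ids)
```

With the constructed sample, r1/r2 collapse under the login-service rule and r3/r4 under the same-URL rule, while r5 stays separate because it is a different vulnerability type.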

Aliyuncs.com

aliyuncs.com is not a 'trusted' domain in our business, so front-end vulnerabilities on it, such as XSS, CSRF and open redirection, are not in scope. Server-side vulnerabilities on aliyuncs.com are in scope.

RCE

RCE on Production Network Services: you can verify whether you are in a Production Network by running curl http://ssrf.asrctest.com/. If the response contains 'ewScgt51auzKg', you are in the production network.

RCE on other network services, such as a cloud server, will be rated no higher than High severity.

Stored XSS

Only stored XSS (without user interaction) on the main shop page, the item detail page or the chat page (buyer to seller) can be rated High severity; all other kinds of stored XSS will be rated no higher than Medium severity.

Please note that the following types of vulnerabilities will not be assessed higher than Medium severity:

Vulnerabilities that require the user to visit a certain URL or an attacker-controlled URL, for example:

  • Reflected XSS

  • Stored XSS that requires the user to visit a certain URL or requires user interaction

  • CSRF

  • CORS

  • Jsonp Hijacking

  • OAuth Hijacking

  • Privilege Escalation

  • Unused or abandoned subdomain takeover

  • Arbitrary file upload that only leads to Stored XSS etc.

Assessment Guidelines for SSRF Vulnerability Severity

Alibaba has identified four main types of SSRF for its businesses:

1. SSRF on Production Network Services

2. Blind SSRF on Production Network Services

3. SSRF on Cloud Server

4. Blind SSRF on Cloud Server

Please note that the severity of SSRFs may range from low to critical. We have prepared a document outlining how SSRF issues will be assessed and to give clarity to our researchers: https://security.alibaba.com/announcement/announcement?id=194.

Open source projects of Alibaba

Open source projects of Alibaba and Aliyun on GitHub are NOT in this program's scope. If you find any vulnerabilities in them, you can report them on ASRC: https://security.alibaba.com/ .

Out of scope vulnerabilities

The following finding types are specifically excluded:

  • Vulnerabilities affecting users of outdated browsers or platforms

  • Account brute force

  • Account takeover via CSRF/OAUTH etc.

  • Self-XSS

  • Flash-based XSS

  • Tabnabbing

  • Email spoofing

  • Session fixation

  • Content Spoofing

  • Missing cookie flags

  • Best practices/issues

  • HTML content injection

  • Mixed content warnings

  • Clickjacking/UI redressing

  • HTTPS/SSL/TLS Related Issues

  • Physical or social engineering attacks

  • Reflected file download attacks (RFD)

  • Issues that require unlikely user interaction

  • Login/logout/unauthenticated/low-impact CSRF

  • Unverified results of automated tools or scanners

  • No SPF/DMARC in non-email domains/subdomains

  • Attacks requiring MITM or physical access to a user's device

  • Issues related to networking protocols or industry standards

  • Carriage Return Line Feed injection without direct impact (CRLF)

  • Error information disclosure that cannot be used to make a direct attack

  • Missing security-related HTTP headers which do not lead directly to a vulnerability

Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

Contacting the team

  • Reports: You can communicate with the H1 team and the ASRC team directly under your H1 report.

  • Events & Info: ASRC holds events frequently. See: https://security.alibaba.com/online . You can also follow our Twitter for updates.

Thank you for helping keep Alibaba and our users safe!

In Scope

| Scope Type | Scope Name |
| ------------- | ------------- |
| web_application | *.1688.com |
| web_application | *.taobao.com |
| web_application | *.alibaba.com |
| web_application | *.alibaba-inc.com |
| web_application | *.alimama.com |
| web_application | *.aliyun.com |
| web_application | *.tmall.com |
| web_application | *.aliexpress.com |
| web_application | *.alibabacloud.com |
| web_application | *.aliyun-inc.com |
| web_application | www.alibabagroup.com |
| web_application | *.Daraz.com |
| web_application | *.aliexpress.ru |

This program, crawled on 2018-09-11, is sorted as bounty.

FireBounty © 2015-2024
