Alibaba looks forward to working with the security community to find security
vulnerabilities in order to keep our businesses and customers safe.
All assets of Alibaba Group are in scope, including websites, network devices
and so on. The assets in the structured scope list are only guidance for your
testing; the scope includes these but is not limited to them.
Please note that if an IP belongs to an Alibaba Cloud external customer, it's not
Alibaba will make a best effort to meet the following response targets for
hackers participating in our program:
- Time to first response (from report submit) - 5 business days
- Time to triage (from report submit) - 10 business days
We’ll try to keep you informed about our progress throughout the process.
Please do not discuss this program or any vulnerabilities (even resolved ones)
outside of the program without express consent from the organization.
Follow HackerOne's disclosure guidelines.
NOTE: The targets are production environments, so please:
- Be cautious when performing any high-risk action. If your testing may affect the stability, usability, or integrity of the application(s), please provide a proof of concept only; if we require you to go further, we will give our express authorisation to do so.
- You're free to register your own test accounts, but please limit your testing to only accounts you control.
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.
- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
- When duplicates occur, the HackerOne reputation awards process will be followed; for more information, see HackerOne's reputation page.
- Multiple vulnerabilities caused by one underlying issue will be recognised as one vulnerability under the one-fix rule.
- Social engineering (e.g. phishing, vishing, smishing) is prohibited.
- Do not perform large scale scanning on the targets.
- Do not perform any kind of DoS or DDoS attacks.
- If you happen to find a critical issue, please do not leverage that vulnerability to go deeper (for instance, don't use SQLi or RCE to exfiltrate data, etc).
This is a vulnerability disclosure program and therefore we will not be
rewarding bounties. If your report has been triaged and validated, you can
submit a copy of your report to ASRC in order to receive a bounty. Our ASRC site
also provides a hall of fame. Please add the prefix [h1-report_id] to the report
title when reporting on ASRC, so that we know it is from HackerOne. For example:
[h1-40111111] Alibaba Reflected XSS on
Researchers are free to create their own seller, buyer, etc., accounts on the
in-scope applications. No credentials or privileged access will be provided by
Alibaba, so accounts are limited to what users can create on their own.
- Large-scale users' sensitive information leakage
- Large-scale order details leakage
- SQL Injection
- Remote Code Execution (RCE)
- XML External Entity Attacks (XXE)
- Access Control Issues
- Server-Side Request Forgery (SSRF)
- Cross-site Scripting (XSS)
- Cross-site Request Forgery (CSRF) in important functions
The following finding types are specifically excluded:
- Vulnerabilities affecting users of outdated browsers or platforms
- Flash-based XSS
- Email spoofing
- Session fixation
- Content Spoofing
- Missing cookie flags
- Best practices/issues
- Mixed content warnings
- Clickjacking/UI redressing
- Physical or social engineering attacks
- Reflected file download attacks (RFD)
- Carriage Return Line Feed injection (CRLF)
- Login/logout/unauthenticated/low-impact CSRF
- Unverified results of automated tools or scanners
- No SPF/DMARC in non-email domains/subdomains
- Attacks requiring MITM or physical access to a user's device
- Issues related to networking protocols or industry standards
- Error information disclosure that cannot be used to make a direct attack
- Missing security-related HTTP headers which do not lead directly to a vulnerability