Alibaba looks forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe.
All the asset of Alibaba Group are in scope. The asset includes Websites, Network devices etc. The assets in the structured scope list is just a guidance for your test. The scope includes these but not limited to.
Please note that if a IP belongs to Alibaba Cloud external customer, it's not in scope.
This is a vulnerability disclosure program and therefore we will not be rewarding bounties on the HackerOne platform. However, If your report has been triaged and validated then you are able to submit a copy of your report to ASRC in order to receive a bounty. Our ASRC site also provides a hall of fame. Please add the prefix [h1-report_id] to the report title when report on ASRC, so that we will know it's from HackerOne. For example: [h1-40111111]Alibaba Reflected XSS on xxx.com.
In addition to the above rewards, Alibaba will be running a challenge coin promotion. All participating hackers who submit valid vulnerabilities from September 2018 - March 2019 will receive a limited production challenge coin — a metal medal of honor so to speak, design below.
Alibaba will make a best effort to meet the following response targets for
hackers participating in our program:
· Time to first response (from report submit) - 5 business days
· Time to triage (from report submit) - 10 business days
We’ll try to keep you informed about our progress throughout the process.
Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.
Follow HackerOne's disclosure guidelines.
NOTE: The targets will be production environment, please:
· Be cautious when performing any high-risk action. If your testing may affect the stability, usability, or integrity of the application(s), please provide a proof of Concept only, if we require you to go further we will give our express authorisation to do so.
· You're free to register your own test accounts, but please limit your testing to only accounts you control.
· Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.
· Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
· Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
· When duplicates occur, the HackerOne reputation awards process will be followed, for more information see reputation
· Multiple vulnerabilities caused by one underlying issue will be recognised as one vulnerability. under the one fix rule.
· Social engineering (e.g. phishing, vishing, smishing) is prohibited.
· Do not perform large scale scanning on the targets.
· Do not perform any kind of DoS or DDoS attacks.
· If you happen to find a critical issue, please do not leverage that vulnerability to go deeper (for instance, don't use SQLi or RCE to exfiltrate data, etc).
Researchers are free to create their own seller, buyer, etc., accounts on the in-scope applications. No credentials or privileged access will be provided by Alibaba, so accounts are limited to what users can create on their own.
· Large scale Users’ Sensitive Information Leakage
· Large scale Order details Leakage
· SQL Injection
· Remote Code Execution (RCE)
· XML External Entity Attacks (XXE)
· Access Control Issues
· Server-Side Request Forgery (SSRF)
· Cross-site Scripting (XSS)
· Cross-site Request Forgery (CSRF) in important functions
The following finding types are specifically excluded:
· Vulnerabilities affecting users of outdated browsers or platforms
· Flash-based XSS
· Email Spoof
· Session fixation
· Content Spoofing
· Missing cookie flags
· Best practices/issues
· Mixed content warnings
· Clickjacking/UI redressing
· Physical or social engineering attacks
· Reflected file download attacks (RFD)
· Carriage Return Line Feed injection (CRLF)
· Login/logout/unauthenticated/low-impact CSRF
· Unverified Results of automated tools or scanners
· No SPF/DMARC in non-email domains/subdomains
· Attacks requiring MITM or physical access to a user's device
· Issues related to networking protocols or industry standards
· Error information disclosure that cannot be used to make a direct attack
· Missing security-related HTTP headers which do not lead directly to a vulnerability
Contact us if you want more information.