|Scope Type||Scope Name|
Alibaba looks forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe.
All the asset of Alibaba Group are in scope. The asset includes Websites, iOS apps, Android apps, Network devices etc. The assets in the structured scope list is just a guidance for your test. The scope includes these but not limited to.
Please note that if a IP belongs to Alibaba Cloud external customer, it's not
If an IP's description contains 'Alicloud' or 'Aliyun' in the search result here: http://wq.apnic.net/static/search.html __, there is a chance this IP is belong to our external Alibaba Cloud external customer, which is not in scope. But please note that this is only a reference, not a basis. If you are not sure and the impact is high, you can submit it, and we will look into your report ASAP.
For LAZADA group, only
and related iOS/Android apps of Lazada are in scope, others such as "help.lazada.sg" and "member.lazada.cn" are not.
Open redirection in track.uc.cn and track.ucweb.com are not in scope.
HTML injection in all our domains are not in scope.
or patterns like above URLs,
will consider as only ONE valid report because of the same back-end service. Also, vulnerabilities on different params of the same URL is consider as ONE valid report.
This is a vulnerability disclosure program and therefore we will not be rewarding bounties on the HackerOne platform. However, If your report has been triaged and validated then you are able to submit a copy of your report to ASRC in order to receive a bounty. Our ASRC site also provides a hall of fame. Please add the prefix [h1-report_id] to the report title when report on ASRC, so that we will know it's from HackerOne. For example: [h1-40111111]Alibaba Reflected XSS on xxx.com.
To have a better communication with everyone, ASRC runs a security-themed
meetup once a month in this year in Singapore, named 'Alibaba Security Meetup
Hacker Community Event'.
Alibaba Security Meetup is a security event jointly hosted by Lazada and ASRC. The event will be held once a month at the Lazada visitor center.The goal of these meet-ups is to build a strong 'Security community' at the South East Asia.
You are welcomed to come to any event if you are interested and have time. The most recent event will be hold on Wednesday, May 29th in Singapore. Here is the link for our event: https://www.meetup.com/A-CON-Meetup/events/261346398/ __.
If you have any questions, please feel free to contact us. Thanks
Alibaba will make a best effort to meet the following response targets for
hackers participating in our program:
· Time to first response (from report submit) - 5 business days
· Time to triage (from report submit) - 10 business days
We’ll try to keep you informed about our progress throughout the process.
Please do not discuss any vulnerabilities (even resolved ones) outside of the program. Alibaba does not currently support public disclosure at this moment in time.
Follow HackerOne's disclosure guidelines.
NOTE: The targets will be production environment, please:
· Be cautious when performing any high-risk action. If your testing may affect the stability, usability, or integrity of the application(s), please provide a proof of Concept only, if we require you to go further we will give our express authorisation to do so.
· You're free to register your own test accounts, but please limit your testing to only accounts you control.
· Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.
· Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
· Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
· When duplicates occur, the HackerOne reputation awards process will be followed, for more information see reputation
· Multiple vulnerabilities caused by one underlying issue will be recognised as one vulnerability. under the one fix rule.
· Social engineering (e.g. phishing, vishing, smishing) is prohibited.
· Do not perform large scale scanning on the targets.
· Do not perform any kind of DoS or DDoS attacks.
· If you happen to find a critical issue, please do not leverage that vulnerability to go deeper (for instance, don't use SQLi or RCE to exfiltrate data, etc).
Researchers are free to create their own seller, buyer, etc., accounts on the in-scope applications. No credentials or privileged access will be provided by Alibaba, so accounts are limited to what users can create on their own.
· Large scale Users’ Sensitive Information Leakage
· Large scale Order details Leakage
· SQL Injection
· Remote Code Execution (RCE)
· XML External Entity Attacks (XXE)
· Access Control Issues
· Server-Side Request Forgery (SSRF)
· Cross-site Scripting (XSS)
· Cross-site Request Forgery (CSRF) in important functions
The following finding types are specifically excluded:
· Vulnerabilities affecting users of outdated browsers or platforms
· Flash-based XSS
· Email Spoof
· Session fixation
· Content Spoofing
· Missing cookie flags
· Best practices/issues
· HTML content injection
· Mixed content warnings
· Clickjacking/UI redressing
· Physical or social engineering attacks
· Reflected file download attacks (RFD)
· Carriage Return Line Feed injection (CRLF)
· Login/logout/unauthenticated/low-impact CSRF
· Unverified Results of automated tools or scanners
· No SPF/DMARC in non-email domains/subdomains
· Attacks requiring MITM or physical access to a user's device
· Issues related to networking protocols or industry standards
· Error information disclosure that cannot be used to make a direct attack
· Missing security-related HTTP headers which do not lead directly to a vulnerability