08/10/2018

Reward

50 € 

Dailymotion public bug bounty

Rules

DAILYMOTION’S VULNERABILITY RESPONSIBLE DISCLOSURE POLICY

Capitalized terms used in this vulnerability disclosure policy (“Policy”) and not otherwise defined have the meaning ascribed to such terms in our Terms of Use.

Security is one of Dailymotion’s core values. We highly value the time and effort invested in good faith by security researchers in helping us build a more secure platform for our partners and users. As such, we encourage the responsible disclosure of vulnerabilities related to Dailymotion’s products, websites and APIs. This Policy sets out the rules under which we expect the research and reporting of vulnerabilities to be conducted, as well as what you can expect from us in return.

If you are a security researcher and have discovered a security vulnerability in the Services, we appreciate your help in disclosing it to us in a responsible manner.

1. Program Purpose

Maintaining top-notch security online is a community effort and a high priority for Dailymotion. We're lucky to have a vibrant group of independent security researchers who volunteer their time to help us spot potential issues. However, no matter how much effort we put into our security maintenance, vulnerabilities can still be present. To recognize the efforts of independent security researchers and the important role they play in keeping Dailymotion safe for everyone, we offer a bounty for reporting certain qualifying security vulnerabilities (the "Bug Bounty Program" or "Program"). Please review the following Program rules before you report a vulnerability. By participating in this Program, you agree to be bound by these rules.

2. Rewards

Dailymotion may provide rewards to eligible reporters of qualifying vulnerabilities (see sections 5 and 6 below).

Reward amounts may vary depending upon the severity of the vulnerability reported and based on the CVSS environmental score (Dailymotion will rate the base, temporal and environmental CVSS metrics). Dailymotion will determine in its sole discretion whether a reward should be granted and the amount of the reward. Our minimum reward is 50 Euros.

This is not a contest or competition. Rewards may be provided on an ongoing basis so long as this program is active.

For reference, the following table outlines the scoring scale and bounty value for vulnerabilities affecting in-scope components (see section 3 below):

Rating | CVSS score | Bounty
---|---|---
None | 0.0 | No bounty
Low | 0.1 - 3.9 | 50 €
Medium | 4.0 - 6.9 | 70 - 150 €
High | 7.0 - 8.9 | 300 - 700 €
Critical | 9.0 - 10.0 | 700 - 1500 €

3. Scope

The sites and applications hosted under one of the following domains are within the scope for this Program:

  • *.dailymotion.com
  • *.api.dailymotion.com
  • developer.dailymotion.com
  • *.dmcdn.net
  • our official Dailymotion applications on the Google Play Store, Apple App Store, PlayStation and Microsoft Store.
  • AS41690

Vulnerabilities reported on other services or applications owned by Dailymotion are currently not eligible for monetary reward and will be handled as a responsible disclosure. As they come into scope, they will be added to this section.

IMPORTANT NOTE

We have several levels of privileges on the product: unauthenticated user, authenticated user, partner, and partner with a verification badge. We invite you to explore the attack surface specific to each of these profiles, as they are all in scope.

  • Partner accounts are only granted to users after they have accepted the terms of our Dailymotion Partner Program Agreement.
  • If you want to test the features exposed only to partners with a verification badge, please file a request at security@dailymotion.com so as to be provided with a verification badge for a previously created partner account. For practical reasons, Dailymotion reserves the right to evaluate and deny such requests on a case-by-case basis; typically, we will only consider requests from hunters who have previously reported at least one qualifying vulnerability with a CVSS score of 3 or higher.

4. Eligibility for Bounty

We are very thankful to everyone who submits valid reports which help us improve the security of Dailymotion. However, only those that meet the following eligibility criteria may receive a monetary reward under the Bug Bounty Program:

  • You must be the first reporter of a valid vulnerability (any duplicate reports will not be rewarded);
  • The vulnerability must be a qualifying vulnerability (see sections 5 and 6 below) associated with a site or application in Scope;
  • You must send a clear textual description of the report along with steps to reproduce the issue; please include attachments such as screenshots or proof-of-concept code as necessary;
  • You must not be a former or current employee of Dailymotion or one of its contractors;
  • The submission must be received after the launch of this Policy (the date of which is stipulated at the bottom).

We intend to respond and resolve reported issues as quickly as possible. Depending on our workload and the severity of the issue you can expect an update from us within 96 hours of the report's initial submission date.

Note that posting details or conversations about the report, or posting details that reflect negatively on the Program or the Dailymotion brand, will result in immediate disqualification from ongoing and upcoming reward programs.

You must comply with all applicable laws in connection with your participation in this program. You are also responsible for any applicable taxes associated with any reward you receive.

Dailymotion reserves the right to modify the terms of this Program or terminate this Program at any time.

5. Qualifying Vulnerabilities

Any design or implementation issue that is reproducible and substantially affects the security of Dailymotion users is likely to qualify as a vulnerability for the Program. Common examples include:

  • Remote Code Execution (RCE)
  • SQL injections
  • OS Command Injections
  • XML eXternal Entities injection (XXE)
  • Server-Side Request Forgery (SSRF)
  • Insecure direct object reference
  • Insecure object deserialization
  • Authentication bypass
  • Unprotected APIs
  • Application logic flaws that can be leveraged with an impact on our security, or our users'
  • Open redirects
  • CSRF
  • XSS with demonstrable business impact (see Note below)

Note:
We will tend to rate user session-related XSS and CSRF vulnerabilities, whether stored or reflected, with a low impact in the environmental score. The (very) significant majority of our users are unauthenticated, so the chances of successfully exploiting such vulnerabilities are correspondingly reduced. Typically, a reflected XSS vulnerability on our main domain that enables the theft of user cookies on www. or *.dailymotion.com will be scored with CVSS 3.3. Please note that, if you are able to demonstrate an ability to exploit these vulnerabilities in creative ways, possibly combined with other vulnerabilities found by yourself, so as to demonstrably increase the business impact, we will consider this final impact when evaluating the severity. In the event that we choose not to reward a technical vulnerability with no demonstrable business impact (for example an XSS on a domain that does not host an actual website or hold valuable cookies), we reserve the right to fix the technical vulnerability in order to avoid further submissions of the same issue by other researchers.

6. Non-Qualifying Vulnerabilities

The following issues are outside the scope of our Bug Bounty Program (either ineligible or false positives):

  • Attacks requiring physical access to a user's device
  • Information disclosure
  • Password and account recovery policies, such as reset link expiration or password complexity
  • Missing security headers which do not directly lead to a vulnerability
  • HttpOnly and Secure cookie flags
  • HTTPS configuration deviations from "state of the art" (such as HSTS settings, Secure flag for cookies, "weak" TLS ciphers, etc.)
  • Clickjacking on static websites
  • XSS attacks via POST requests or self-XSS (unless you provide a PoC that shows impact on other Dailymotion customers)
  • XSS or XSRF that requires header injection
  • Content spoofing / text injection
  • Denial of service attacks
  • Absence of rate-limiting
  • Use of a known-vulnerable library without evidence of exploitability
  • Issues related to software or protocols not under Dailymotion control
  • Reports from automated tools or scans
  • Reports of spam
  • Vulnerabilities affecting users of outdated or unpatched browsers and platforms
  • Social engineering of Dailymotion (current or past) staff or contractors
  • Any physical attempts against Dailymotion's property or data centers
  • Concerns related to email domain authentication
  • Un-reproducible issues
  • Logout CSRF and CSRF on non-authenticated actions
  • User enumeration

7. Ground Rules

In order to avoid any confusion between good-faith security research and fraudulent or malicious behaviors, we ask you to comply with the following rules when looking for, testing and reporting vulnerabilities:

  • Take all reasonable measures to only interact with test accounts you have created on the platform;
  • Do not use physical attacks against our security, social engineering, distributed denial of service, spam, or attacks through third-party applications;
  • If you manage to gain unauthorized access to any data or systems, limit the data or privileges you access to the minimum required to effectively demonstrate a proof of concept. Also, cease testing and submit a report immediately if you encounter any personally identifiable information or proprietary information during testing. When in doubt, we will rate the vulnerability severity based on the worst-case scenario;
  • Avoid violating the privacy of others, disrupting our systems, destroying data, or harming user experience;
  • Report any vulnerability you’ve discovered promptly (i.e. within days, not weeks). Do not take advantage of the vulnerability or problem;
  • Only use the specified communication channels listed below to discuss or report vulnerability information to us and provide sufficient information so we will be able to resolve the vulnerability as quickly as possible (see Section 8 below for further information);
  • Do not disclose vulnerabilities you've discovered publicly or to any third party until we have formally authorized you to do so in writing;
  • Obviously do not engage in any fraudulent exploitation of the vulnerability, in any form, with us, our partners or our users.

8. Communication Channels

If you would like to report a security issue, you may do so using any of the following channels:

If you think you’ve found a vulnerability, please do not publicly disclose these details outside of this process without explicit permission. Please include the following details with your report and be as descriptive as possible:

  • Vulnerability Location & Type - The exact location (vulnerable URLs and parameters) and the nature of the vulnerability;
  • Steps to Reproduce - A detailed description of the steps required to reproduce the vulnerability (screenshots, compressed screen recordings, and proof-of-concept scripts are all helpful); and
  • Attack Scenario - A relevant example attack scenario explaining the prerequisites to the attack, and its exact impact in a realistic context.

9. Expectations

When working with us according to this Policy, you can expect us to:

  • Work with you to understand and evaluate your report, including an initial response to the report within 96 hours of the report's submission;
  • Work to remedy discovered vulnerabilities in a timely manner;
  • Consider your submission in the context of the Bug Bounty Program, irrespective of whether you initially reported the issue through the Bug Bounty Program's platform.
  • If interested in the Bug Bounty Program, please make sure that you have read and understood the scope of vulnerabilities which qualify for our reward program prior to submitting a report.
  • Please note that our Bug Bounty Program may not be able to issue rewards to individuals who are located in countries where we are prohibited by law from making payments, such as countries on the EU or US sanctions lists.
  • Handle your report with confidentiality and respect written requests for anonymity.
  • Please note that if your submission is eligible for our reward program, the payment process will require you to disclose your identity to our Bug Bounty Program's payment partner, for legal reasons.

10. Legal Matters

When conducting vulnerability research in good faith and in accordance with the terms specified in this Policy, we consider this research to be:

  • Lawful and in accordance with applicable state laws relating to computer fraud. We will not bring any claim against you for circumvention of technology controls;
  • Exempt from restrictions in our Terms of Use only to the extent that they would interfere with conducting security research.

We won’t take legal action against, suspend, or terminate access to the Service for those who discover and report security vulnerabilities responsibly. Dailymotion reserves all of its legal rights in the event of any noncompliance.

If at any time you have concerns or are uncertain whether your security research is consistent with this Policy, please submit a report through one of the communication channels mentioned above (see Section 8) before going any further.

Last updated: October 22, 2018

FireBounty (c) 2015-2018