DAILYMOTION’S VULNERABILITY RESPONSIBLE DISCLOSURE POLICY
Capitalized terms used in this vulnerability disclosure policy (“Policy”) and
not otherwise defined have the meaning ascribed to such terms in our Terms of
Security is one of Dailymotion’s core values. We highly value the time and
effort invested in good faith by security researchers in helping us build a
more secure platform for our partners and users. As such, we encourage the
responsible disclosure of vulnerabilities related to Dailymotion’s products,
websites and APIs. This Policy sets out the rules under which we expect the
research and reporting of vulnerabilities to be conducted, as well as what you
can expect from us in return.
If you are a security researcher and have discovered a security vulnerability
in the Services, we appreciate your help in disclosing it to us in a
If you would like to report a security issue, you may do so using any of the
1. Program Purpose
Maintaining top-notch security online is a community effort and a high
priority for Dailymotion. We're lucky to have a vibrant group of independent
security researchers who volunteer their time to help us spot potential
issues. However, no matter how much effort we put into our security
maintenance, vulnerabilities can still be present. To recognize the efforts of
independent security researchers and the important role they play in keeping
Dailymotion safe for everyone, we offer a bounty for reporting certain
qualifying security vulnerabilities (the "Bug Bounty Program" or "Program").
Please review the following Program rules before you report a vulnerability.
By participating in this Program, you agree to be bound by these rules.
Dailymotion may provide rewards to eligible reporters of qualifying
vulnerabilities (see section 5 and 6 below).
Reward amounts may vary depending upon the severity of the vulnerability
reported and based on the CVSS environmental score (Dailymotion will rate the
base, temporal and environmental CVSS metrics). Dailymotion will determine in
its sole discretion whether a reward should be granted and the amount of the
reward. Our minimum reward is 50 Euros.
This is not a contest or competition. Rewards may be provided on an ongoing
basis so long as this program is active.
For reference, the following table outlines the scoring scale and bounty value
for vulnerabilities affecting in-scope components (see section 3 below):
Rating | CVSS score | Bounty
None | 0.0 | No bounty
Low | 0.1 - 3.9 | 50 €
Medium | 4.0 - 6.9 | 70 - 150 €
High | 7.0 - 8.9 | 300 - 700 €
Critical | 9.0 - 10.0 | 700 - 1500 €
3. Scope
The sites and applications hosted under one of the following domains are
within the scope for this Program:
- our official Dailymotion applications on the Google play store, Apple app store, PlayStation and Microsoft store.
Vulnerabilities reported on other services or applications owned by
Dailymotion are currently not eligible for monetary reward and will be handled
as a responsible disclosure. As they come into scope, they will be added to
We have several levels of privileges on the product: unauthenticated user,
authenticated user, partner, and partner with a verification badge. We invite
you to explore the attack surface specific to each of these profiles, as they
are all in scope.
- Partner accounts are only granted to users after they have accepted the terms of our Dailymotion Partner Program Agreement.
- If you want to test the features exposed only to partners with a verification badge, please file a request on firstname.lastname@example.org so as to be provided with a verification badge for a previously-created partner account. For practical reasons, Dailymotion reserves the right to evaluate and deny such requests on a case by case basis; typically, we will only consider requests from hunters who have previously reported at least one qualifying vulnerability with a CVSS score of 1 or higher.
4. Eligibility for Bounty
We are very thankful to everyone who submits valid reports which help us
improve the security of Dailymotion. However, only those that meet the
following eligibility criteria may receive a monetary reward under the Bug
- You must be the first reporter of a valid vulnerability (any duplicate reports will not be rewarded);
- The vulnerability must be a qualifying vulnerability (see sections 5 and 6 below) associated with a site or application in Scope;
- You must send a clear textual description of the report along with steps to reproduce the issue; please include attachments such as screenshots or proof-of-concept code as necessary;
- You must not be a former or current employee of Dailymotion or one of its contractors;
- The submission must be received after the launch of this Policy (the date of which is stipulated at the bottom).
We intend to respond to and resolve reported issues as quickly as possible.
Depending on our workload and the severity of the issue, you can expect an
update from us within 96 hours of the report's initial submission date.
Note that posting details of or conversations about the report, or posting
details that reflect negatively on the Program or the Dailymotion brand, will
result in immediate disqualification from ongoing and upcoming reward programs.
You must comply with all applicable laws in connection with your participation
in this program. You are also responsible for any applicable taxes associated
with any reward you receive.
Dailymotion reserves the right to modify the terms of this Program or
terminate this Program at any time.
5. Qualifying Vulnerabilities
Any design or implementation issue that is reproducible and substantially
affects the security of Dailymotion users is likely to qualify as a
vulnerability for the Program. Common examples include:
- Remote Code Execution (RCE)
- SQL injections
- OS Command Injections
- XML eXternal Entities injection (XXE)
- Server Side Request Forgery
- Insecure direct object reference
- Insecure object deserialization
- Authentication bypass
- Unprotected APIs
- Application logic flaws that can be leveraged with an impact on our security, or our users'
- Open redirects
- XSS and CSRF (please note that, unless otherwise demonstrated, we will tend to score user-session-related vulnerabilities with a low impact in the environmental score)
6. Non-Qualifying Vulnerabilities
The following issues are outside the scope of our Bug Bounty Program (either
ineligible or false positives):
- Attacks requiring physical access to a user's device
- Information disclosure
- Password and account recovery policies, such as reset link expiration or password complexity
- Missing security headers which do not directly lead to a vulnerability
- HttpOnly and Secure cookie flags
- HTTPS configuration deviations from "state of the art" (such as HSTS settings, the Secure flag for cookies, "weak" TLS ciphers, etc.)
- Clickjacking on static websites
- XSS attacks via POST requests or self-XSS (unless you provide a PoC that shows impact on other Dailymotion customers)
- Content spoofing / text injection
- Denial of service attacks
- Absence of rate-limiting
- Use of a known-vulnerable library without evidence of exploitability
- Issues related to software or protocols not under Dailymotion control
- Reports from automated tools or scans
- Reports of spam
- Vulnerabilities affecting users of outdated or unpatched browsers and platforms
- Social engineering of Dailymotion (current or past) staff or contractors
- Any physical attempts against Dailymotion's property or data centers
- Concerns related to email domain authentication
- Un-reproducible issues
- Logout CSRF and CSRF on non-authenticated actions
- User enumeration
7. Ground Rules
In order to avoid any confusion between good-faith security research and
fraudulent or malicious behaviors, we ask you to comply with the following
rules when looking for, testing and reporting vulnerabilities:
- Take all reasonable measures to only interact with test accounts you have created on the platform;
- Do not use physical attacks against our security, social engineering, distributed denial of service, spam, or third-party applications;
- If you manage to gain unauthorized access to any data or systems, limit the amount of data or privileges you gain access to, to the minimum required for effectively demonstrating a proof of concept. Also, cease testing and submit a report immediately if you encounter any personally identifiable information or proprietary information during testing. When in doubt, we will rate the vulnerability severity based on the worst-case scenario.
- Avoid violating the privacy of others, disrupting our systems, destroying data, or harming user experience;
- Report any vulnerability you’ve discovered promptly (i.e. within days, not weeks). Do not take advantage of the vulnerability or problem;
- Only use the specified communication channels listed below to discuss or report vulnerability information to us and provide sufficient information so we will be able to resolve the vulnerability as quickly as possible (see Section 8 below for further information);
- Do not disclose vulnerabilities you've discovered publicly or to any third party until we have formally authorized you to do so in writing;
- Do not engage in any fraudulent exploitation of the vulnerability, in any form, against us, our partners or our users.
8. Communication Channels
If you would like to report a security issue, you may do so using any of the
If you think you’ve found a vulnerability, please do not publicly disclose
these details outside of this process without explicit permission. Please
include the following details with your report and be as descriptive as
- The exact location (vulnerable URLs and parameters) and nature of the vulnerability.
- A detailed description of the steps required to reproduce the vulnerability (screenshots, compressed screen recordings, and proof-of-concept scripts are all helpful).
- A relevant attack scenario explaining the prerequisites to the attack, and its exact impact in a realistic context.
When working with us according to this Policy, you can expect us to:
- Work with you to understand and evaluate your report, including an initial response to the report within 96 hours of the report's submission;
- Work to remedy discovered vulnerabilities in a timely manner;
- Consider your submission in the context of the Bug Bounty Program, irrespective of whether you initially reported the issue through the Bug Bounty Program's platform.
- If interested in the Bug Bounty Program, please make sure that you have read and understood the scope of vulnerabilities which qualify for our reward program prior to submitting a report.
- Please note that our Bug Bounty Program may not be able to issue rewards to individuals who are located in countries where we are prohibited by law from making payments, such as countries on the EU or US sanctions lists.
- Handle your report with confidentiality and respect written requests for anonymity.
- Please note that if your submission is eligible for our reward program, the payment process will require you to disclose your identity to our Bug Bounty Program's payment partner, for legal reasons.
10. Legal Matters
When conducting vulnerability research in accordance with the terms specified
in this Policy, we consider this research to be:
- Lawful and in accordance with applicable state laws relating to computer fraud. We will not bring any claim against you for circumvention of technology controls;
We won’t take legal action against, suspend, or terminate access to the
Service of those who discover and report security vulnerabilities responsibly.
Dailymotion reserves all of its legal rights in the event of any
If at any time you have concerns or are uncertain whether your security
research is consistent with this Policy, please submit a report through one of
our above mentioned communication channels (in Section 8) before going any
Last updated: October 8, 2018