Dell Technologies ("Dell") recognizes the value of the security community to create a more secure world and welcomes the opportunity to collaborate with community members who share this common goal.
This coordinated vulnerability disclosure program (VDP) is limited to security vulnerabilities identified within Dell's public online footprint. Please carefully review the inclusions and exclusions detailed in the sections below.
Note: Dell products are excluded from this program. All vulnerabilities affecting Dell, Dell EMC and RSA products should be reported via email to the Dell Product Security Incident Response Team (Dell PSIRT) firstname.lastname@example.org. See here for more information.
This program awards points for valid in-scope submissions. This program does not provide monetary rewards.
For the initial prioritization/rating of findings, this program will use theBugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher. Please see below for any exceptions from the standard VRT.
For submissions regarding GitHub Credentials. It is beneficial to include the sensitive information in your finding along with the link to help speed up the validation process.
This program only awards points for VRT based submissions.
Target name | Type
*.delltechnologies.com/* | Website
*.dell.com/* | Website
*.dellemc.com/* | Website
*.emc.com/* | Website
*.rsa.com/* | Website
*.boomi.com/* | Website
<https://www.rsaconference.com/> | Website
Dell EMC E-Lab Navigator (Android) | Android
Dell EMC E-Lab Navigator (iOS) | iOS
RSA Conference Mobile Application (iOS) - see below for details | iOS
RSA Conference Mobile Application (Android) - see below for details |
secureworks.com/* | Website
Target name | Type
Sites, applications, services and products that are not explicitly identified
as “in scope” | Website
Sites not owned by, maintained by, or under the control of Dell | Website
Dell, Dell EMC and RSA products | Other
Testing is only authorized on the targets listed as In-Scope. Any domain/property of Dell not listed in the targets section is out of scope. This includes any/all subdomains not listed above. If you believe you've identified a vulnerability on a system outside the scope, please send the report to email@example.com.
All URLs listed in the
In scope Targets section above are publicly
accessible web applications. Researchers are invited to test all aspects of
these applications. Please note: no credentials will be provided for testing.
We are looking for any vulnerability that could negatively affect the security of our company and our customers. The main categories of vulnerabilities that we look for are the following:
Business Logic Vulnerabilities
_This program follows theBugcrowd Vulnerability Rating Taxonomy with some additional submission types we consider to be excluded below. Dell will not reward points for the following (including but not limited to) submission types: _
Open ports without an accompanying proof-of-concept (POC) demonstrating a vulnerability
Vulnerabilities only affecting users of outdated or unpatched browsers
Phishing and social engineering reports
Public disclosures made without Dell's permission will make the reporter ineligible for future participation in this or other disclosure or Bug Bounty programs offered by Dell.
Dell will not negotiate in response to duress or threats (e.g., we will not negotiate rewards under threat of withholding the vulnerability or threat of releasing the vulnerability or any exposed data to the public).
Use your own account for testing purposes. Do not attempt to gain access to another user’s accounts or compromise any user or Dell confidential information.
Testing must not violate any applicable laws or regulations or disrupt or compromise any data that is not your own. If you inadvertently cause a violation or disruption (such as accessing the data of other users, service configurations, or other confidential information) while testing, please report the incident immediately to firstname.lastname@example.org.
Dell will not publicly disclose the identity of any reporter without consent, except where required by law.
Please check domain records to confirm Dell ownership; avoid testing of assets not owned and controlled by Dell.
Automated vulnerability scanning tools are strictly prohibited.
Denial of Service (DoS) and Distributed Denial of Service (DDoS) based attacks are strictly prohibited.
Dell reserves the right to change or modify the terms of this program at any time. Please check for any updates to this program before making a new submission.
You are not eligible to participate in this program if you are:
Note: If you find a vulnerability that is not in the scope of this program, please send the report email@example.com.
This program follows Bugcrowd’s standard disclosure terms.
Contact us if you want more information.