New Relic is committed to the security of our customers and their data. We believe that engaging with security researchers through our coordinated disclosure program is an important means of achieving our security goals.
If you believe you have found a security vulnerability in one of our products or websites, we welcome and greatly appreciate you reporting it to New Relic. Please ensure that it is in scope for this program, paying close attention to the vulnerabilities explicitly listed below as out of scope.
If you are a customer and have a password or account issue, please contact New Relic support.
Getting started
============
To get the most out of our program, you should familiarize yourself with New Relic and our products. You can sign up for a free trial or developer account, install our agents within your servers or applications, and read over our extensive documentation.
You can also read our disclosed HackerOne reports or see examples of issues previously identified within our agents on our Security Bulletins page.
Reporting issues
==============
Please submit your security issue to New Relic via our coordinated disclosure program on HackerOne. Please provide as much detail as you can (URLs, etc.) and the steps to reproduce the issue. The more information you can provide, the easier it will be for us to reproduce and confirm the report. We commit to responding to your report as soon as possible!
Some New Relic assets are in scope for paid bounty rewards. The remainder are eligible for HackerOne reputation. Please refer to the assets list at the bottom of the page to see what is or is not eligible for a paid bounty reward.
Rewards are awarded based on the merit of reported vulnerabilities. Only the first verified report will be eligible for a reward.
Coordinated Disclosure Policy
========================
To encourage coordinated disclosure, New Relic does not intend to initiate any legal action or law enforcement investigation against security researchers as long as they adhere to the following guidelines:
Researchers will report details of a discovered security issue to New Relic without making any information or details of the vulnerability public.
Researchers will allow New Relic reasonable time to resolve the issue before publishing any information or details about the vulnerability or otherwise making such information generally known. New Relic will follow the HackerOne disclosure guidelines, which commit to open communication, providing an initial response to the researcher within 30 days, and providing a disclosure timeline to the researcher to be mutually agreed upon.
Researchers will provide as much detail as possible to New Relic via a secure means in order to help New Relic’s security team and engineers reproduce the issue. If the report is not detailed enough to reproduce the issue, it will not be eligible for a reward.
When duplicates occur, we award the first report that we can completely reproduce.
Multiple reports related to the same root cause will be awarded one bounty.
Paid bounty amounts below are the minimum we will pay per category. We aim to be fair; all reward amounts are at our discretion.
Only access or modify data that belongs to you. To test, please sign up for a free trial.
Researchers will make all reasonable attempts in good faith to avoid destroying, stealing, modifying, damaging, violating or otherwise jeopardizing the privacy of any New Relic customer or New Relic data. This includes disrupting or degrading New Relic’s products and service to its customers.
Be aware that information submitted in a report is made visible to other researchers who have been added as collaborators from duplicate reports.
When submitting a duplicate report, adding researchers as collaborators is at New Relic's discretion.
The following are expressly prohibited (and void reward eligibility):
=================================================
Physical attacks against New Relic employees, offices, and data centers.
Automated security testing against New Relic applications or servers; scanning tools such as nmap or Burp Suite are perfectly acceptable for research, but we do not want reports generated by automated tools (we already run them in-house).
Social engineering of New Relic employees, contractors, vendors, or service providers (e.g. phishing, vishing, smishing, et al.).
Pursuing vulnerabilities which send unsolicited bulk messages (spam).
Pursuing vulnerabilities through the compromise of a New Relic customer or employee account (e.g. do not attempt to gain access to another user’s account or data).
Knowingly posting, transmitting, uploading, linking to, or sending any malware to New Relic or its employees.
Mass account creation for testing against New Relic applications and services.
"Brute force" testing to determine whether rate limiting is in place for particular APIs or pieces of functionality.
Disclosing information to the public before the issue has been resolved.
All vulnerabilities are rated according to New Relic's internal vulnerability remediation process. This process takes into account the likelihood of the issue being discovered and the impact to New Relic and our customers if it were exploited.
Below are some examples of vulnerabilities we're interested in seeing, and common severity ratings for those issues. Note that the final severity rating may be higher or lower than what is listed here.
Critical severity bugs:
Remote code execution (RCE) on New Relic backend services
RCE on hosts via installed New Relic agents
RCE on host via Synthetics minion container escape
High severity bugs:
Authentication bypass
Access to sensitive data (e.g. Insights, Synthetics) from other New Relic accounts
SQL injection with demonstrated security impact
Stored cross-site scripting (XSS) that is likely to affect other users (except for frame-rpm.newrelic.com)
Flaws that could be used to exploit 3rd-party integration services
Unauthorized configuration changes to installed New Relic agents
Access to privileged functionality or data on the Docker host or internal network via Node sandbox escape to the Synthetics minion container
Takeover of newrelic.com subdomains with arbitrary HTML and JavaScript
Medium severity bugs:
Cross-site scripting (XSS) (except for frame-rpm.newrelic.com)
Cross-site request forgery (CSRF/XSRF) of a non-idempotent (AKA state-changing) request
Clickjacking on authenticated pages with sensitive state changes
Default New Relic agents collecting and sending undocumented confidential data to New Relic
Confidential data disclosure with security impact
Low severity bugs:
Mixed content scripts (scripts loaded over HTTP on an HTTPS page)
Information disclosure with security impact
Enumeration of data (Other than account or user ID)
Host header spoofing
Security issues resulting from New Relic agent configuration
Authorization flaws/Access Control Bypasses (e.g. a Standard user accessing secure credentials)
Out of scope issues (not eligible for a reward):
Open redirect to localhost
Open redirect without security impact
CSRF/XSRF on unauthenticated pages (Login Page) or logout
Lack of rate limiting on a particular API or other 'load testing' types of issues
Non-sensitive (i.e. non-session) cookies missing the Secure or HttpOnly flags
Denial-of-service vulnerabilities
Stack traces
Application or server error messages
Use of out-of-date 3rd-party libraries without proof of exploitability
Vulnerabilities in 3rd-party scripts used on New Relic websites
Leaking information via the Referer header
Missing X-Frame-Options, Content-Security-Policy, Strict-Transport-Security, X-Content-Type-Options, or X-XSS-Protection HTTP headers
SPF, DMARC or other email configuration related issues
Password or account recovery policies, such as reset link expiration or password complexity
HTTP 404 codes/pages or other HTTP non-200 codes/pages
Version number/banner disclosure on public facing websites
Disclosure of known public files or directories, (e.g. robots.txt)
Lack of DNSSEC
SSL configuration issues (cipher suites, SHA-1 certificates, BEAST/CRIME, lack of PFS)
HTTP TRACE or OPTIONS methods enabled
Clickjacking on pages without authentication and/or sensitive state changes
Vulnerabilities only affecting end of life browsers or platforms
Self-XSS and issues exploitable only through Self-XSS
Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality
Content spoofing/text injection
Information disclosure via /status or /metrics URLs without security impact
Bugs requiring exceedingly unlikely user interaction
Exploits that require physical access to a user's machine
Vulnerabilities resulting from Synthetics private minions that have out-of-date or vulnerable packages
Reports concerning agents with outdated packages with security vulnerabilities should be accompanied by an example showing how they'd be leveraged within the agent
Attacks requiring a Man-in-the-Middle, with no other possible exploitation
WordPress username enumeration
Confirmation that an account exists for a specific email address
Issues concerning the original user model (including access control bypasses for Restricted users)
Access control bypasses for Basic users in the New Relic One user model for features limited to Full users; Basic users can become Full users at any time, therefore this isn't considered a security barrier
Node sandbox escape to the Synthetics minion container (barring privileged access, see High above)
Unregistered domains or social media accounts linked from our landing pages
API keys for inactive or test accounts created by employees (i.e. API keys where there is no security impact from their disclosure) will be accepted, triaged, and resolved, but no bounty will be paid
Wait at least 10 minutes after logging out or changing passwords before reporting session fixation/termination issues
Wait at least an hour after clicking email verification links before reporting issues
Agent vulnerabilities stemming from insecure relative paths on a host system
XSS issues concerning frame-rpm.newrelic.com
Customer feedback submission forms (feedback.service.newrelic.com)
Thank you for helping keep New Relic and our users secure!
Scope Type | Scope Name |
---|---|
android_application | com.newrelic.rpm |
android_application | Android agent |
application | Infrastructure agents |
application | Go agent |
application | Node.js agent |
application | Ruby agent |
application | Unity agent |
application | PHP agent |
application | .NET agent |
application | .NET Core agent |
application | Java agent |
application | Python agent |
application | Browser agent |
ios_application | com.newrelic.NRApp |
ios_application | iOS agent |
other | Synthetics minions (public and private) |
other | Agent traffic |
web_application | *.infrastructure.newrelic.com |
web_application | blog.newrelic.com |
web_application | docs.newrelic.com |
web_application | support.newrelic.com |
web_application | developer.newrelic.com |
web_application | rpm.eu.newrelic.com/accounts/*/browser |
web_application | *.eu.newrelic.com |
web_application | alerts.eu.newrelic.com |
web_application | rpm.eu.newrelic.com/accounts/*/mobile |
web_application | synthetics.eu.newrelic.com |
web_application | infrastructure.eu.newrelic.com |
web_application | insights.eu.newrelic.com |
web_application | learn.newrelic.com |
web_application | *.blog.newrelic.com |
web_application | *.infrastructure-data.newrelic.com |
web_application | infrastructure.newrelic.com |
web_application | insights.newrelic.com |
web_application | rpm.newrelic.com |
web_application | discuss.newrelic.com |
web_application | one.newrelic.com |
web_application | login.newrelic.com |
web_application | alerts.newrelic.com |
web_application | *.newrelic.com |
web_application | synthetics.newrelic.com |
web_application | rpm.newrelic.com/accounts/*/mobile |
web_application | rpm.newrelic.com/accounts/*/browser |
web_application | *.nr-data.net |
web_application | *.nr-ops.net |
Scope Type | Scope Name |
---|---|
web_application | newrelic.zendesk.com |
web_application | status.newrelic.com |
web_application | ir.newrelic.com |
web_application | try.newrelic.com |
web_application | t.newrelic.com |
The program has been crawled by Firebounty on 2018-04-23 and updated on 2020-02-12; 264 reports have been received so far.