
Razer US

Policy
Razer looks forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe. Razer will make a best effort to respond to incoming reports within 3 business days and, once a report has been validated as a legitimate security issue, to make a determination within 10 business days. We will try to keep you informed about our progress throughout the process.

Eligibility & Disclosure Policy
* Let us know as soon as possible upon discovery of a potential security issue, and we will make every effort to resolve the issue quickly.
* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or to a third party.
* Follow HackerOne's disclosure guidelines.
* Provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible.
* Submit one vulnerability per report, unless you need to chain vulnerabilities to demonstrate impact.
* When duplicates occur, we only recognize the first report that was received (provided that it can be fully reproduced).

Program Rules
* Social engineering (e.g. phishing, vishing, smishing) is prohibited.
* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.

Scope
For now, only the following properties are in scope. We are starting small and will scale up over time.

Razer homepage and store:

* www.razerzone.com
* www2.razerzone.com
* store.razerzone.com

Cortex platform:

* deals.razerzone.com

Authentication platform:

* ec.razerzone.com
* oauth2.razerzone.com
* razer-id.razerzone.com

zVault platform:

* zvault.razerzone.com
* akmedia.zvault.razerzone.com
* bill.zvault.razerzone.com
* ep.zvault.razerzone.com
* gw.zvault.razerzone.com
* media.zvault.razerzone.com
* tp.zvault.razerzone.com
* wa.zvault.razerzone.com
* zd.zvault.razerzone.com
* merchant.zvault.razerzone.com
* pay.zvault.razerzone.com

Content servers:

* dl.razerzone.com
* downloads.razerzone.com

Mobile servers:

* themes.razerzone.com
* mobileservices.razerzone.com

Software

* Synapse client
* Cortex client
* Razer Central client

Out-of-Scope
Anything that is not listed in the scope policy above is strictly out of scope, including all other *.razerzone.com hosts. This also includes third-party sites reached by redirection from the Razer store, such as payment processors.

We will be expanding scope gradually.

Reporting issues
Please submit your security issue to Razer US via HackerOne (https://hackerone.com/razer_us). Provide as much detail as you can (affected URLs, request/response details, etc.) and the steps to reproduce the issue. We commit to responding to your report as soon as possible.

At this time, we are not awarding bounties or cash rewards for reported vulnerabilities. However, researchers will earn HackerOne reputation based on the merit of reported vulnerabilities, which may help qualify them for private bug bounty programs in the future.

Critical severity bugs:

Examples of issues that Razer would consider critical impact include:

* Vulnerabilities that allow privilege escalation on the platform from unprivileged to admin, remote code execution, data exfiltration, etc.
* Types of vulnerabilities that may result in these impacts include:
  * Remote Code Execution
  * Vertical authentication bypass (unprivileged user to admin)
  * SQL Injection that leaks targeted data

High severity bugs:

Examples of issues that Razer would consider high impact include:

* Lateral (horizontal) authentication bypass, i.e. access to another user's account or data at the same privilege level
* Stored XSS (excluding unexploitable self-XSS)
* Local file inclusion
* Insecure handling of authentication cookies
* CSRF, depending on impact

Medium severity bugs:

Examples of issues that Razer would consider medium impact include:

* Reflected XSS
* Insecure Direct Object References
* CSRF on sensitive actions and functions
* Open URL redirect

Low severity bugs:

Examples of issues that Razer would consider low impact include:

* Rate limiting issues that have a demonstrable impact
* Leaks of less sensitive information that have a demonstrable impact
* Directory listings
* Information leaks

Out of scope vulnerabilities
When reporting vulnerabilities, please consider (1) the attack scenario / exploitability, and (2) the security impact of the bug. The following issues are considered out of scope:

* Clickjacking / UI redressing on pages with no sensitive or state-changing actions.
* Login, logout, unauthenticated, or otherwise low-impact CSRF.
* Attacks requiring MITM or physical access to a user's device.
* Use of previously known vulnerable libraries without a working proof of concept demonstrating exploitability.
* Comma Separated Values (CSV) injection without demonstrating a vulnerability.
* Missing best practices in SSL/TLS configuration.
* Any activity that could lead to the disruption of our service (DoS).
* Content spoofing and text injection issues without showing an attack vector or the ability to modify HTML/CSS.
* Missing cookie flags.
* Mixed content warnings.
* "HTTP Host Header" XSS without proof of exploitability.
* Physical or social engineering attacks.
* Results of automated tools or scanners.
* Presence of the autocomplete attribute on web forms.
* Descriptive/verbose/unique error pages without proof of exploitability.
* Missing security-related HTTP headers which do not lead directly to a vulnerability.

Thank you for helping keep Razer and our users safe!
FireBounty (c) 2016