Introduction
Software security researchers are increasingly engaging with Internet companies to hunt down vulnerabilities. Our bounty program gives a tip of the hat to these researchers and provides rewards of $300 or more for critical vulnerabilities.
Below you can find information about the rules, scope and reporting requirements.
Happy hacking!
Before you start
- Check the list of domains that are in scope for the Security Bug Bounty Program and the list of targets for useful information on getting started. All Wallarm application testing must be performed on the dedicated application instance https://audit.my.wallarm.com/.
- Check the list of bugs that have been classified as ineligible. Ineligible submissions will likely be closed as Not Applicable.
- Check the Wallarm Changelog for recently launched features.
- Never attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.
- When in doubt, contact us at security@wallarm.com.
By participating in Wallarm's Security Bug Bounty Program (the "Program"), you acknowledge that you have read and agree to Wallarm's Terms of Service as well as the following:
- You're not participating from a country against which the United States has issued export sanctions or other trade restrictions, including Cuba, Iran, North Korea, Sudan, and Syria.
- You're not currently a Wallarm employee or contractor, were not a Wallarm employee or contractor within six months prior to submission, and you did not collaborate on your submission with anyone who was.
- Your participation in the Program will not violate any law applicable to you, or disrupt or compromise any data that is not your own.
- You are solely responsible for any applicable taxes, withholding or otherwise, arising from or relating to your participation in the Program, including from any bounty payments.
- Wallarm reserves the right to terminate or discontinue the Program at its discretion.
- Only test for vulnerabilities on sites you know to be operated by Wallarm and are in-scope of the Program. Some sites hosted on subdomains of wallarm.com are operated by third parties and should not be tested.
Legal safe harbor
Your research is covered by the Wallarm Security Bug Bounty Program Legal Safe Harbor policy. In summary:
- We consider security research and vulnerability disclosure activities conducted consistent with this policy as “authorized” conduct under the Computer Fraud and Abuse Act, the DMCA, and other applicable computer use laws such as Cal. Penal Code 502(c). We waive any potential DMCA claim against you for circumventing the technological measures we have used to protect the applications in this Security Bug Bounty Program's scope.
- We want you to responsibly disclose through our bug bounty program, and don't want researchers put in fear of legal consequences because of their good faith attempts to comply with our bug bounty policy. We cannot bind any third party, so do not assume this protection extends to any third party. If in doubt, ask us before engaging in any specific action you think might go outside the bounds of our policy.
- Because both identifying and non-identifying information can put a researcher at risk, we limit what we share with third parties. We may provide non-identifying substantive information from your report to an affected third party, but only after notifying you and receiving a commitment that the third party will not pursue legal action against you. We will only share identifying information (name, email address, phone number, etc.) with a third party if you give your written permission.
- If your security research as part of the Program violates certain restrictions in our service policies, the safe harbor terms permit a limited exemption.
Performing your research
Do not impact other users with your testing; this includes testing vulnerabilities in accounts and users you do not own. If you are attempting to find an authorization bypass, you must use accounts you own.
The following are never allowed and are ineligible for reward. We may suspend your Wallarm account and ban your IP address for:
- Performing distributed denial of service (DDoS) or other volumetric attacks.
- Spamming content.
- Large-scale vulnerability scanners, scrapers, or automated tools which produce excessive amounts of traffic. Note: We do allow the use of automated tools as long as they do not produce excessive amounts of traffic. For example, running one Nmap scan against one host is allowed, but sending 65,000 requests in two minutes using Burp Suite Intruder is excessive.
Researching denial-of-service attacks is allowed and eligible for rewards only if you follow these rules:
- Research must be performed in Wallarm organization and user accounts you own.
- Stop immediately if you believe you have affected the availability of our services. Don't worry about demonstrating the full impact of your vulnerability - Wallarm's security team will be able to determine the impact.
- There are no limits for researching denial of service vulnerabilities against your own private instance of Wallarm Cloud.
Handling personally identifiable information (PII)
Personally identifiable information (PII) includes:
- legal and/or full names
- names or usernames combined with other identifiers like phone numbers or email addresses
- health or financial information (including insurance information, social security numbers, etc.)
- information about political or religious affiliations
- information about race, ethnicity, sexual orientation, gender, or other identifying information that could be used for discriminatory purposes
Also:
- Do not intentionally access others' PII. If you suspect a service provides access to PII, limit queries to your own personal information.
- Report the vulnerability immediately and do not attempt to access any other data. The Wallarm Security team will assess the scope and impact of the PII exposure.
- Limit the amount of data returned from services. For SQL injection, for example, limit the number of rows returned.
- You must delete all your local, stored, or cached copies of data containing PII as soon as possible. We may ask you to sign a certificate of deletion and confidentiality agreement regarding the exact information you accessed. This agreement will not affect your bounty reward.
- We may ask you for the usernames and IP addresses used during your testing to assess the impact of the vulnerability.
Reporting your vulnerability
- Send your reports to security@wallarm.com. Please don't send information through any other channel such as other email addresses, chat, support, etc. Such requests won't be entertained and might disqualify you from the program.
- Submissions must include written instructions for reproducing the vulnerability. Submissions without clear reproduction steps or which only include reproduction steps in video form may be ineligible for a reward.
- For vulnerabilities involving personally identifiable information, please explain the kind of PII you believe is exposed and limit the amount of PII data included in your submissions. For textual information and screenshots, please only include redacted data in your submission.
- Do not publicly disclose your submission until Wallarm has evaluated the impact.
The scope of the Program
Wallarm runs a number of services but only submissions under the following domains are eligible for rewards. Any Wallarm-owned domains not listed below are not in-scope, not eligible for rewards and not covered by our legal safe harbor:
- audit.my.wallarm.com
- apiconsole.audit.wallarm.com
- audit.api.wallarm.com
The accepted categories include injection attacks, authentication or authorization flaws, cross-site scripting, sensitive data exposure, privilege escalation, and other security issues.
The following resources are outside of the scope of the Program:
- my.wallarm.com
- api.wallarm.com
- *.eu1.wallarm.com
- us1.my.wallarm.com
- us1.api.wallarm.com
- *.us1.wallarm.com
- wallarm.com
- www.wallarm.com
- lab.wallarm.com
- status.wallarm.com
- changelog.wallarm.com
- docs.wallarm.com
- docs.fast.wallarm.com
- *.demo.wallarm.com
Please do not report about the following issues:
- Excel CSV formula injection, scripting within PDF documents
- Reports based on product/protocol version alone, without a demonstration that the vulnerability is actually present
- Theoretical attacks without proof of exploitability
- Missing/incorrect DNSSEC, SPF, DKIM or DMARC records
- Reports of a missing protection mechanism or best practice (e.g. no CSRF token, no framing/clickjacking protection) without a demonstration of real security impact for the user or system
- Username/email existence/enumeration vulnerabilities
- Missing sensitive security headers
- Self-signed SSL certificates on any Wallarm IP addresses
- Atlassian Jira Service Management self-service portal open for user registration (it is used by Wallarm customers)
- Issues related to deprecated web browsers and/or systems
- Vulnerabilities in product versions no longer under active support
- Lack of password length restrictions or complexity requirements
- Just showing that a page can be iframed, without demonstrating clickjacking impact
- Insecure cookie settings for non-sensitive cookies
- Reports from automated tools or services (without accompanying demonstration of exploitability)
- Text-only injection in error pages
- Automatic hyperlink construction by 3rd party email providers
- Using email mutations to create multiple accounts for a single email
Receiving your award
All reward amounts are determined by our severity guidelines:
- Critical: Vulnerabilities that we think violate the fundamental security of the Wallarm Service (for example, escalation of privilege from unauthenticated to administrator, privileged remote code execution, or access to customer data) will be considered P1 and are typically eligible for a minimum of $300.
- Minimum: Any vulnerability that we fix in response to a submission via our program will be eligible for a minimum of $20.
Also:
- When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).
- Bounty payments, if any, will be determined by Wallarm in Wallarm’s sole discretion. In no event shall Wallarm be obligated to pay you a bounty for any Submission. All bounty payments shall be considered gratuitous.
Thank you for helping keep Wallarm and our users safe!