Note: Verizon Media is now known as Yahoo.
The EdgeCast Customer and Partners portals are now part of the Oath private bug bounty program. Testing accounts will need to be specially created for each participant and we have a limited number each week, so get your request in early! When writing reports against these portals, please make sure to correctly tag your report with the
EdgeCast - Partners (VDMS) or EdgeCast - Customers (VDMS) asset. Read on below for more details about how these assets expand the Oath bug bounty program.
Verizon Digital Media Services' EdgeCast Content Delivery Network has a capacity of 50+ Tbps and 125 points of presence (PoPs) spanning 56 countries across six continents. A network connected with over 3,000 carriers and ISPs, we not only strive to be the fastest and most reliable Content Distribution Network (CDN), but also the most secure.
Our CDN partners configure their accounts and manage their own customers using either the Partner Control Center (PCC) or API. This is where we ask you to help us ensure that our partners' account settings and data are safe and secure.
Testing On Production
The Oath EdgeCast program is testing a production environment. Please take this into consideration when testing and do not perform tests that may impact system infrastructure or architecture.
- Automated scanning tools are not permitted.
- DO NOT target EdgeCast customers.
- DO NOT attempt to access, control, or manipulate any EdgeCast partner or customer account or instance that you do not expressly own (i.e. interacting with customer data, accounts, or credentials).
- DO NOT use, disclose, or distribute any confidential information, including, but not limited to, any information regarding your submissions.
- DO NOT not disclose your findings or the contents of your Submissions in ANY capacity outside of the Oath bug bounty program.
- Any information you receive or collect on EdgeCast or its customers while testing on the Oath bug bounty program MUST be kept confidential and used ONLY within the context of this program.
Violation of any of these rules can result in ineligibility for a bounty and/or removal from the program.
There are a number of notable known issues on this product that should not be reported (and are not eligible for bounty), to prevent duplicates, some of the most visible ones include:
- An attacker can access a feature/endpoint that he or she does not have access to if the URL is known. The root cause is an Insecure Direct Object Reference (IDOR) issue.
- The application lacks an anti-CSRF token implementation and is susceptible to CSRF.
The EdgeCast software requires additional credentials that must be created per researcher to facilitate testing.
- For the EdgeCast Partners portal: Researchers will be provided two (2) user accounts under two (2) separate customer organizations. CustomerA & CustomerB ... for a total of 2 researcher accounts.
- For the EdgeCast Customers portal: Researchers will be provided two user accounts under two separate customers.
While testing for cross-account and cross-organization vulnerabilities, you may target ONLY target the 2 accounts that you own.
To request accounts, you may contact email@example.com. Accounts will be created on a first-come-first-serve basis with a limited number created per week.
After accepting the invitation, in order to reset your user account password, navigate to the EdgeCast Partners Control Center and select "Forgot Password". Input each of your (2) assigned credential email addresses to receive a password reset link. You can find these emails at the bottom of this brief.
API documentation can be found by clicking on the "Support" link within the EdgeCast Partners application (you must be authenticated within the application). Focus on the "Partner Control Center Docs" section.