March 20, 2020

March Policy Changes

Note: Verizon Media is now known as Yahoo.



We have a few updates to our policy that we think deserve some explanation.

Third Party Code

Bugs that reside in third party code are not eligible for bonuses of any kind.

It has come to our attention that we needed to add the above line to our policy. Sometimes in the course of testing, you come across a bug that looks like it is in our code but turns out to be in someone else's. Our Coordinated Vulnerability Disclosure policy requires that we share this information with the third party. If you have a bug in third party code, the information should go to the company that owns that code. Always.

Same bug, different host

Bonus - reduced to 5% per host

For each report, please allow Verizon Media sufficient time to patch other host instances. If you find the same bug on a different (unique) host prior to the report reaching a triaged state, file it within the existing report; it will now only receive an additional 5% bonus (per host, not domain). Any reports filed separately while we are actively working to resolve the issue will be treated as duplicates.

Social Media Account Takeover

A new asset, Social Media Accounts, has been defined where these kinds of reports can be submitted. Often, these bugs do not belong to the engineering teams who are responsible for product development and maintenance, so handing them these trust-related bugs doesn’t end in a successful experience for most of us involved.

Updated Rules of Submission

## Requirements

* Account in question has posted content within 365 days of report submission

* Account in question is related to a company, brand, or product

* Exposed (valid/functional/active) credentials that allow login to an account

## In Scope

* Bounty: **Must meet all** `Requirements` above

* Reputation: Meets at least one of the `Requirements` above

* Note: “Account in question” means the account you are reporting as “vulnerable.”

## Out of Scope

* Account in question is related to an individual (employee, freelancer or otherwise)

* Brute forcing account credentials

If you have any questions, remember you can reach out to us in the #verizonmedia channel on the Bug Bounty Forum Slack workspace.

Happy Hacking,