Adversarial supports ethical cybersecurity research and is committed to learning about any discovered potential security weaknesses as rapidly as possible. To that end, the following scope guides testing and reporting activity for invited researchers seeking to engage with the company. Once invited, researchers are encouraged to browse adversarial.com and learn about the platform and its purpose, so that test scenarios can be constructed with business relevance and value. Without an explicit invitation via email from adversarial.com, testing activity is prohibited and not covered by this Scope.
2024-04-24: With our initial run of bounty testing, we are limiting paid bounties per researcher to $5000 for the first wave of testing. At $5000 cumulative bounties collected, we will pause activity to allow us to catch up on remedial action, at which point we will re-enable the program and raise the limit. We do not expect to run into this issue, but want to protect ourselves from a huge expenditure at this important initial launch.
Reports should include a working proof of concept (POC), commonly exhibited via screenshots, video, or similar substantiation.
Reports should be made promptly to alert our team as quickly as possible after a vulnerability is detected.
Where the same finding is submitted by multiple researchers or in multiple reports, only the first submission will be rewarded.
Discovery of findings in nonproduction/staging, production, or other environments of the same code base will count as a single finding, with severity based on the most sensitive environment where it is present. While testing is limited to non-production environments (.dev), findings will be awarded as if in production.
The discovery of a finding on multiple assets will be bundled into a single finding where the same remediation activity will be relevant (e.g. needing to patch the same library).
You grant Adversarial and its affiliates a perpetual, irrevocable, worldwide, royalty-free license to use, copy, adapt, develop, create derivative work from, or share your submission for any purpose. You waive all claims, including breach of contract or implied-in-fact contract, arising out of your submission.
By reporting a finding, you allow our bounty platform to share relevant tax information as appropriate to allow Adversarial to perform any needed compliance checks.
Third-party bugs: A finding related to third-party code will be validated only if it can lead to exploitation of our assets; we reserve the right (but not the obligation) to notify the third party.
When conducting vulnerability research according to the US Department of Justice definition of Good Faith Security Research below, we will consider this activity authorized and exempt from copyright, Terms & Conditions, or similar restrictions that might otherwise be construed to prohibit such activity.
Good faith security research means accessing a computer solely for purposes of good-faith testing, investigation, and/or correction of a security flaw or vulnerability, where such activity is carried out in a manner designed to avoid any harm to individuals or the public, and where the information derived from the activity is used primarily to promote the security or safety of the class of devices, machines, or online services to which the accessed computer belongs, or those who use such devices, machines, or online services. (US Department of Justice PR 22-533)
If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please contact us for clarification before proceeding.
Denial of Service (DoS): Where a potential denial of service vulnerability is suspected, a request can be submitted for authorization to prove the attack in a non-production environment. We reserve the right to decide whether provision of such an environment is warranted and may dismiss the request or accept it as proven without additional testing if our research leads to such a conclusion.
Data Exfiltration: Where sensitive data is suspected to be accessible, pause and request authorization to sample or otherwise query the data.
Lateral Movement: Where a remote shell or similar access has been gained without authorization, pause and request authorization before attempting to penetrate additional assets laterally.
Data Modification: Where the ability to deface web material, alter data, or otherwise harm data integrity is suspected, pause and request approval to make specific comments in specific locations as a proof of concept before moving further.
Transactions: Where the ability to initiate financial, data, or other platform transactions is suspected, pause and request approval before initiating further activity.
Communication: Where the ability to lure legitimate users or customers into taking an action that may prove a vulnerability is likely or suspected, pause and request explicit authorization for the action and target audience before proceeding further. Such actions may include generating fraudulent phishing messages, injecting code that may be executed client-side by authorized users, or generating instructions that may lead to compromise.
Resource Provision: Where it is suspected that paid cloud computing or similar workloads or resources could be provisioned without authorization, pause and request permission before creating such an instance.
Login: Where potential customer credentials are suspected to be disclosed, do not log in using those credentials. A request may be made for validation and permission to proceed, in which case we will reserve discretion to consider allocating a clone account for additional testing if credentials are confirmed valid.
No action should be taken that is likely or suspected to be disruptive or to perform any denial of service of the platform in production or testing environments.
No action should be taken that is likely or suspected to generate alerts or other messages to legitimate platform users or customers.
Social engineering, including phishing, the generation of spam, or the generation of fraudulent transactions or activity, is prohibited.
Physical reconnaissance, intrusion, eavesdropping, or social engineering is prohibited.
The retrieval or storage of Strictly Confidential* data including personally identifiable information, customer data, credentials, or similar is prohibited with the following exception: where the retrieval of such data is suspected to be possible, retrieve 10% or 10 rows (whichever is less) of data to evaluate content. Where confidential data is confirmed, submit it securely to the platform and delete any copies created in the act.
Do not attack third-party Identity Providers (IDPs) enabled in the platform.
Vulnerabilities requiring deprecated browsers will not be accepted.
Lookalike domain, app, SMTP, or social media registrations do not qualify as vulnerabilities.
To participate in our program you should be at least 18 years of age and not have been an Adversarial employee, contractor, or family member thereof for the previous year.
You are prohibited from participating in the program if you are a resident of any U.S. embargoed jurisdiction; or if you are on the U.S. Treasury Department's list of Specially Designated Nationals or the U.S. Department of Commerce Denied Persons List or Entity List. By participating in the program, you represent and warrant that you are not located in any such country or on any such list.
You are prohibited from participating in the program if doing so would put you in violation of any law or binding contractual agreement.
Adversarial maintains a payment structure for reported issues, including the right to modify terms and payment amounts as needed. In general, the likelihood or potential of an issue to lead to a specific adversarial threat objective, such as data theft, sabotage, extortion, or similar, weighs heavily in rating a vulnerability. This can be in contrast to or in concert with CVSS scoring, as the emphasis is on the ultimate action enabled and not the specific vulnerability identified.
Adversarial maintains sole discretion for the adjudication of any report, resulting severity, and associated payout.
P1 findings include the unauthorized access, modification, or destruction of Strictly Confidential* data, the ability to disrupt or alter systems or code, the ability to conduct fraudulent transactions, or the ability to repurpose resources for unauthorized activity, all toward the Threat Objectives of Data Disclosure or Customer Targeting.
Examples (see Rules of Engagement for requirements to pause):
P2 findings include the unauthorized access of Confidential* data, the ability to redirect unused resources associated with official domains or IP addresses to unauthorized systems or content, or the ability to gain administrative access to a company asset without further validation of P1 criteria. P2 also includes the ability to view random data that is intended to be protected, such as memory stores, that could reasonably be assessed to ultimately reveal sensitive information if continuously queried.
Examples:
The ability to remotely execute code with no observable ability to chain data access or command & control, the ability to forge communications from the company to reasonably vigilant recipients, or the ability for an authorized user to bypass security protections intended for enforcement.
Examples:
Exploitations that depend on client-side compromise or are otherwise limited to self-inflicted damage.
Examples:
Informational findings that cannot be demonstrated to directly lead to additional exploitation.
Examples:
Please follow the instructions at adversarial.com/security.txt to report findings. At the time of writing, that amounts to an email submission to security@
Strictly Confidential data includes a subset of confidential data that requires explicit awareness and treatment to fulfill legal, regulatory, and/or contractual obligations or that has been explicitly classified as such by policy. Examples include access credentials, encryption keys, personally identifiable information (PII), protected healthcare information (PHI), credit card numbers, national identifiers, Board materials, attorney-client privileged communication, trade secrets, or detailed and identifiable transaction logs. Strictly Confidential data also includes threat, risk or incident register record details from customer entities that should not be accessible via the credential used (or lack thereof).
Confidential data includes any data produced or consumed in the course of business that is not explicitly declared for public distribution. Examples include directory listings, network diagrams, procedural guides, policies, runbooks, aggregated metadata, correspondence and messages, or performance metrics. Confidential data also includes platform templates and documents instantiated for customers with templated data. Aggregate graphs and reports created for customers without explicit threat, risk, or incident register details are also considered Confidential.
It is prohibited to publicly or privately disclose the contents of any submission, your findings, your communications with Adversarial related to submissions, or any non-public facts you have learned about Adversarial in the course of your participation to any third parties without Adversarial’s prior written approval.
To protect your privacy, we will not, unless served with legal process or to address a violation of this policy:
Copyright Adversarial Risk Management for authorized use.