We have a few updates to our policy that we think deserve some explanation.
Bugs that reside in third party code are not eligible for bonuses of any kind.
It has come to our attention that we needed to add the above line to our policy. Sometimes in the course of testing, you come across a bug that looks like it is in our code but turns out to be in someone else's. Our Coordinated Vulnerability Disclosure policy requires that we share this information with the third party. If you find a bug in third party code, the information should go to the company that owns that code. Always.
Bonus - reduced to 5% per host
For each report, please allow Verizon Media sufficient time to patch other host instances. If you find the same bug on a different (unique) host before the report reaches a triaged state, filing it within the existing report will now only receive an additional 5% bonus (per host, not domain). Any reports filed separately while we are actively working to resolve the issue will be treated as a
A new asset has been defined
Social Media Accounts where these kinds of reports can be submitted. Often, these bugs do not belong to the engineering teams who are responsible for product development and maintenance, so handing them these trust-related bugs doesn’t end in a successful experience for most of us involved.
Updated Rules of Submission
## Requirements

* Account in question has posted content within 365 days of report submission
* Account in question is related to a company, brand, or product
* Exposed (valid/functional/active) credentials that allow login to an account

## In Scope

* Bounty: **Must meet all** `Requirements` above
* Reputation: Meets at least one of the `Requirements` above
* Note: "Account in question" means the account you are reporting as "vulnerable."

## Out of Scope

* Account in question is related to an individual (employee, freelancer or otherwise)
* Brute forcing account credentials