Acronis looks forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe.
Rules for us
- We respect the time and effort of our researchers
- We will respond within 5 business days
- We will process reports within 10 business days
- We will determine bounty amount within 10 business days after triage
- We will do our best to keep you informed about our progress throughout the process
Rules for you
- Be an ethical hacker and respect other users' privacy
- Register accounts using your [username][email protected] addresses
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service
- If you do any automated scanning against web resources and APIs, make sure to place your @wearehackerone email in the User-Agent header
- Automated scanning tools must be limited to 5 requests per second to one target host, counting all tools and threads running in parallel
- We kindly ask researchers to avoid testing on production systems whenever possible
Violation of these rules might result in ineligibility for a bounty or permanent ban
- Social engineering (e.g. phishing, vishing, smishing) is prohibited
- Only interact with accounts you own or with the explicit permission of the account holder
- If any sensitive information is accessed as part of exploitation, it must not be stored, transferred or otherwise processed after the initial discovery. All copies of sensitive information must be returned to Acronis and may not be retained
- Always limit exploitation to the minimal proof of concept required to demonstrate the vulnerability. Do not attempt to access Acronis' or other users' accounts or data, or to perform post-exploitation of other vulnerabilities. Stop, report what you have found and request additional testing permission
- Use the following commands to demonstrate command execution vulnerabilities
| Non-root | Root |
|---|---|
| id | id |
| cat /etc/hosts | cat /proc/1/maps |
| touch ~/[your H1 username] | touch /root/[your H1 username] |
Recommendations
- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact
- Reports that include clear steps to reproduce and proof of concept code will be more likely to be accepted
- If you are submitting DLL files as part of your exploit, be sure to include the source code for them as well. Doing so helps us verify your proof of concept more accurately and quickly
Quickstart Guide
- Acronis Cyber Protect Cloud documentation is available at developer.acronis.com
- You can find quickstart guides and more information about Acronis products and services at care.acronis.com
- Note that some vulnerabilities may already be fixed in the beta versions (check assets description)
Rewards
- When duplicates occur, we only award the first report that we receive
- If a vulnerability is fixed in the beta version we will consider it as duplicate
- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty
Public Disclosure
- Follow HackerOne's disclosure guidelines
- No vulnerability disclosure is allowed without express consent from Acronis. This rule applies to any vulnerability details as well as information obtained during exploitation even for resolved issues
- We may request up to 180 days of additional time after a disclosure request or report resolution to remediate the issue. This time is usually required to distribute the fixed version among our customers
- Besides disclosing reports on HackerOne, we also publish details about discovered vulnerabilities and the corresponding security updates in the Acronis Advisory Database
Safe Harbor
Any activities conducted in a manner consistent with this policy will be considered authorised conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
Contact Us
If you have a technical issue or a question related to the Acronis bug bounty program, feel free to reach out to us at [email protected].
Thank you for helping keep Acronis and our users safe!