Details

Algolia is committed to working with security experts across the globe to stay up to date with the latest security techniques. If you have discovered a security issue that you believe we should know about, we'd welcome working with you. Please let us know about it and we'll make every effort to quickly correct the issue.

DO NOT use automated scanning tools

Scope

Website related endpoints on www.algolia.com or dashboard.algolia.com
API related endpoints on *.algolia.net or *.algolianet.com

Bounty

Minimum reward is $100 for security vulnerabilities. The reward depends on the vulnerability severity and will be paid via HackerOne only. Every researcher with accepted vulnerability will be mentioned on http://hackerone.com/algolia/thanks Issues without security impact are not eligible for a bounty, yet still welcomed and will be treated like any other report.

Eligibility

You must be the first reporter of the vulnerability.
You follow https://hackerone.com/disclosure-guidelines
You do not access data of other users and solely use your created accounts.
You may not publicly disclose the vulnerability prior to our resolution.
You are not an individual on, or residing in any country on, any U.S. sanctions lists.
You provide a working proof of concept that exploits the security issue

Exclusion

Login/Logout CSRF
DDoS
Social engineering on customers or employees of Algolia
Self-XSS (we require evidence on how the XSS can be used to attack another Algolia user)
Miss of rate limits
Report from automated tools and scans
Vulnerabilities sending spam or unauthorised messages
Bugs in 3rd party software
X-Frame-Options related
Customer's sites
Relating to HSTS
DNSSEC
Missing security headers which do not lead directly to a vulnerability
Physical attack on the infrastructure
Theoretical attacks
Breaking of SSL/TLS trust
Compromising of browser/device (ex. computer sharing, physical access to a user's device, ...)
Vulnerabilities only affecting users of outdated or unpatched browsers and platforms
Password and account recovery policies, such as reset link expiration or password complexity
Vulnerabilities without solution on our side (HEIST, ...)
Outdated DNS record pointing to system which does not belong to Algolia
Any DNS record outdated for less than 48 hours
Broken links

Bounty

Eligibility

You must be the first reporter of the vulnerability.

You follow https://hackerone.com/disclosure-guidelines

You do not access data of other users and solely use your created accounts.

You may not publicly disclose the vulnerability prior to our resolution.

You are not an individual on, or residing in any country on, any U.S. sanctions lists.

You provide a working proof of concept that exploits the security issue

Exclusion

DDoS

Social engineering on customers or employees of Algolia

Self-XSS (we require evidence on how the XSS can be used to attack another Algolia user)

Miss of rate limits

Report from automated tools and scans

Vulnerabilities sending spam or unauthorised messages

Bugs in 3rd party software

X-Frame-Options related

Customer's sites

Relating to HSTS

DNSSEC

Missing security headers which do not lead directly to a vulnerability

Physical attack on the infrastructure

Theoretical attacks

Breaking of SSL/TLS trust

Compromising of browser/device (ex. computer sharing, physical access to a user's device, ...)

Vulnerabilities only affecting users of outdated or unpatched browsers and platforms

Password and account recovery policies, such as reset link expiration or password complexity

Vulnerabilities without solution on our side (HEIST, ...)

Outdated DNS record pointing to system which does not belong to Algolia

Any DNS record outdated for less than 48 hours

Broken links