Alibaba.com VDP Bug Bounty Program

Introduction

Alibaba.com VDP looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.

Program Highlights

Open Scope — Accepts reports for all owned assets based on impact, even if not listed in scope.

Gold Standard Safe Harbor — Adheres to Gold Standard Safe Harbor.

Program Management — Managed by HackerOne

• Average time to first response: 16 hours
• Average time to triage: 1 day, 1 hour

Disclosure Policy

• As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.

• Follow HackerOne's disclosure guidelines.

Access

Researchers are free to create their own seller, buyer, etc., accounts on the in-scope applications. No credentials or privileged access will be provided by Alibaba, so accounts are limited to what users can create on their own.

Program Rules

• Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.

• Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.

• When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).

• Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.

• Social engineering (e.g. phishing, vishing, smishing) is prohibited.

• Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.

Scope

Only listed targets are in scope. Other domains/assets owned by Alibaba but not listed, are not in scope.

Things to Note About the Scope

Honeypot System Warning — Most of our assets have a bypass honeypot system that detects all suspected attack behaviors and randomly spoofs them. There is a high possibility the "vulnerability" you find may be the result of a honeypot spoof. This includes: RCE, XXE, SQL Injection, SSRF, Arbitrary file reading, sensitive file/content leakage, and so on.

Alibaba Cloud External Customer IPs — If an IP belongs to Alibaba Cloud external customer, it's not in scope. If an IP's description contains 'Alicloud' or 'Aliyun' in the search result at http://wq.apnic.net/static/search.html, there is a high chance this IP belongs to an external Alibaba Cloud customer, which is not in scope. But please note that this is only a reference, not a hard and fast rule. Unless you are absolutely sure that the IP is within the program scope, do not make any testing on it.

Login Page Vulnerabilities — Vulnerabilities in:

• .anydomain.com|cn/[/]login.htm
• .anydomain.com|cn/[/]mini[*]login.htm
• .anydomain.com|cn/[/]icbu[*]login.htm

or patterns like above URLs will be considered as only ONE valid report because of the same back-end service. Also, vulnerabilities on different params of the same URL are considered as ONE valid report. Same vulnerabilities on different country sites are considered as ONE valid report.

Aliyuncs.com — Front-end vulnerabilities on aliyuncs.com is not a 'trust' domain in our business. So XSS, CSRF, Open Redirection etc. are not in scope. But server-end vulnerabilities are in scope.

RCE — RCE on non-production environment, such as a cloud server, will be no higher than High severity. RCE on test environment, such as testing webservers, demo sites, etc., will be no higher than Medium severity.

Stored XSS — Only stored XSS (without user interaction) on main shop page, item detail page or chatting page (buyer to seller) can be High severity. All other kinds of stored XSS will be no higher than Medium severity.

Medium Severity Cap — The following type vulnerabilities severity will not be assessed higher than Medium severity:

• Reflected XSS
• Stored XSS that needs to visit certain URL or needs user interaction
• CSRF
• CORS
• JSONP Hijacking
• OAuth Hijacking
• Privilege Escalation
• Unused or abandoned subdomain takeover
• Arbitrary file upload that only leads to Stored XSS etc.

SSRF Vulnerability Assessment Guidelines — Alibaba has identified four main types of SSRF for its businesses:

1. SSRF on Production Network Services
2. Blind SSRF on Production Network Services
3. SSRF on Cloud Server
4. Blind SSRF on Cloud Server

Please note that the severity of SSRFs may range from low to critical.

Open Source Projects — Open source projects of Alibaba and Aliyun on Github are NOT in this program's scope.

Out of Scope Vulnerabilities

The following finding types are specifically excluded:

• Vulnerabilities affecting users of outdated browsers or platforms
• Account brute force
• Account takeover via CSRF/OAUTH etc.
• CRLF
• Self-XSS
• Flash-based XSS
• Tabnabbing
• Email Spoof
• Session fixation
• Cache Poisoning
• Content Spoofing
• Supply chain attack
• Credential Leakage
• Missing cookie flags
• Best practices/issues
• HTML content injection
• Mixed content warnings
• Clickjacking/UI redressing
• HTTPS/SSL/TLS Related Issues
• Physical or social engineering attacks
• Reflected file download attacks (RFD)
• Issues that require unlikely user interaction
• Login/logout/unauthenticated/low-impact CSRF
• Unverified Results of automated tools or scanners
• No SPF/DMARC in non-email domains/subdomains
• Attacks requiring MITM or physical access to a user's device
• Issues related to networking protocols or industry standards
• Carriage Return Line Feed injection without direct impact (CRLF)
• Error information disclosure that cannot be used to make a direct attack
• Missing security-related HTTP headers which do not lead directly to a vulnerability
• Reports of credentials exposed by other data breaches / known credential lists

---