Anduril Industries Bug Bounty Program
Introduction
Anduril Industries looks forward to working with the security community to find vulnerabilities and help keep our systems and mission partners safe.
Program Highlights
- Open Scope: Rewards reports for all owned assets based on impact, even if not listed in scope
- Fast Payment: Ensures payment within 1 month of receiving a vulnerability report
- Gold Standard Safe Harbor: Adheres to Gold Standard Safe Harbor
- Platform Standards: Fully compliant with Platform Standards
- Top Response Efficiency: This program's response efficiency is above 90%
Response Times
- Average time to first response: 10 hours
- Average time to triage: 20 hours
- Average time to bounty: 1 day, 3 hours
- Average time from submission to bounty: 1 day, 23 hours
- Average time to resolution: 1 week, 2 days
Rewards
Our rewards are based on severity per CVSS (the Common Vulnerability Scoring System). These are general guidelines, and reward decisions are at the discretion of Anduril Industries.
| Severity | Bounty Range | Average Bounty |
|---|---|---|
| Low | $50–$500 | $196 |
| Medium | $500–$2,000 | $874 |
| High | $2,000–$7,500 | $3,525 |
| Critical | $7,500–$25,000 | $10,000 |
Scope Exclusions
Core Ineligible Findings are out of scope.
Disclosure Policy
- We currently don't disclose reports marked as Informative
- Exceptional reports may be considered for disclosure on a case-by-case basis
Program Rules
- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward
- Submit one vulnerability per report unless you need to chain vulnerabilities to provide impact
- When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced)
- Ask the program team before submitting vulnerabilities on unscoped subdomains
- Only interact with accounts you own or with the explicit permission of the account holder
- Multiple vulnerabilities caused by one underlying issue will be treated as one valid report
- When submitting a report, you acknowledge you are subject to HackerOne's Disclosure Guidelines (as modified by this Program Policy regarding disclosure timelines), the HackerOne Finder Terms and Conditions, HackerOne General Terms and Conditions and HackerOne Core Ineligible Findings
- Do not exfiltrate any data under any circumstances
- Do not compromise the privacy or safety of Anduril Industries personnel or any third parties
- Do not intentionally compromise the intellectual property or commercial interests of any Anduril Industries personnel or entities, or any third parties
- If at any point you are uncertain whether to continue testing, please engage with our team
Session Layer: HTTP Headers
Researchers should add headers to requests such as:
- "X-HackerOne-Research: [H1 username]"
Legal
Anduril is unable to award a bounty to researchers who reside in a country that is subject to United States export sanctions or trade restrictions. Anduril Industries employees, contractors, service providers, vendors, and their family members are not eligible for bounties. Any testing involving physical approach to or proximal engagement with Anduril wireless networks, property, facilities, or personnel is strictly prohibited and may result in legal action. You must comply with all applicable laws in connection with your participation in this program. You are also responsible for any applicable taxes associated with any reward you receive. We may modify the terms of this program or terminate this program at any time. We won't apply any changes we make to these program terms retroactively.
Thank you for helping keep Anduril and our users safe!