Brightspeed looks forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe.
Response Targets
Brightspeed will make a best effort to meet the following response targets for hackers participating in our program:
| Type of Response | Target in business days |
|---|---|
| First Response | 2 days |
| Time to Triage | 2 days |
| Time to Resolution | depends on severity and complexity |
We’ll try to keep you informed about our progress throughout the process.
Guidelines
The Program applies to security vulnerabilities found within Brightspeed’s Environment, which includes, but is not limited to, Brightspeed’s websites, exposed APIs, mobile applications, and devices. A security vulnerability is generally an error, flaw, mistake, failure, or fault in a computer program or system that impacts the security of a device, system, network, or data. Because Brightspeed is an ISP, it can be difficult to distinguish between Brightspeed-owned addresses and the public IP addresses we have allocated to customers. Though we develop and maintain other internet-accessible systems and services, we ask that active research and testing be conducted only on Brightspeed systems.
Disclosure Policy
- Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.
- Follow HackerOne's disclosure guidelines.
Program Rules
- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.
- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
- When duplicates occur, we only triage the first report that was received (provided that it can be fully reproduced).
- Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.
- Social engineering (e.g. phishing, vishing, smishing) is prohibited.
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.
Out of scope vulnerabilities
When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:
- Clickjacking on pages with no sensitive actions
- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions
- Attacks requiring MITM or physical access to a user's device.
- Previously known vulnerable libraries without a working Proof of Concept.
- Comma Separated Values (CSV) injection without demonstrating a vulnerability.
- Missing best practices in SSL/TLS configuration.
- Any activity that could lead to the disruption of our service (DoS).
- Rate limiting or brute-force issues on non-authentication endpoints
- Missing best practices in Content Security Policy.
- Missing HttpOnly or Secure flags on cookies
- Configuration of or missing security headers.
- Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)
- Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]
- Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).
- Tabnabbing
- Issues that require unlikely user interaction
- Improper logout functionality and improper session timeout.
- CORS misconfiguration without an exploitation scenario
- Broken link hijacking
- Lack of jailbreak detection in mobile apps.
- Lack of SSL Pinning
- Attacks against Brightspeed infrastructure;
- Social engineering and physical attacks;
- Distributed Denial of Service attacks that require large volumes of data;
- 0-day vulnerabilities less than 30/60/90 days from patch release are ineligible for bounty;
- Provisioning and/or usability issues;
- Violations of licenses or other restrictions applicable to any vendor's product;
- Security vulnerabilities in third-party products or websites that are not under Brightspeed’s direct control
- Clickjacking reports against unauthenticated pages and/or static content resources;
- Reports of missing SPF records for domains with no MX record;
- Vulnerabilities that are a result of malware;
- Theoretical security issues with no realistic exploit scenario(s) or attack surfaces, or issues that would require complex end user interactions to be exploited, or
- Issues determined to be low impact.
- Vulnerabilities which require a social engineering component are excluded, e.g. presenting injected data to a user and expecting the user to click on an external link to complete the compromise
- Login/logout CSRF
- Content spoofing which depends on a social engineering element to succeed (such as an error page suggesting that a user take an action) is excluded
- Abandoned CNAME records require a social engineering component to exploit successfully; they are excluded unless there is an existing link from a company resource to the invalid CNAME
- Duplicate reports of security issues, including security issues that have already been identified internally;
- Security vulnerabilities in Brightspeed customers’ IP addresses and/or systems
In addition, the submitter:
- Must not be the author of the code with the vulnerability or
- Must not be employed by Brightspeed directly or indirectly.
Do not engage in any of the following activities:
- Accessing, downloading, or modifying data residing in any system or account that does not belong to you
- Executing or attempting to execute any “Denial of Service” attack
- Executing or attempting to execute any social engineering attacks
- Posting, transmitting, uploading, linking to, sending, or storing any malicious software
- Testing in a manner that would result in the sending of unsolicited or unauthorized junk mail, spam, pyramid schemes, or other forms of unsolicited messages
- Testing in a manner that would damage or degrade the operation of any Brightspeed systems
- Testing third-party applications, websites, or services that integrate with or link to Brightspeed systems
- Testing that may violate any applicable law or impact the security or integrity of any personal or confidential information
Safe Harbor
Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
Thank you for helping keep Brightspeed and our users safe!