The Elastic team appreciates the security community and shares the goal of keeping our businesses, customers, and the internet safe. Elastic values your efforts and promises to remain responsive and to update you as your reports are triaged and remediated. We award bounty-eligible reports at triage and hope to work together on an ongoing basis.
Elastic's bounty structure falls under two umbrellas: Product Vulnerabilities & Other. While we accept reports on any assets that we own or control, we are particularly interested in vulnerabilities in our products, and we pay significantly more for them, as indicated in our bounty structure.
## PRODUCT BUG BOUNTY AMOUNTS
We are specifically interested in any/all bugs related to the Elastic suite of products. Find an IDOR in Elasticsearch? Report it. Find an XSS in Kibana? Report it. If we wrote code with a bug in it, we want to know about it!
Our code is open, so use that to your advantage!
### What we're interested in
- Attacks that lead to compromise of Elastic user data
- Widespread compromise of Elastic user accounts
- Remote code execution on systems and applications
- Access to administrator/superuser accounts
- Arbitrary access to a user’s sensitive data/functionality
- Kibana XSS and CSRF
- Access to underlying containers
- Access to unauthorized data as an authenticated user
- Privilege escalation as an authenticated user (to a non-superuser role)
- Authenticated SSRF
## Expectations
- If you report a subdomain takeover, please document your findings in the report. Multiple subdomain takeovers caused by one underlying record/IP will be awarded one bounty.
- Social engineering (e.g. phishing, vishing, smishing) is prohibited.
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.
- Application-layer attacks should be reproduced on a deployment that meets the minimum requirements specified in the product documentation, and in all cases with no less than 1 CPU and 2 GB of RAM.
- Our rewards are based on the severity of a vulnerability. Please note that reward decisions are up to the discretion of Elastic.
## Disclosure
- Let us know as soon as possible upon discovery of a potential security issue, and we’ll make every effort to quickly resolve the issue.
- When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).
- Follow HackerOne's disclosure guidelines.
- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact. Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
## Out of scope
When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues should be considered out of scope:
- Security issues in third party systems, domains, services and components fall outside this policy and are not eligible for a bounty. We encourage you to submit these to the third party owner. In cases where the third party owner cannot be contacted or is unresponsive, we will be happy to assist with communication if a report is submitted to us.
- Findings that require administrative or root operating system privileges are out of scope. Administrators are very powerful and are free to modify or downgrade the OS. Elastic aligns with the MSRC's stance that the boundary between an administrator and the kernel is not a security boundary. https://www.microsoft.com/en-us/msrc/windows-security-servicing-criteria
- Findings that require administrative-level access to our products and whose impact/severity is limited to Low for Availability.
- Findings in legacy or end-of-life product versions. Security issues must be reproducible on currently maintained releases.
- Application-level Denial of Service attacks against Swiftype
- Cross-site scripting vulnerabilities that are not accompanied by a bypass of our content security policy. Cross-site scripting vulnerabilities without a content security policy bypass will be assessed on a case-by-case basis and might be rewarded at a low severity level.
- Clickjacking on pages with no sensitive actions
- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions
- Attacks requiring MITM or physical access to a user's device.
- Previously known vulnerable libraries without a working Proof of Concept.
- Comma Separated Values (CSV) injection without demonstrating a vulnerability.
- Missing best practices in SSL/TLS configuration.
- Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
- Lack of Rate limiting or bruteforce issues
- Volumetric attacks (e.g., network flooding, request flooding, port flooding, or any attack where the required traffic volume scales with deployment size) are never eligible for bounty rewards.
- Missing best practices in Content Security Policy.
- Missing HttpOnly or Secure flags on cookies
- Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)
- Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]
- Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).
- Tabnabbing
- Issues that require unlikely user interaction
- Open Redirects that are not chained into a more impactful vulnerability
- Broken links in documentation
- Issues where an attacker gets access to paid features for free or at a discount
- Recent acquisitions by Elastic are out of scope for the Bug Bounty program for at least 6 months after the acquisition is complete. Reports received sooner than that will not qualify for a reward.
## Stipulations
To be eligible for the Bug Bounty Program, you must not:
- Be employed by Elastic or any subsidiary;
- Be a former employee or contractor (including an outsourced penetration tester) of Elastic or any subsidiary who left the company less than 6 months ago.
## Safe Harbor
Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
Thank you for helping keep Elastic and our users safe!