F. Hoffmann-La Roche Ltd.

We are currently running an invite-only bug-bounty program at HackerOne. If you would like to be invited, we kindly ask you to submit one issue with high severity as we define it (see below) with a working POC that is in scope for our program. If you have such an issue, please contact us via email.

High Severity Issues

• SQL Injection (SQLi)
• Code or OS Command Injection
• Authentication bypass without user interaction
• Remote Code Execution (RCE)
• Access that leads to Patient, research, or financial data, such as misconfigured github, cloud buckets, mobile apps, etc.

Out of Scope Issues

• Client Side Request Forgery CSRF
• Reflected XSS
• Gaining read-access to already accessible data
• Anything requiring user interaction
• Missing headers, cookie flags, outdated SSL/TLS protocols/ciphers
• Adobe Experience Manager (AEM) findings produced by aem_scanner.py, except RCE's with a POC
• Denial of Service (DoS) or any form of resource exhaustion
• Open Redirect
• Web cache poisoning
• Social media account takeover and Subdomain Takeover/Hijack
• Aura Salesforce issues of non production sites, like sandbox, dev,qa, sit, test ..

Out of Scope Domains, Properties, and Platforms

• Chugai Pharmaceuticals websites, mobile apps, etc.
• Roche-produced hardware (Cobas, AccuChek, CoaguChek)
• Roche-produced software not deployed in Roche IP space (e.g. Ventana Virtuoso)

Safe Harbor

The Gold Standard Safe Harbor applies.