We are currently running an invite-only bug-bounty program at HackerOne. If you would like to be invited, we kindly ask you to submit one high-severity issue (as we define it, see below) that is in scope for our program and comes with a working POC. If you have such an issue, please contact us via email.
High Severity Issues
- SQL Injection (SQLi)
- Code or OS Command Injection
- Authentication bypass without user interaction
- Remote Code Execution (RCE)
- Access that leads to patient, research, or financial data, such as misconfigured GitHub repositories, cloud buckets, mobile apps, etc.
Out of Scope Issues
- Cross-Site Request Forgery (CSRF)
- Reflected XSS
- Gaining read-access to already accessible data
- Anything requiring user interaction
- Missing headers, cookie flags, outdated SSL/TLS protocols/ciphers
- Adobe Experience Manager (AEM) findings produced by aem_scanner.py, except RCEs with a POC
- Denial of Service (DoS) or any form of resource exhaustion
- Open Redirect
- Web cache poisoning
- Social media account takeover and Subdomain Takeover/Hijack
- Aura Salesforce issues on non-production sites, such as sandbox, dev, qa, sit, test, etc.
Out of Scope Domains, Properties, and Platforms
- Chugai Pharmaceuticals websites, mobile apps, etc.
- Roche-produced hardware (Cobas, AccuChek, CoaguChek)
- Roche-produced software not deployed in Roche IP space (e.g. Ventana Virtuoso)
Safe Harbor
The Gold Standard Safe Harbor applies.