#About Fastly Fastly helps people stay connected with the things they love. Fastly’s edge cloud platform enables customers to create great digital experiences quickly, securely, and reliably by processing, serving, and securing our customers’ applications as close to their end-users as possible — at the edge of the Internet. The platform is designed to take advantage of the modern internet, to be programmable, and to support agile software development. Fastly’s customers include many of the world’s most prominent companies, including Vimeo, Pinterest, The New York Times, and GitHub. We're building a more trustworthy Internet. Fastly looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.

We're building a more trustworthy Internet.

Fastly looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.

Fastly Vulnerability Disclosure Program Terms

Your participation in the Fastly Vulnerability Disclosure Program is voluntary. By submitting a report or otherwise disclosing a vulnerability to us (a “Submission”), you are indicating that you have read and agree to follow the rules set forth on this page (“Program Terms”).

Ground Rules

During security research, user privacy must be maintained and respected. Testing should be performed only on assets explicitly stated as in-scope for the vulnerability disclosure program. Testing must be performed in accordance with the Program Terms and Fastly’s Terms of Service. Testing should not degrade, damage, or destroy our systems - research which includes actions that result in denial of service is strictly prohibited. If a vulnerability is found, report it without any conditions attached. Any vulnerabilities found that are disclosed for purposes other than for fixing the issue will not qualify for a reward. Only interact with accounts you own or with explicit permission of the account holder. Fastly reserves the right to end the vulnerability disclosure program at any time.

• By participating in this program, you agree not to share publicly or privately any details or descriptions of your findings with any third party. As this is a private program, do not discuss this program, a Submission, or any vulnerabilities (even resolved ones) outside of the program without express consent from Fastly.

Response Targets

Fastly will make a best effort to meet the following SLAs for security researchers participating in our program:

The following issues are what the Fastly team is most interested in seeing:

• Server Side Request Forgery (SSRF)
• Remote Code Execution (RCE)
• Ability to modify other customer accounts
• Ability to obtain sensitive information
• Stored Cross-Site Scripting (XSS) resulting in ability to obtain or modify customer data
• Reflected XSS resulting in ability to obtain or modify customer data

The following activities are prohibited:

• Denial of service or similar attacks which could cause system unavailability
• Social Engineering (including phishing attacks against Fastly employees)

The following issues are out of scope:

• Clickjacking on pages with no sensitive actions.
• Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions.
• Attacks requiring MITM or physical access to a user's device.
• Previously known vulnerable libraries without a working Proof of Concept.
• Comma Separated Values (CSV) injection without demonstrating a vulnerability.
• Missing best practices in SSL/TLS configuration.
• Any activity that could lead to the disruption of our service (DoS).
• Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.
• Rate limiting or bruteforce issues on non-authentication endpoints.
• Missing best practices in Content Security Policy.
• Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.).
• Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version].
• Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).

Submissions and Report Quality

Before beginning your report, ensure that the issue is in scope for this program and shows security impact.

Notes:

• We will not accept video-only proof of concepts.
• We will not accept reports containing only automated scan reports, such as BurpSuite output and nmap scan reports.
• Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
• When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).
• Multiple vulnerabilities caused by one underlying issue will be accepted as one issue.

Only vulnerabilities that are verifiable and reproducible are considered in-scope. Reports should have the following qualities:

• A clear description of the attack scenario.
• A clear description of the vulnerability.
• A clear description of the steps to be able to reproduce the issue, and if it improves clarity of the report, include screenshots.
• A clear description and detail about your understanding of the security impact of the issue.
• Minimized test case.
• Demonstrate that the exploit is likely
• Report should be brief and well written with only necessary detail and commentary.
• Be responsive to questions from the engineers working to fix the bug.
• If available, adding a suggested patch will increase the clarity of the report.

Vulnerability Reports should avoid:

• Only a crash dump or stack trace without symbols
• Not having a Proof of Concept (PoC) or poor quality PoC (e.g. a large fuzz file dump with no attempt at reduction) that is later verified to be a legitimate issue.
• SSL/TLS scan reports, including output from sites like SSL Labs

Confidentiality

Any information you receive or collect about us, our services, our customers, our affiliates or any of our users, employees or agents in connection with the Vulnerability Disclosure Program (“Confidential Information”) must be kept confidential and only used in connection with the Vulnerability Disclosure Program. You may not use, disclose or distribute any such Confidential Information, including without limitation any information regarding your Submission, without our prior written consent. You must get written consent by submitting a disclosure request through the HackerOne platform. Please note, not all requests for public disclosure can be approved.

Rights and Licenses

We may modify the Program Terms or cancel the Vulnerability Disclosure Program at any time in our sole discretion. By making a Submission, you represent and warrant that the Submission is original to you and you have the right to submit the Submission. By making a Submission, you give us the right to use your Submission and any materials submitted with your Submission for any purpose.

Safe Harbor

Fastly will not pursue legal action against any security researcher who complies with all of the Program Terms, and who also cooperates fully with Fastly's reasonable requests for assistance in reproducing a vulnerability.