Harman International Lifestyle Products & Services

Reward

BountyHall of fame

$100 Low $300 Medium $1,000 High $2,500 Critical $4,000

Program

Avg reward -

Max reward -

Scopes25

Supported languagesEnglishGermanHindi

Hacktivity

Reports179

1st response < 1 day

Reports last 24h-

Reports last week2

Reports this month2

Program description

Program activity

Harman International

Keeping user information safe and secure is a top priority and a core company value for us at Harman (“We”, “Us” or “Harman”).

We welcome the contribution of external security researchers and look forward to awarding them for their invaluable contribution to the security of all Harman customers.

In addition to the YesWeHack General Terms of Use for “Hunter” and any other applicable YesWeHack terms and conditions, these Bug Bounty Program Terms and Conditions (“Program Terms”) govern the participation of any Hunter (“You”, or “Hunter”) in the Harman Bug Bounty Program.

In the event of a conflict between these Program Terms and any other agreement or terms, these Program Terms shall control.

Program Rules

Testing Policy, Responsible Disclosure

Please adhere to the following rules while performing research on this program:

• Denial of service (DoS) attacks on Harman International applications, servers, networks or infrastructure are strictly forbidden.

• Avoid tests that could cause degradation or interruption of our services.

• Do not use automated scanners or tools that generate large amount of network traffic

• Do not leak, copy, manipulate, or destroy any user data or files in any of our applications/servers.

• No vulnerability disclosure, full, partial or otherwise, is allowed.

• Make sure to apply hunting requirements policy (User-Agent, VPN...)

Note that safe harbor protections only apply to reports submitted via our bug bounty program

Reward Eligibility

We are happy to thank everyone who submits valid reports which help us improve the security of Harman International, however only those that meet the following eligibility requirements may receive a monetary reward:

• You must be the first reporter of a vulnerability.

• The vulnerability must be a qualifying vulnerability

• The report must contain the following elements:

• Clear textual description of the vulnerability, how it can be exploited, the security impact it has on the application, its users and Harman International, and remediation advice on fixing the vulnerability

• Proof of exploitation: screenshots demonstrating the exploit was performed, and showing the final impact

• Provide complete steps with the necessary information to reproduce the exploit, including (if necessary) code snippets, payloads, commands etc

• You must not break any of the testing policy rules listed above

• You must not be a former or current employee of Harman International or one of its contractors.

Reward amounts are based on:

• Reward grid of the report's scope

• CVSS scoring and actual business impact of the vulnerability upon performing risk analysis

COMPLIANCE WITH THESE PROGRAM TERMS

We consider activities conducted in a manner consistent with these Program Terms to constitute “authorized” conduct under the United States Computer Fraud and Abuse Act, United States Digital Millennium Copyright Act, and any similar laws or regulations in other jurisdictions.

We will not pursue civil action or otherwise initiate a complaint or claim against you for circumventing the technological measures we have used to protect the applications in scope, so long as your activities are conducted in a manner consistent with these Program Terms.

We consider any activities conducted in a manner inconsistent with these Program Terms to be “unauthorized” conduct under the United States Computer Fraud and Abuse Act, and any similar laws or regulations in other jurisdictions. We reserve the right to take legal action against you for any such unauthorized conduct.

If your report addresses a vulnerability of a Harman business partner, Harman reserves the right to share your submission in its entirety, including your identity, with the business partner to help facilitate testing and resolution of the reported vulnerability. If legal action is initiated by a third party against you and you have complied with Harman’s Program Terms, Harman will take steps to make it known that your actions were conducted in compliance with these Program Terms.

If at any time you have concerns or are uncertain whether your security research is consistent with these Program Terms, or believe that these Program Terms do not address you security research, please inquire via www.yeswehack.com/contact/hunter-form before going any further.

GOVERNING LAW AND DISPUTE RESOLUTION

These Program Terms shall be subject to the internal laws of the State of New York, USA and are binding upon the parties hereto in the United States and worldwide. You and Harman agree that any claims between You and Harman, including claims against you for unauthorized conduct shall be subject shall be subject to the jurisdiction of courts in the city of New York City, New York.

THE FINE PRINT

You are responsible for paying any taxes associated with rewards. We may modify these Program Terms or terminate this program at any time. We won’t apply any changes we make to these Program Terms retroactively.

Reward

Asset value | CVSS Low | CVSS Medium | CVSS High | CVSS Critical | Critical | $300 | $1,000 | $2,500 | $4,000 | High | $200 | $600 | $1,500 | $2,500 | Medium | $100 | $300 | $1,000 | $2,000 |

Systemic issues

1st report100% 2nd report100% 3rd report0% 4th report0% 5th report0% 6th+ report0%

In the context of this program, we do not intend to encourage, accept or reward reports of leaks that are not applicable to our program’s scope and policy. To summarize our policy, you may refer to the below table:

More info

Scopes

Scope | Type | Asset value | Expand rewards grid | Device: JBL Bar 500MK2 | Other | High | | Low $200

Medium $600

High $1,500

Critical $2,500

| Device: JBL Bar 700MK2 | Other | High | | Low $200

Medium $600

High $1,500

Critical $2,500

| Device: JBL Bar 800MK2 | Other | High | | Low $200

Medium $600

High $1,500

Critical $2,500

| https://events.onecloud.harman.com | API | High | | Low $200

Medium $600

High $1,500

Critical $2,500

| https://ota.onecloud.harman.com | API | High | | Low $200

Medium $600

High $1,500

Critical $2,500

| https://apis.onecloud.harman.com | API | High | | Low $200

Medium $600

High $1,500

Critical $2,500

| https://edgeapis.onecloud.harman.com | API | Medium | | Low $100

Medium $300

High $1,000

Critical $2,000

| Device: JBL PartyBox Encore 2 | Other | Critical | | Low $300

Medium $1,000

High $2,500

Critical $4,000

| Device: JBL Live Beam 3 | Other | Critical | | Low $300

Medium $1,000

High $2,500

Critical $4,000

| Device: JBL Flip 7 | Other | Critical | | Low $300

Medium $1,000

High $2,500

Critical $4,000

| Device: JBL Tour One M3 | Other | Critical | | Low $300

Medium $1,000

High $2,500

Critical $4,000

| Device: JBL Charge 5 | Other | Critical | | Low $300

Medium $1,000

High $2,500

Critical $4,000

| Device: JBL Bar 300MK2 | Other | High | | Low $200

Medium $600

High $1,500

Critical $2,500

| Device: JBL Bar 1000MK2 | Other | High | | Low $200

Medium $600

High $1,500

Critical $2,500

| Device: JBL Bar 1300MK2 | Other | Critical | | Low $300

Medium $1,000

High $2,500

Critical $4,000

| Device: JBL Authentics 200 | Other | Medium | | Low $100

Medium $300

High $1,000

Critical $2,000

| Device: JBL Authentics 300 | Other | Medium | | Low $100

Medium $300

High $1,000

Critical $2,000

| Device: JBL Authentics 500 | Other | Medium | | Low $100

Medium $300

High $1,000

Critical $2,000

| Device: JBL Boombox 3 Wi-Fi | Other | Medium | | Low $100

Medium $300

High $1,000

Critical $2,000

| Device: JBL Charge 5 Wi-Fi | Other | Medium | | Low $100

Medium $300

High $1,000

Critical $2,000

| https://apps.apple.com/fr/app/jbl-one/id1610239857 | Mobile application IOS | Critical | | Low $300

Medium $1,000

High $2,500

Critical $4,000

| https://play.google.com/store/apps/details?id=com.jbl.oneapp&hl=fr&gl=US | Mobile application Android | Critical | | Low $300

Medium $1,000

High $2,500

Critical $4,000

| https://tms.onecloud.harman.com | API | Critical | | Low $300

Medium $1,000

High $2,500

Critical $4,000

| https://quantum-events.onecloud.harman.com | API | Medium | | Low $100

Medium $300

High $1,000

Critical $2,000

| https://bluetooth-events.onecloud.harman.com | API | Medium | | Low $100

Medium $300

High $1,000

Critical $2,000

|

Out of scopes

• All domains or subdomains not listed in the above list of 'Scopes'
• Mobile app versions that are not currently in app stores.

Vulnerability types

Qualifying vulnerabilities

• SQL Injection (SQLi)
• Cross-Site Scripting (XSS)
• Remote Code Execution (RCE)
• Insecure Direct Object Reference (IDOR)
• Horizontal and vertical privilege escalation
• Authentication bypass & broken authentication
• Business Logic Errors vulnerability with real security impact
• Local files access and manipulation (LFI, RFI, XXE, SSRF, XSPA)
• Cross-Origin Resource Sharing (CORS) with real security impact
• Cross-site Request Forgery (CSRF) with real security impact
• Open Redirect
• Bluetooth vulnerabilities
• Exposed secrets, credentials or sensitive information on an asset under our control and affecting at least one of our scopes

Non-qualifying vulnerabilities

• Broken Link/Social media Hijacking
• Tabnabbing
• Missing cookie flags
• Content/Text injections
• Clickjacking/UI redressing
• Denial of Service (DoS) attacks
• Recently disclosed CVEs (less than 30 days sinces patch release)
• CVEs without exploitable vulnerabilities and PoC
• Open ports or services without exploitable vulnerabilities and PoC
• Social engineering of staff or contractors
• Presence of autocomplete attribute on web forms
• Vulnerabilities affecting outdated browsers or platforms
• Self-XSS or XSS that cannot be used to impact other users
• Any hypothetical flaw or best practices without exploitable vulnerabilities and PoC
• SSL/TLS issues (e.g. expired certificates, best practices)
• Unexploitable vulnerabilities (e.g. Self-XSS, XSS or Open Redirect through HTTP headers...)
• Reports with attack scenarios requiring MITM or physical access to victim's device
• Missing security-related HTTP headers which do not lead directly to an exploitable vulnerability and PoC
• Low severity Cross-Site Request Forgery (CSRF) (e.g. Unauthenticated / Logout / Login / Products cart updates...)
• Invalid or missing email security records (e.g. SPF, DKIM, DMARC)
• Session management issues (e.g. lack of expiration, no logout on password change, concurrent sessions)
• Disclosure of information without exploitable vulnerabilities and PoC (e.g. stack traces, path disclosure, directory listings, software versions, IP disclosure, 3rd party secrets, EXIF Metadata, Origin IP)
• CSV injection
• Malicious file upload (e.g. EICAR files, .EXE)
• HTTP Strict Transport Security Header (HSTS)
• Subdomain takeover without a full exploitable vulnerability and PoC or not applicable to the scope
• Blind SSRF without exploitable vulnerabilities and PoC (e.g. DNS & HTTP pingback, Wordpress XMLRPC)
• Lack or bypass of rate-limiting, brute-forcing or captcha issues
• User enumeration (e.g. email, alias, GUID, phone number, common CMS endpoints)
• Weak password policies (e.g. length, complexity, reuse)
• Ability to spam users (email / SMS / direct messages flooding)
• Disclosed or misconfigured public API keys (e.g. Google Maps, Firebase, analytics tools...)
• Password reset token sent via HTTP referer to external services (e.g. analytics / ads platforms)
• Stolen secrets, credentials or information gathered from a third-party asset that we have no control over
• Exposed secrets, credentials or information on an asset under our control that are not applicable to the program’s scope
• Pre-account takeover (e.g. account creation via oAuth)
• GraphQL Introspection is enabled
• Outdated libraries without demonstrated exploitability
• Rooted/jailbroken device-only attacks
• Attacks that require root

Reports of leaks and exposed credentials

In the context of this program, we do not intend to encourage, accept or reward reports of leaks that are not applicable to our program’s scope and policy. To summarize our policy, you may refer to the below table:

More info

Type of leak Source of leak is in-scope Source of leak belongs to the Organization and is out-of-scope Source of leak does not belong to the Organization and is out-of-scope

Impact is in-scope (e.g. valid credentials on an in-scope asset) Eligible Eligible Not eligible

Impact is out-of-scope (e.g. valid credentials for an out-of-scope asset) Eligible Not eligible Not eligible

Hunting requirements

Account access

Self-register

Harman International Scopes

• You can self-register wherever possible.

• We have a limit of 40 characters for email addresses.

• Please use your YesWeHack email aliases which are [https://yeswehack.com/user/my-yeswehack/email-alias](available here) for account creation, or if your aliases are too long, a regular email address containing the keyword "bugbounty" or your hunter username.

User agent

Please append to your user-agent header the following value: ' BugBounty-Harman '.

Hunters collaboration

When submitting new report, you can add up to 5 collaborators, and define the reward split ratio.

For more information, see [https://helpcenter.yeswehack.io/hunter/hunter-collaboration](help center). Note: For reports that have already been rewarded, it is not possible to redistribute the rewards.

To submit a vulnerability report, you need to login with your hunter account. /programs/harman-international-public-bug-bounty/create-report