HARMAN International - Web Applications
Bounty Range
$100 - $4,000
external program
Keeping user information safe and secure is a top priority and a core company value for us at Harman ("We", "Us" or "Harman").
We welcome the contribution of external security researchers and look forward to awarding them for their invaluable contribution to the security of all Harman customers.
In addition to the YesWeHack General Terms of Use for "Hunter" and any other applicable YesWeHack terms and conditions, these Bug Bounty Program Terms and Conditions ("Program Terms") govern the participation of any Hunter ("You", or "Hunter") in the Harman Bug Bounty Program.
In the event of a conflict between these Program Terms and any other agreement or terms, these Program Terms shall control.
Please adhere to the following rules while performing research on this program:

- Denial of service (DoS) attacks on Harman International applications, servers, networks or infrastructure are strictly forbidden.
- Avoid tests that could cause degradation or interruption of our services.
- Do not use automated scanners or tools that generate large amounts of network traffic.
- Do not leak, copy, manipulate, or destroy any user data or files in any of our applications/servers.
- No vulnerability disclosure, full, partial or otherwise, is allowed.
- Make sure to apply the hunting requirements policy (User-Agent, VPN...).
- Note that safe harbor protections only apply to reports submitted via our bug bounty program.
We are happy to thank everyone who submits valid reports which help us improve the security of Harman International; however, only those that meet the following eligibility requirements may receive a monetary reward:

- You must be the first reporter of a vulnerability.
- The vulnerability must be a qualifying vulnerability.
- The report must contain the following elements:
  - A clear textual description of the vulnerability, how it can be exploited, the security impact it has on the application, its users and Harman International, and remediation advice on fixing the vulnerability.
  - Proof of exploitation: screenshots demonstrating that the exploit was performed and showing the final impact.
  - Complete steps with the necessary information to reproduce the exploit, including (if necessary) code snippets, payloads, commands, etc.
- You must not break any of the testing policy rules listed above.
- You must not be a former or current employee of Harman International or one of its contractors.
Please note that if you detect a systemic issue (for example, an XSS affecting different parameters on the same vulnerable page), only the first two reports on the subject will be eligible for a reward in the context of this program.
Reward amounts are based on:

- The reward grid of the report's scope
- CVSS scoring and the actual business impact of the vulnerability, as determined by risk analysis
We consider activities conducted in a manner consistent with these Program Terms to constitute "authorized" conduct under the United States Computer Fraud and Abuse Act, United States Digital Millennium Copyright Act, and any similar laws or regulations in other jurisdictions.
We will not pursue civil action or otherwise initiate a complaint or claim against you for circumventing the technological measures we have used to protect the applications in scope, so long as your activities are conducted in a manner consistent with these Program Terms.
We consider any activities conducted in a manner inconsistent with these Program Terms to be "unauthorized" conduct under the United States Computer Fraud and Abuse Act, and any similar laws or regulations in other jurisdictions. We reserve the right to take legal action against you for any such unauthorized conduct.
If your report addresses a vulnerability of a Harman business partner, Harman reserves the right to share your submission in its entirety, including your identity, with the business partner to help facilitate testing and resolution of the reported vulnerability. If legal action is initiated by a third party against you and you have complied with Harman's Program Terms, Harman will take steps to make it known that your actions were conducted in compliance with these Program Terms.
If at any time you have concerns or are uncertain whether your security research is consistent with these Program Terms, or believe that these Program Terms do not address your security research, please inquire via www.yeswehack.com/contact/hunter-form before going any further.
These Program Terms shall be subject to the internal laws of the State of New York, USA and are binding upon the parties hereto in the United States and worldwide. You and Harman agree that any claims between You and Harman, including claims against you for unauthorized conduct, shall be subject to the jurisdiction of the courts in New York City, New York.
You are responsible for paying any taxes associated with rewards. We may modify these Program Terms or terminate this program at any time. We won't apply any changes we make to these Program Terms retroactively.

| Asset Value | CVSS Low | CVSS Medium | CVSS High | CVSS Critical |
|---|---|---|---|---|
| Critical | $200 | $500 | $2,000 | $4,000 |
| High | $150 | $400 | $1,500 | $2,500 |
| Medium | $100 | $300 | $1,000 | $2,000 |
| Low | $100 | $200 | $800 | $1,500 |

| Scope | Type | Asset Value |
|---|---|---|
| *.jbl.com | Web application | Critical |
| https://www.bowerswilkins.com | Web application | Critical |
| https://www.denon.com | Web application | Critical |
| https://www.marantz.com | Web application | High |
| *.harmanaudio.com | Web application | High |
| *.harmankardon.com | Web application | High |
| https://www.polkaudio.com | Web application | High |
| *.support.jbl.com | Web application | Medium |
| https://www.definitivetechnology.com | Web application | Medium |
| *.jbl.nl | Web application | Low |
| https://www.classeaudio.com | Web application | Low |
| *.jbl.ru | Web application | Low |
| *.uk.jbl.com | Web application | Low |
| *.uk.harmanaudio.com | Web application | Low |
| *.de.jbl.com | Web application | Low |
| *.in.jbl.com | Web application | Low |
| *.jbl.com.br | Web application | Low |
| https://www.bostonacoustics.com | Web application | Low |
| *.roonlabs.com | Web application | Low |
| *.roonlabs.net | Web application | Low |
| *.roonessentials.com | Web application | Low |
| *.roonessentials.net | Web application | Low |
| *.roondrops.com | Web application | Low |
| *.account.roon.app | Web application | Low |
| *.roon.app | Web application | Low |
| *.gotdrops.com | Web application | Low |
| *.gotdrops.cloud | Web application | Low |
In the context of this program, we do not intend to encourage, accept or reward reports of leaks that are not applicable to our program's scope and policy.

| Type of Leak | Source in-scope | Source belongs to Organization but out-of-scope | Source does not belong to Organization and is out-of-scope |
|---|---|---|---|
| Impact is in-scope (e.g. valid credentials on an in-scope asset) | Eligible | Eligible | Not eligible |
| Impact is out-of-scope (e.g. valid credentials for an out-of-scope asset) | Eligible | Not eligible | Not eligible |

You can self-register wherever possible.
We have a limit of 40 characters for email addresses.
Please use your YesWeHack email aliases or, if your aliases are too long, a regular email address containing the keyword "bugbounty" or your hunter username.
Please append the following value to your User-Agent header: 'BugBounty-Harman'
When submitting a new report, you can add up to 5 collaborators and define the reward split ratio.