# Vulnerability Disclosure Program
This is a Vulnerability Disclosure Program. If you need Intercontinental Exchange customer support, please visit Customer Support. If you need other Intercontinental Exchange information security resources, please visit our Privacy and Security Center.
Intercontinental Exchange looks forward to working with the security community to find vulnerabilities to keep our businesses and customers safe.
# Guidelines
- Must follow HackerOne’s Code of Conduct found here.
- Provide detailed reports with reproducible steps.
- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.
- Comply with applicable federal, state, local, and international laws in connection with your participation in this vulnerability disclosure program.
- We may modify the terms of this policy or terminate the policy at any time.
# By Submitting a Report:
- You agree that you are not located in or a resident of a country under United States sanctions, nor a person on, or working on behalf of a party identified on, any restricted party list maintained by the United States government.
- You agree not to disclose vulnerability details to anyone other than Intercontinental Exchange without Intercontinental Exchange’s written permission.
- You agree that any information that you may encounter, view, acquire, or access, is owned by Intercontinental Exchange or its customers, clients, or third-party providers. You have no rights, title, or ownership in any such information.
- You agree that your research will be conducted for testing and research purposes only, and that you will not attempt to gain access to customer or user accounts or confidential information and will only interact with accounts you own.
- You understand that nothing in this agreement, including submission of a report, shall be deemed to constitute the grant to you of any license or other right to or in respect of anyone other than Intercontinental Exchange or third-party product, service, patent, trademark, trade secret, or other intellectual property.
# Testing
- You’re welcome to create accounts where they are available, but we ask that you use your HackerOne alias when doing so. You can find instructions on how to find your alias here.
- We’re unable to provide account licenses or refund expenses incurred during testing.
# Prohibited
- Social engineering (e.g. phishing, vishing, smishing) is prohibited.
- Denial of service activities.
- Pivot attacks from access gained. We expect you to first request permission to perform a pivot via your original vulnerability report.
- Brute-forcing accounts.
# Out of scope vulnerabilities
When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:
- Attacks requiring MITM or physical access to a user's device.
- Previously known vulnerable libraries without a working Proof of Concept.
- Comma Separated Values (CSV) injection without demonstrating a vulnerability.
- Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.
# Safe Harbor
Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you for such conduct. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. Intercontinental Exchange is not liable to you for any special, consequential, incidental, indirect or punitive damages arising from or relating to any breach of this policy.
Thank you for helping keep Intercontinental Exchange and our users safe!