Maintaining the security of our applications and networks is a high priority for Navient Solutions LLC. If you have information related to security vulnerabilities of Navient products and services, please submit a report in accordance with the guidelines below.
- The vulnerabilities identified in HackerOne reports will be classified by the degree of risk and the impact they present to the host system, including the amount and type of data exposed, the privilege level obtained, and the proportion of systems or users affected.
- Do not attempt to pivot further into the network using a vulnerability you have found. The rules for Remote Code Execution (RCE), SQL Injection (SQLi), vulnerabilities that expose the file/folder structure, defacement and file uploads are listed below.
- Navient has a comprehensive vulnerability management program that includes receiving and acting on security notifications from third-party vendors. Published vulnerabilities in supported third-party and open source products (e.g., network infrastructure, operating systems, application servers) are not eligible for submission until 45 days after publication.
- Do not attempt to exploit service providers we use. Prohibited actions include, but are not limited to, brute-forcing login credentials of domain registrars, DNS hosting companies, email providers and others. Navient Solutions LLC does not authorize you to perform any action against a property, system, service or data that Navient does not own.
- If you encounter Personally Identifiable Information (PII), contact us through the HackerOne portal immediately. Do not proceed with access, and immediately purge any local copies, if applicable.
- Please limit any automated scanning to 60 requests per second. Aggressive testing that causes service degradation will be grounds for removal from the program.
Thank you for helping keep Navient Solutions LLC and our users safe!
Response Targets
Navient Solutions LLC will make a best effort to meet the following SLAs for hackers participating in our program:
| Type of Response | SLA in business days |
|---|---|
| First Response | 2 days |
| Time to Triage | 2 days |
| Time to Resolution | depends on severity and complexity |
We'll try to keep you informed about our progress throughout the process.
SCOPE
Please carefully review the scope section below. Many of our web properties may have "Navient" in the domain name but are hosted by third parties and, as such, are out of scope. In addition, an in-scope asset may link to or redirect away from our network range; the resulting external destinations are also NOT in scope for the program.
Scope determination criteria:
In addition to the applications that are explicitly listed as in or out of scope, only sites that resolve to the IP address ranges below should be considered in scope. Anything outside of these IP address ranges is out of scope (exceptions noted below).
167.104.0.0/16
207.250.125.0/28
Exceptions To IP Ranges Above (Assets below are in-scope and route through Akamai with a different IP range):
www.navient.com
www.dsparkingportal.com
www.dspayments.com
duncan.imageenforcement.com
www.pampayments.com
www.pamcollections.com
www.pamcollectionsin.com
sandiegoadmin.dsmyportal.com
sandiego.dsmyportal.com
www.nystapayment.com
onlineserviceshub.com
www.msbpay.com
www.msbnexus.com
msbpay.com
msbnexus.com
temp.msbpay.com
temp.msbnexus.com
payments.msbpay.navient.com
admin.msbnexus.navient.com
www.navirefi.com
apply2.navirefi.com
myaccount.navirefi.com
wsmb2bresv.navient.com
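The scope rule above (in the listed IP ranges, or on the Akamai exception list, and not CNAMEd to another organization) is easy to get wrong by hand when a host has several A records. The following scope-triage helper is an added example, not part of Navient's policy or tooling: it encodes the published ranges and exception hosts verbatim, but the NAVIENT_APEX list used to judge CNAME targets is an assumption of this example, and the DNS answers it runs over are constructed placeholders (TEST-NET addresses and .example names) rather than real resolution results.

```python
"""Scope triage helper for the Navient program rules above (added example).

A host is treated as in scope only when it (a) is on the explicit Akamai
exception list, or (b) resolves exclusively into the listed IP ranges.
A CNAME pointing at another organization is the page's own indicator of a
third-party host, so it is flagged out of scope before the IP check.
"""
import ipaddress
from typing import Iterable, Optional, Tuple

# IP ranges and exception hosts as listed on the program page.
IN_SCOPE_RANGES = [
    ipaddress.ip_network("167.104.0.0/16"),
    ipaddress.ip_network("207.250.125.0/28"),
]

AKAMAI_EXCEPTIONS = {
    "www.navient.com", "www.dsparkingportal.com", "www.dspayments.com",
    "duncan.imageenforcement.com", "www.pampayments.com",
    "www.pamcollections.com", "www.pamcollectionsin.com",
    "sandiegoadmin.dsmyportal.com", "sandiego.dsmyportal.com",
    "www.nystapayment.com", "onlineserviceshub.com", "www.msbpay.com",
    "www.msbnexus.com", "msbpay.com", "msbnexus.com", "temp.msbpay.com",
    "temp.msbnexus.com", "payments.msbpay.navient.com",
    "admin.msbnexus.navient.com", "www.navirefi.com", "apply2.navirefi.com",
    "myaccount.navirefi.com", "wsmb2bresv.navient.com",
}

# Assumption for this example: a CNAME target under one of these apex
# domains is treated as Navient-operated; anything else counts as the
# "CNAME to another organization" indicator described in the policy.
NAVIENT_APEX = ("navient.com",)


def in_ranges(ip: str) -> bool:
    """True if the address falls inside one of the listed CIDR ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in IN_SCOPE_RANGES)


def _under_navient(name: str) -> bool:
    return any(name == apex or name.endswith("." + apex) for apex in NAVIENT_APEX)


def classify(host: str, a_records: Iterable[str],
             cname: Optional[str] = None) -> Tuple[str, str]:
    """Return (verdict, reason) for a host given its resolved records."""
    host = host.lower().rstrip(".")
    if host in AKAMAI_EXCEPTIONS:
        return "in-scope", "listed Akamai exception"
    if cname:
        target = cname.lower().rstrip(".")
        if not _under_navient(target):
            return "out-of-scope", "CNAME to third party: " + target
    ips = list(a_records)
    if not ips:
        return "unresolved", "no A records; ask before testing"
    hits = [in_ranges(ip) for ip in ips]
    if all(hits):
        return "in-scope", "resolves into listed ranges"
    if any(hits):
        return "ambiguous", "mixed addresses; ask before testing"
    return "out-of-scope", "resolves outside listed ranges"


# Constructed DNS answers for offline demonstration; not real resolution
# results. Hostnames under .example and TEST-NET addresses are placeholders.
SAMPLE_DNS = {
    "www.navient.com": (["192.0.2.10"], "edge.example-cdn.net"),
    "in-range.example": (["167.104.12.34"], None),
    "outside.example": (["203.0.113.7"], None),
    "tenant.example": (["198.51.100.9"], "tenant.third-party.example"),
    "mixed.example": (["207.250.125.3", "203.0.113.8"], None),
    "dangling.example": ([], None),
}


def check_all(dns=SAMPLE_DNS):
    """Classify every host in a {host: (a_records, cname)} mapping."""
    return {h: classify(h, a, c) for h, (a, c) in dns.items()}


if __name__ == "__main__":
    for host, (verdict, reason) in check_all().items():
        print(f"{host:24} {verdict:13} {reason}")
```

The exception list is checked first on purpose: the listed Akamai-fronted hosts resolve to CDN addresses outside the published ranges, so an IP-only check would wrongly exclude them. A host that mixes in-range and out-of-range addresses, or that has no A record at all, is deliberately not marked in scope; per the policy, ask before testing. The helper does not follow redirects, and the program's explicit out-of-scope statements always take precedence over its verdict.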
Public Disclosure Policy
- Navient Solutions LLC will not be publicly disclosing reports at this time. If and when Navient Solutions LLC does disclose a report, it will be mutually agreed upon with the hacker.
- Navient Solutions LLC reserves the right to deny any request for public disclosure. If a hacker publicly discloses without consent, they run the risk of a program ban.
- Follow HackerOne's disclosure guidelines.
Test Plan
-
Note that Navient will not be distributing login credentials for the vulnerability disclosure program. Please register/create a new account with the information below for any authenticated testing on the respective sites that are in scope.
-
There is a possibility that traffic generated by researchers can be categorized as malicious. Providing additional information allows us to identify your traffic.
This can be done by adding the following header to your request:
X-HackerOne-Research: "your username"
When creating a new account do the following:
- Use the prefix HackerOne as the first name.
- Use your @wearehackerone.com email alias.
- Use the placeholder Social Security number 999-99-9999.
Process
Please submit your report by clicking on the “Submit Report” button, your submission will be reviewed and validated by a member of the Navient Security team. Providing clear and concise steps to reproduce the issue will help to expedite the response. As a bare minimum, please include in your report:
- List any tools used and the steps to reproduce the issue.
- List the URL and any affected parameters
- Describe the browser, OS, and/or app version
- Describe the perceived impact. How could the bug potentially be exploited?
Program Rules
- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
- When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).
- Multiple vulnerabilities caused by one underlying issue should be one submission.
- Social engineering (e.g. phishing, vishing, smishing) is prohibited.
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.
- Only interact with accounts you own or with explicit permission of the account holder.
Out of scope vulnerabilities
When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug.
The following issues are considered out of scope:
- Sites not operated by Navient Solutions LLC. Navient Solutions LLC does not authorize testing against third-party websites. A major indicator for this is when a subdomain has a DNS CNAME record pointing to another organization. If you are unsure, please ask before testing.
- All vulnerabilities in Flash files
- Reports from automated tools or scans
- Reports affecting outdated browsers
- Denial of Service Attacks
- Issues without clearly identified security impact (such as clickjacking on a static website) or speculative theoretical exploitability.
- Missing security best practices and controls (rate-limiting/throttling, lack of CSRF protection, lack of security headers, missing flags on cookies, descriptive errors, server/technology disclosure - without clear and working exploit)
- Lack of crossdomain.xml, p3p.xml, robots.txt or any other policy files and/or wildcard presence/misconfigurations in these.
- Use of known-vulnerable libraries or frameworks, for example an outdated jQuery or AngularJS (without a clear and working exploit)
- Self-exploitation (cookie reuse, self cookie-bomb, self denial-of-service etc.)
- Self Cross-site Scripting vulnerabilities without evidence on how the vulnerability can be used to attack another user
- Lack of HTTPS
- Reports about insecure SSL / TLS configuration
- Password complexity requirements, account/email enumeration, or any report that discusses how you can learn whether a given username or email address has a Navient-related account
- Presence/Lack of autocomplete attribute on web forms/password managers.
- Server Banner Disclosure/Technology used Disclosure
- Full Path Disclosure
- IP Address Disclosure
- CSRF on logout or insignificant functionalities
- Publicly accessible login panels
- Clickjacking
- CSS Injection attacks. (Unless it gives you ability to read anti-CSRF tokens or other sensitive information)
- Tabnabbing
- Host Header Injection (Unless it gives you access to interim proxies)
- Cache Poisoning
- Reflective File Download
- Cross-Origin Resource Sharing (CORS) with Access-Control-Allow-Origin: * or reflection of an arbitrary Origin header, without a specific, valid attack scenario
- PRSSI - Path-relative stylesheet import vulnerabilities (without an impactful exploitation scenario, for example stealing CSRF tokens)
- OPTIONS/TRACE/DELETE/PUT/WEBDAV or any other HTTP methods accepted by the server, without a specific, valid attack scenario
- Cookies scoped to the parent domain, or otherwise improperly scoped (for example path misconfiguration)
- Private IP/Hostname disclosures or real IP disclosures for services using CDN
- Open ports which do not lead directly to a vulnerability
- Our policies on presence/absence of SPF / DKIM / DMARC records
- Lack of DNS CAA and DNS-related configurations
- Weak Certificate Hash Algorithm
- Social engineering of Navient employees or contractors
- Any physical/wireless attempt against Navient property or data centers
Remote Code Execution (RCE) Policy
Vulnerabilities which allow execution of code on the application server, or of shell commands on the server itself, must be tested in accordance with this policy.
Prohibited actions when conducting RCE attempts:
- Altering or uploading files on the web server. (Where file-upload functionality exists, uploading webshells is prohibited; instead upload a minimal probe such as an echo, info or other variable/info-based invocation.)
- Altering file permissions
- Reading sensitive files on the system (e.g /etc/shadow) and/or snooping through the file/folder structure (Same applies to XXE, LFI and Path Traversal, or any other vulnerability which allows you to read underlying file/folder structure)
- Altering/Modifying/Deleting any files on the system.
- Copying any files from the system and disclosing them to a non-Navient site or entity
- Interacting with underlying OS-level data and/or databases.
- Interacting with other services running on the OS-level and/or any remote hosts residing on the network.
- Interrupting the normal operation of the server.
- Any type of establishment for persistent connection mechanisms (netcat, ssh reverse tunnel, etc) are prohibited.
Allowed actions when conducting RCE attempts - Unix:
- Executing 'ifconfig', 'hostname', 'whoami', 'uptime', 'top' or any metrics commands
- Reading content of the '/etc/passwd' file
- Using 'echo' to pipe characters into a file located in the "/tmp/", reading the file and then removing it right after confirmation.
Allowed actions when conducting RCE attempts - Windows:
- Executing 'ipconfig', 'hostname', 'whoami' or any metrics commands
- Reading content of the 'drive:/boot.ini', 'drive:/install.ini' or 'drive:/Windows/System32/drivers/etc/networks'
- Using 'echo' to pipe characters into a file located in the drive:/temp, reading the file (type) and then removing it right after confirmation.
SQL Injection (SQLi) Policy
Vulnerabilities which allow injection of attacker-controlled parts of a SQL query must be tested in accordance with this policy.
Prohibited actions when conducting SQLi attempts:
- Reading sensitive files on the system (e.g /etc/shadow) and/or snooping through the file/folder structure (SELECT LOAD_FILE)
- Reading specific sensitive database records
- Creating/Altering/Modifying/Deleting any files/records on the system/database. This includes use of INTO OUTFILE
- Command Execution (xp_cmdshell, uploading .so or any action that leads to command execution)
- Creating/Deleting Users
- Reading/Altering Username and Password information (includes password hashes)
- Interrupting the normal operation of the server and the database.
Allowed actions when conducting SQLi attempts:
- Executing SELECT queries such as "@@version", "user();", "system_user();", "database();", "@@hostname"
- Listing database names from the schema, and listing column and table names
- Executing mathematical, conversion or logical queries, such as:
- ASCII value -> char (SELECT char(65); # returns A)
- Char -> ASCII value (SELECT ascii('A'); # returns 65)
- String concatenation (SELECT CONCAT('A','B','C'); # returns ABC)
- CASE statement (SELECT CASE WHEN (1=1) THEN 'A' ELSE 'B' END; # returns A)
- Hex literal (SELECT 0x414243; # returns ABC)
- Time delay (SELECT BENCHMARK(1000000,MD5('A')); SELECT SLEEP(5);)
- Using Logic and time in Server Response
- Using output responses
File-Upload Policy
Vulnerabilities which allow upload of files through any means (e.g. the HTTP PUT method, a file-upload feature or module, etc.) are subject to these rules.
Prohibited actions when conducting file-upload attempts:
- Altering/Modifying/Deleting/Replacing any files on the system (e.g. defacement)
- Uploading files into the account of a user that you do not own and have not been authorized by (this does not apply to system or web-server users such as www-data)
- Uploading files which deliberately introduce additional exploitation vectors (e.g. HTML containing cross-site scripting payloads)
- Uploading files which can cause Denial of Service (e.g. over-sized files or an unlimited number of files that exhaust the disk quota)
Allowed actions when conducting file-upload attempts:
- Chained exploitation vectors allowing you to escape the upload folder, e.g. via path traversal or path manipulation, provided they do not violate the prohibited actions in this File-Upload Policy.
- Upload of a file (any extension) with no content, or containing only a simple string, integer or special character.
Legal
- You must comply with all applicable Federal, State, and local laws in connection with your security research activities or other participation in this vulnerability disclosure program.
- You agree that You shall not, without the prior written consent of Navient Solutions LLC in each instance (i) use in advertising, publicity or otherwise the name of Navient Solutions LLC or its Affiliates or any trade name, trademark, trade device, service mark, symbol or any abbreviation, contraction or simulation thereof owned by Navient Solutions LLC or its Affiliates, or (ii) represent, directly or indirectly, any service or work provided by You as approved or endorsed by Navient Solutions LLC or its Affiliates.
- You agree that any and all information acquired or accessed by You as part of this exercise is confidential to Navient Solutions LLC and You shall hold the Confidential Information in strict confidence and shall not copy, reproduce, sell, assign, license, market, transfer or otherwise dispose of, give or disclose such information to third parties or use such information for any purposes other than for the performance of your work.
- Furthermore, you agree to remove all Navient Solutions LLC customer data from your device or devices when no longer necessary for associated testing activities.
- You acknowledge and agree that any and all information you encounter is owned by Navient Solutions LLC or its third party providers, clients or customers. You have no rights, title or ownership to any information that you may encounter.
- Navient Solutions LLC may modify the terms of this policy or terminate the policy at any time.
- By clicking Submit Report, you consent to Your Information being transferred to and stored in the United States and acknowledge that you have read and accepted the Terms, Privacy Policy and Disclosure Guidelines presented to you when you created your account.
- Please use your own account for testing or research purposes. Do not attempt to gain access to another user’s account or confidential information.
- Please do not test for spam, social engineering or denial of service issues. Your testing must not violate any law, or disrupt or compromise any data that is not your own.
- You will not attempt to access any more data than the minimum necessary to prove a vulnerability exists.
- You must comply with this policy and the policies of HackerOne with respect to ethical hacking against our applications.