Details

About Netlify

Netlify is the fastest way to combine your favorite tools and APIs to build the fastest sites, stores, and apps for the web.

Attack surface

Netlify provides a UI (app.netlify.com), an API (api.netlify.com), a build system triggered by pushes to customer Git repos, a CDN for hosted static and dynamic content, and a host of related features (environment variables, third-party API federation with GraphQL, third-party build integrations, DNS management, analytics, log drains, site auth, forms, etc).

Endpoint map

Use this map to get a sense for how things interconnect: https://hackerone-endpoint-map.netlify.app/endpoint-map.png. Note that the Program Scope is broader than what's shown in this map, and that this map lists specific subdomains that you may find of interest.

Response Targets

Netlify will make a best effort to meet the following response targets for hackers participating in our program:

Time to first response (from report submit) - 5 business days
Time to triage (from report submit) - 10 business days
Time to bounty (from triage) - 5 business days

We will do our best to keep you informed about our progress throughout the process. Please refrain from contacting Netlify's team out of band and allow us to review your submissions according to the timelines above.

Program Rules

Please provide detailed reports with reproducible steps.
Submit one vulnerability per-report, unless you need to chain vulnerabilities to provide impact.
Social engineering (e.g. phishing, vishing, smishing) is prohibited.
Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder. Please promptly report any retrieval of customer PII or PHI data.
Bounty payouts require that 1) you are the first person to file a report for a particular vulnerability, 2) the vulnerability is confirmed to be a valid security issue, and 3) you have complied with Netlify’s program guidelines.

Testing Scope

You may test only against Netlify account(s) for which you are the account owner.
You must create an account with your HackerOne email alias to be eligible for bounty.

All researchers on HackerOne have an email alias in the format [email protected], which automatically forwards to your real email address.

If you would like to create additional test accounts, add a plus (“+”) sign and any combination of words or numbers after your username. For example: [email protected]. This enables you to test different attack vectors / account levels without targeting other users or creating multiple HackerOne profiles.

#Out of Scope Vulnerabilities When reporting vulnerabilities, please consider (1) attack scenario/exploitability, and (2) the security impact of the bug. The following issues are considered out of scope:

Any attacks targeted at a customer account for which you are not the owner of and have not received permission to test are expressly forbidden.
Websites utilizing Netlify are considered out of scope.
Opening Pull Requests against our public GitHub repositories.
Clickjacking on pages with no sensitive actions.
Unauthenticated/logout/login CSRF.
Attacks requiring MITM or physical access to a user's device.
Previously known vulnerable libraries without a working Proof of Concept.
Comma Separated Values (CSV) injection without demonstrating a vulnerability.
Missing best practices in SSL/TLS configuration.
Any activity that could lead to the disruption of our service (DoS), including but not limited to, domain/subdomain hijacking.
Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.
Missing rate limiting on password reset endpoint.
Missing forced login after password reset.
Avatar file upload (do not report unless you are very sure you can concretely demonstrate impact and have verified the impact end-to-end after reading the program scope - e.g. for XSS, malicious content would need to be successfully served by visiting app.netlify.com or api.netlify.com).
Reverse shells and general remote-code-execution in your site builds. Exceptions here are escalating privilege to root, obtaining sensitive secrets not already accessible to your user, escape from the container, and access to the orchestration control plane.

Disclosure Policy

Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the Netlify organization.
Follow HackerOne's disclosure guidelines.

Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

Thank you for helping keep Netlify and our users safe!

Attack surface

Response Targets

Netlify will make a best effort to meet the following response targets for hackers participating in our program:

Time to first response (from report submit) - 5 business days

Time to triage (from report submit) - 10 business days

Time to bounty (from triage) - 5 business days

Program Rules

Please provide detailed reports with reproducible steps.

Submit one vulnerability per-report, unless you need to chain vulnerabilities to provide impact.

Social engineering (e.g. phishing, vishing, smishing) is prohibited.

Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder. Please promptly report any retrieval of customer PII or PHI data.

Bounty payouts require that 1) you are the first person to file a report for a particular vulnerability, 2) the vulnerability is confirmed to be a valid security issue, and 3) you have complied with Netlify’s program guidelines.

Testing Scope

You may test only against Netlify account(s) for which you are the account owner.

You must create an account with your HackerOne email alias to be eligible for bounty.

All researchers on HackerOne have an email alias in the format [email protected], which automatically forwards to your real email address.

Any attacks targeted at a customer account for which you are not the owner of and have not received permission to test are expressly forbidden.

Websites utilizing Netlify are considered out of scope.

Opening Pull Requests against our public GitHub repositories.

Clickjacking on pages with no sensitive actions.

Unauthenticated/logout/login CSRF.

Attacks requiring MITM or physical access to a user's device.

Previously known vulnerable libraries without a working Proof of Concept.

Comma Separated Values (CSV) injection without demonstrating a vulnerability.

Missing best practices in SSL/TLS configuration.

Any activity that could lead to the disruption of our service (DoS), including but not limited to, domain/subdomain hijacking.

Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.

Missing rate limiting on password reset endpoint.

Missing forced login after password reset.

Avatar file upload (do not report unless you are very sure you can concretely demonstrate impact and have verified the impact end-to-end after reading the program scope - e.g. for XSS, malicious content would need to be successfully served by visiting app.netlify.com or api.netlify.com).

Reverse shells and general remote-code-execution in your site builds. Exceptions here are escalating privilege to root, obtaining sensitive secrets not already accessible to your user, escape from the container, and access to the orchestration control plane.

Safe Harbor

Thank you for helping keep Netlify and our users safe!