NetScaler Public Program
Introduction
Cloud Software Group looks forward to working with the security community to find vulnerabilities and keep our businesses and customers safe.
Program highlights
Top Response Efficiency — This program's response efficiency is above 90%.
Collaboration Enabled — Includes Retesting
Average time to bounty: 1 week, 5 days
Average time from submission to bounty: 1 week, 5 days
Rewards
Rewards are based on severity per CVSS (the Common Vulnerability Scoring System). Please note that these are general guidelines and that reward decisions are at the discretion of CSG.
| Severity | Reward |
|---|---|
| Low | $300 |
| Medium | $600 |
| High | $4,000 |
| Critical | $10,000 |
Scope Exclusions
Core Ineligible Findings are out of scope.
Platform Standards Deviations:
- Third Party Component Vulnerabilities and Misconfigurations are out of scope.
- Third-party components: for programs consuming the component, Third Party Component Vulnerabilities are out of scope.
Disclosure Policy
Follow HackerOne's disclosure guidelines.
Program Rules
- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
- Submit one vulnerability per report unless you need to chain vulnerabilities to provide impact.
- When duplicates occur, we only award the first report received (provided it can be fully reproduced).
- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
- Social engineering (e.g., phishing, vishing, smishing) is prohibited.
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.
- Ask the program team before submitting vulnerabilities on unscoped subdomains.
- Only interact with accounts you own or with the explicit permission of the account holder.
Test Plan
- Users can sign up for a free account through our website
- Please use your hacker email alias when testing
- Claim credentials (when applicable) for additional testing
Session Layer: HTTP Headers
Researchers should add identifying headers to their requests, such as:
- "X-HackerOne-Research: [H1 username]"
Thank you for helping keep CSG and our users safe!