Recorded Future Bug Bounty Program

Welcome to the Recorded Future Bug Bounty program! No technology is perfect, and Recorded Future believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. We are excited for you to participate as a security researcher to help us identify vulnerabilities in our assets. Good luck and happy hunting!

Ratings/Rewards

For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher - along with the opportunity to appeal, and make a case for a higher priority.

Reward Structure

In Scope Targets

Testing is only authorized on the targets listed below. Any domain/property of Recorded Future not listed in the targets section is out of scope. This includes any/all subdomains not listed below. If you happen to identify a security vulnerability on a target that is not in-scope, but that demonstrably belongs to Recorded Future, it may be reported to this program, and is appreciated - but will ultimately be marked as 'not applicable' and will not be eligible for monetary or points-based compensation.

Website Testing

• https://www.recordedfuture.com
• https://tria.ge
• https://id.recordedfuture.com
• https://hatching.io
• https://geminiadvisory.io
• https://app.recordedfuture.com
• https://securitytrails.com

API Testing

• https://api.recordedfuture.com

Mobile Application Testing

• Recorded Future iOS (https://apps.apple.com/us/app/recorded-future/id1435597894)
• Recorded Future Android (https://play.google.com/store/apps/details?id=com.recordedfuture.mobile&hl=en_US)

Credentials

Credentials will not be provided for this engagement, however where accounts can be self-provisioned. When registering for an account, please sign up for an account using your @bugcrowdninja.com email address.

Out of Scope

When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:

• Clickjacking on pages with no sensitive actions
• Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions
• Attacks requiring MITM or physical access to a user's device
• Previously known vulnerable libraries without a working Proof of Concept
• Comma Separated Values (CSV) injection without demonstrating a vulnerability
• Missing best practices in SSL/TLS configuration
• Any activity that could lead to the disruption of our service (DoS)
• Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
• Rate limiting or bruteforce issues on non-authentication endpoints
• Missing best practices in Content Security Policy
• Missing HttpOnly or Secure flags on cookies
• Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)
• Vulnerabilities only affecting users of outdated or unpatched browsers (Less than 2 stable versions behind the latest released stable version)
• Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors)
• Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis
• Tabnabbing
• Open redirect - unless an additional security impact can be demonstrated
• Issues that require unlikely user interaction (e.g: Broken link hijacking leading to external resources)

Disclosure

This engagement follows Bugcrowd's standard disclosure terms. Vulnerabilities found in this engagement requires explicit permission by selecting the disclosure request option on your submission.