
Varonis
# Varonis Bug Bounty Program (BBP) Policy
At Varonis, we specialize in software for data protection, threat detection and response, and compliance, and we know how valuable the security community's contributions are in helping safeguard organizations.
We partner with HackerOne and foster relationships with the community to proactively identify new threats and improve security for our customers, partners, suppliers, employees, and overall company.
If you have information about possible security vulnerabilities involving Varonis' software products or services, please submit a report using the information and procedures described below. We look forward to working with you to keep our business and customers safe.
Varonis will make commercially reasonable efforts to meet the following SLAs for hackers participating in our program:
| Type of Response | SLA in business days |
|---|---|
| First Response | 2 days |
| Time to Triage | 5 days |
| Time to Resolution | depends on severity and complexity |
We’ll try to keep the hacker who identified the vulnerability informed about our progress throughout the process.
• We determine the value of the reward based on the impact and severity of the reported vulnerability. Generally, we use CVSS v3.1 scoring. The final reward decisions are up to the sole discretion of the Varonis Security team.
• When duplicates (e.g. discovered and reported by other researchers or by an internal team) occur, we only award the first report that we receive.
• Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
• Submissions for assets that are outside the program's scope are not eligible for bounty payments. However, they may still be eligible for a bonus payment of up to $100, depending on the severity of the issue.
Our rewards are based on severity per CVSS (the Common Vulnerability Scoring System). Please note these are general guidelines, and reward decisions are up to the discretion of Varonis.
• You must be 18 years old or older to submit a vulnerability for consideration. If you are a minor, you must submit through a parent or legal guardian.
• You are an individual security researcher participating in your own individual capacity, or, if you work for a company or other organization, that organization permits you to participate in your own individual capacity. It is your sole responsibility to comply with any policies your employer may have that would affect your eligibility to participate in this program.
• Varonis's (including its subsidiaries') current or former employees or contractors, and their family and/or household members, are all prohibited from participating in the bug bounty program.
• You must not be a resident of, or make your Submission from, a country against which the United States has issued export sanctions or other trade restrictions (e.g., Cuba, Iran, North Korea, Sudan and Syria). An eligible submission shall be made in accordance with any applicable export and trade control laws and regulations.
• Prevent sensitive information from being saved, stored, transferred, or otherwise accessed after initial discovery.
• Ensure that any personal or sensitive information is only viewed to the extent required to identify a vulnerability and that it is not retained or otherwise shared.
• Limit the use of information obtained from interacting with Varonis' systems or services to activities directly related to reporting security vulnerabilities.
• Social engineering (e.g., phishing, vishing, smishing) is prohibited.
• Avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.
• Please do not engage in any activity that can potentially or actually cause harm to Varonis, our customers, partners, vendors, or employees.
• Do not engage in any activity that violates (a) federal, state or other laws or regulations or (b) the laws or regulations of any country: (x) where (i) data, assets, or systems reside, (ii) data traffic is routed, or (iii) the researcher is conducting research activity; (y) which is otherwise related to this program, the hacker and/or Varonis.
• Do not store, share, compromise, or destroy Varonis or customer data. If Personally Identifiable Information (PII) is encountered, you should immediately halt your activity, purge related data from your system, and immediately contact Varonis. This step protects any potentially vulnerable data, and you.
• Do not access, impact, destroy or otherwise negatively impact Varonis customers, or customer data, in any way.
• Denial of service (DoS/DDoS) testing is strictly prohibited.
• Contact us immediately if you inadvertently encounter user data. Do not view, alter, save, store, transfer, or otherwise access the data, and immediately purge any local information upon reporting the vulnerability to Varonis.
• Ensure you understand the targets, scopes, exclusions, and rules in scope.
• Identify testing traffic with custom headers. To allow Varonis to separate testing traffic from real user traffic, we require that you include a unique string/header in every request: `X-HackerOne-Research: [Your H1 Username]`
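The header above is what lets the Varonis side separate research traffic from production traffic. As an added example (not Varonis' or HackerOne's code), the following Python buckets constructed request log lines by that header, matching the header name case-insensitively as HTTP requires and flagging requests that carry the header with an empty or malformed username; the username pattern is an assumption, not something the policy specifies.

```python
import re
from typing import Dict, List, Tuple

RESEARCH_HEADER = "x-hackerone-research"
# Assumed username pattern (not stated by Varonis or HackerOne):
# letters, digits, '_' and '-', 1-64 characters.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def research_tag(headers: Dict[str, str]) -> str:
    """Return 'real', 'research:<user>' or 'research:invalid' for one request.
    Header names are compared case-insensitively, as HTTP requires."""
    lowered = {k.strip().lower(): v.strip() for k, v in headers.items()}
    value = lowered.get(RESEARCH_HEADER)
    if value is None:
        return "real"
    if USERNAME_RE.fullmatch(value):
        return f"research:{value}"
    return "research:invalid"


def split_traffic(log_lines: List[str]) -> Tuple[List[str], Dict[str, int], int]:
    """Parse constructed log lines of the form
    '<method> <path> | Header: value; Header: value' and bucket them.
    Returns (real request lines, research request counts per tag,
    count of requests with an unusable research header)."""
    real, by_user, invalid = [], {}, 0
    for line in log_lines:
        req, _, hdr_blob = line.partition(" | ")
        headers = {}
        for pair in filter(None, (p.strip() for p in hdr_blob.split(";"))):
            name, _, val = pair.partition(":")
            headers[name] = val
        tag = research_tag(headers)
        if tag == "real":
            real.append(req)
        elif tag == "research:invalid":
            invalid += 1
        else:
            by_user[tag] = by_user.get(tag, 0) + 1
    return real, by_user, invalid


# Constructed sample log: two real requests, two tagged by the same
# researcher (one with a lower-case header name), one with an empty value.
SAMPLE_LOG = [
    "GET /login | Host: app.example; User-Agent: Mozilla/5.0",
    "POST /api/report | Host: app.example; X-HackerOne-Research: alice_h1",
    "GET /admin | Host: app.example; x-hackerone-research: alice_h1",
    "GET /search?q=x | Host: app.example; X-HackerOne-Research: ",
    "GET /health | Host: app.example",
]
```

Requests counted as invalid are the ones worth alerting on: they look like research traffic but cannot be attributed to a program participant.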
• Please provide detailed reports showcasing reproducible steps. If the report is not detailed enough to reproduce the issue/vulnerability, the issue/vulnerability may not be marked as triaged.
• Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
• When several reports are submitted to disclose the same vulnerability, Varonis shall only triage the first report (which is in line with all the requirements listed herein) that was received.
• When reporting vulnerabilities, please explain the attack scenario, exploitability, security impact of the bug, and suggested remediation or mitigation actions. Include the IP address that was used during testing with your submission.
Varonis encourages the disclosure of OWASP Top 10 and other eligible web application vulnerabilities, with the exception of those vulnerabilities that are listed as out of scope. In-scope vulnerabilities include but are not limited to:
• Cross Tenant Data Leakage/Access
• Server-side Remote Code Execution (RCE)
• Server-Side Request Forgery (SSRF)
• Stored/Reflected Cross-site Scripting (XSS)
• Cross-site Request Forgery (CSRF) in a privileged context
• SQL Injection (SQLi)
• XML External Entity Attacks (XXE)
• Access Control Vulnerabilities (Insecure Direct Object Reference issues, etc.)
• Injection Vulnerabilities
• Authentication or Authorization Flaws
• Sensitive Data Exposure
• Insecure Deserialization/Server-Side Code Execution
• Directory Traversal
Varonis reserves the right to reject any submission that Varonis, in its sole discretion, determines to not meet the BBP criteria. Submissions that require manipulation of data, network access, or physical attack against Varonis’ offices or data centers and/or social engineering of our employees or contractors are out of scope and strictly prohibited. Submissions that result in the alteration or theft of Varonis’ data, or the interruption or degradation of Varonis’ services or systems will not be accepted.
The following issues are considered out of scope:
• The use of automated scanners is strictly prohibited.
• Do not brute force or guess credentials to gain access to systems.
• Clickjacking on pages with no sensitive actions
• Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions
• Attacks requiring MITM or physical access to a user's device.
• Previously known vulnerable libraries without a working Proof of Concept.
• Comma Separated Values (CSV) injection without demonstrating a vulnerability.
• Missing best practices in SSL/TLS configuration.
• Any activity that could lead to the disruption of our service (DoS).
• Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
• Rate limiting or brute force issues on non-authentication endpoints.
• Missing best practices in Content Security Policy.
• Missing HttpOnly or Secure flags on cookies
• Missing email best practices (Invalid, incomplete, or missing SPF/DKIM/DMARC records, etc.)
• Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]
• Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g., stack traces, application, or server errors).
• Zero-day vulnerabilities that have been officially confirmed and publicly disclosed within the last 30 days are reviewed and only applicable on a case-by-case basis.
• Tabnabbing
• Open redirect - unless an additional security impact can be demonstrated.
• Issues that require unlikely user interaction
• Self-XSS, which includes any payload entered by the victim.
• Social engineering (e.g., phishing, vishing, smishing) is prohibited.
• Vulnerabilities that are already known (e.g. discovered and reported by other researchers or by an internal team)
• Subdomains owned by third parties are generally considered out of scope.
• Leaked credentials obtained from databases, third-party breaches, or any other unauthorized sources
• Our software solutions also leverage Amazon AWS and Microsoft Azure services. Please consult the appropriate third-party sources and review such third party's terms and conditions prior to performing any testing on third-party infrastructure.
You must comply with Varonis' Terms and Conditions, security industry best practices, and all applicable federal, state, local as well as any other laws in connection with your security research activities or other participation in this bug bounty program. You agree that any and all information acquired or accessed as part of this exercise is confidential to Varonis and you shall hold all such information in strict confidence and shall not copy, reproduce, sell, assign, license, distribute, market, transfer or otherwise dispose of, give, or disclose such information to third parties or use such information for any purposes other than as part of your participation in the program described herein or as expressly authorized in writing by Varonis.
Varonis does not authorize, permit, or otherwise allow (expressly or impliedly) any person, including any individual, group of individuals, consortium, partnership, or any other business or legal entity to engage in any security research or vulnerability or threat disclosure activity that is inconsistent with this policy or any applicable laws and regulations. If you engage in any activities that are inconsistent with this policy or such laws and regulations, you may be subject to criminal and/or civil liabilities.
To the extent that any security research or vulnerability disclosure activity involves the networks, systems, information, applications, products, or services of a non-Varonis entity (e.g., federal departments or agencies; state, local, or tribal governments; other private sector companies or persons; employees or personnel of any such entities; or any other third party), it is your responsibility to comply with the rules and requirements of such non-Varonis entity and that non-Varonis third party may independently determine whether to pursue legal action or remedies related to such activities.
By submitting a report to Varonis, you grant Varonis a perpetual, irrevocable, worldwide, royalty-free, transferable, fully sublicensable license to use, reproduce, adapt, modify, publish, distribute, publicly perform, create derivative work from, make, sell, offer for sale and import for any purpose all intellectual property rights in or related to the report, information or materials submitted by you to Varonis pursuant to this policy. You must notify us if any part of your report is not your own work or is the intellectual property of a third-party.
Varonis may modify the terms of this policy or terminate the policy at any time and from time to time, at its sole discretion. Your participation in the program is voluntary and subject to the terms and conditions set forth herein. By submitting a report, you acknowledge and agree to the terms and conditions contained in this Policy.
As between you and Varonis, in case of any inconsistency between this policy and HackerOne's Terms, the terms of this policy shall take precedence.
Thank you for helping keep Varonis and our users safe!