Verily Life Sciences Bug Bounty Program

Introduction

Verily is committed to building trust and protecting the privacy and security of our users, customers and partners. We look forward to working with the security research community to discover and address vulnerabilities in our products.

Program Highlights

Fast Payment: Ensures payment within 1 month of receiving a vulnerability report.
Gold Standard Safe Harbor: Adheres to Gold Standard Safe Harbor.
Platform Standards: Fully compliant with Platform Standards.
Top Response Efficiency: This program's response efficiency is above 90%.

Response Times

Average time to first response: 6 hours
Average time to triage: 1 day, 17 hours
Average time to bounty: 18 hours
Average time from submission to bounty: 2 days, 11 hours
Average time to resolution: 3 months, 13 hours

Rewards

Reward Ranges by Severity

Severity	Average Bounty	Bounty Range
Critical (S0)	$7,000	$6,000 - $10,000
High (S1)	$4,650	$2,000 - $5,000
Medium (S2)	$860	$750 - $1,500
Low (S3)	$144	$100 - $500

Vulnerability Categories and Payouts

Vulnerability Category	Examples	Payout
Remote code execution (S0)	Command injection, deserialization bugs, sandbox escapes	$6,000 - $10,000
Unrestricted file system or database access (S1)	Unsandboxed XXE, SQL injection	$5,000
Logic flaw bugs leaking or bypassing significant security controls impacting SPII (S1)	SPII – Direct object reference, remote user impersonation	$2,000
Logic flaw bugs leaking or bypassing significant security controls impacting PII or other confidential information (S2)	PII or other confidential information – Direct object reference, remote user impersonation	$1,500
Logic flaw bugs leaking or bypassing significant security controls impacting other data/systems (S2)	Other – Direct object reference, remote user impersonation	$750 - $1,000
Execute code on the client (S3)	Web: Cross-site scripting, Mobile / Hardware: Code execution	$200 - $500
Other valid security vulnerabilities (S3)	CSRF, Clickjacking, Mobile / Hardware: Information leak, privilege escalation	$100 - $200

Please note these are general guidelines, and reward decisions are up to the discretion of Verily Life Sciences.

Bounty Awards for Discovered Leaked Credentials

Verily has committed to awarding submissions that discover leaked credentials according to Exemplary Standards.

Scope

In Scope Assets

The program includes 6 assets in scope. Contact the program team before submitting vulnerabilities on assets that have not been explicitly listed in the program scope. Submissions will be accepted and reviewed by the team only if the asset is confirmed to be Verily-owned.

Scope Exclusions

The following are excluded from this program's scope:

Excluded endpoints: "helix.verily.com" and "enroll.onduo.com" are excluded from this program's scope. Contact forms endpoints such as https://verily.com/contact-us and https://verily.com/solutions/public-health/wastewater/contact are also not in scope for this program.
Subdomain takeover issues: Reports related to stale DNS records, subdomain takeovers or dangling IPs are out-of-scope for this program and will not be rewarded. Verily is working on an internal DNS hygiene solution to resolve these issues.
Core Ineligible Findings: Out of scope.
Ineligible vulnerability types: URL redirections, vulnerabilities requiring unlikely or impractical user interaction steps, "logout" cross-site request forgery, banner or version information leaks, and user enumeration.

Disclosure Policy

Please do not discuss any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.
Follow HackerOne's disclosure guidelines.

Program Rules

Provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
Submit one vulnerability per report unless you need to chain vulnerabilities to provide impact.
When duplicates occur, only the first report received will be awarded (provided that it can be fully reproduced).
Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
Ask the program team before submitting vulnerabilities on assets that have not been explicitly listed in the program scope.
Social engineering (e.g., phishing, vishing, smishing) is prohibited.
Attacks that affect the availability of Verily's services such as denial-of-service attacks are prohibited. Avoid using scanners or vulnerability testing tools that generate high volumes of traffic to avoid being flagged by monitoring systems.
Using tools that perform DNS brute forcing of any kind is prohibited.
Leveraging black hat SEO techniques, spamming people, and breaking and entering into Verily offices are prohibited.
Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of services.
Only interact with accounts you own or with the explicit permission of the account holder.

Testing

Users are able to sign up for free accounts through some of the in-scope domains and mobile apps. Credentials are not provided for testing at this time.
Use your hacker email alias (e.g. [email protected]) when testing.

Session Layer: HTTP Headers

Researchers should add headers to requests such as:

"X-HackerOne-Research: [H1 username]"

Thank you for helping keep Verily and our users safe!