#Vimeo's Bug Bounty Program Policy

Vimeo engineers are committed to ensuring the safety and security of our site and users. We greatly respect the work of security experts and strive to stay up-to-date with the latest security techniques. However, we acknowledge that no system is infallible. If you identify a security vulnerability in one of our products, we encourage you to report it to us.

Before submitting a report, please review our guidelines below to understand what constitutes a security vulnerability and our preferred reporting methods. We are committed to evaluating and resolving all valid bugs promptly after a report is filed.

Bounties are awarded based on merit at our discretion.

   

Table of Contents

• About Vimeo
• Rules
• Rules for us
• Triage and Payout Process
• Criteria for premium accounts
• Qualifying vulnerabilities (in-scope)
• Recommended features for increased focus
• Non-qualifying vulnerabilities (out-of-scope)
• Disclosure Policy
• Safe Harbor

   

About Vimeo

Vimeo is a platform for video creation, hosting, sharing, and streaming, with features like a Video Player, Live Streaming, and Vimeo OTT. We have many similarities to YouTube, but our revenue model is completely different (eg. our videos are ad-free, we charge content creators, etc.).

Our company has 6 different components:

• vimeo.com
• vhx.tv (also known as "OTT")
• magisto.com
• livestream.com — **out-of-scope
• wirewax.com — out-of-scope
• wibbitz.com — out-of-scope

Please note that, previously, Vhx, Magisto, and Livestream each had their own separate bug bounty programs within HackerOne. We have now merged those three programs into the main Vimeo program.

#Rules

Requirements for your submission to be eligible for a bounty reward:

• You must demonstrate a vulnerability with proof/evidence. When hunting for bugs and when providing evidence, please only use your own accounts. Do not use or access other people’s data or accounts at any time.
• You must be the “first reporter.” Please understand that we have an active security team that does regular internal testing and contracts out for pentests often. As such, we often find and fix issues on our own. If our internal security team or our pentesters or our developers happen to find the same issue before you find it, they will count as the “first reporter” and your report will be considered a duplicate.
• The underlying issue must be unique, ie. multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
• Your report must be in scope. Please look over the scope table at the end of this policy before submitting a report. We want to help reduce your risk of submitting an out-of-scope report that could hurt your Signal, as well as reduce noise in our inbox.

Suggestions to ensure fast processing and maximum bounty:

• Communicate respectfully and professionally at all times
• Provide detailed reproducible steps. This is important.
• Explain the potential impact
• Submit only one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
• We highly recommend that you sign up for any throwaway accounts using your @wearehackerone.com email address. Learn more here. This helps us distinguish between bug bounty hunters and actual malicious actors. We’ll be less likely to flag or suspend your Vimeo account(s).
• We strongly encourage providing a video POC for each finding, although it is not required. If you do provide one, please upload the video in a file format that is supported by the H1 embedded player (e.g. .mp4, .mov, .webm, etc, but not .avi).

Your report does not necessarily need to include a full exploit. Did you come across a spicy bug that has a good impact, but you’re missing one or two pieces needed to complete the exploit? Send it our way, we’d be happy to take a look and might even consider it without it being fully complete.

Dont's

• DO NOT use automated tools or scanners. Reports as such will be closed as N/A.
• DO NOT DDoS or otherwise attack us in a way that would disrupt service for our customers.
• DO NOT disclose or discuss any vulnerability, even resolved ones, outside of the program at any time without express consent from Vimeo. Please see our Disclosure Policy below for instructions on requesting permission for disclosure.
• DO NOT attempt to access other people's private data or accounts. Basic Vimeo accounts are free, so setting up example cases with throwaway accounts should be easy.
• Do NOT attempt to conduct post-exploitation: modification or destruction of data, interruption or degradation of services, and pivoting with access not normally granted.

   

#Rules for us Vimeo and HackerOne will make their best efforts to meet the following SLAs for hackers participating in our program:

• HackerOne aims to complete initial triage within 2 days after you submit your report
• Vimeo will complete the final triage within 3 business days after the H1 triage
• Vimeo will award the full bounty immediately once we confirm that it’s not a duplicate and we intend to fix it    

#Triage and Payout Process Vimeo is a HackerOne-managed program. HackerOne currently has a commitment to complete initial triage within 2 days after you submit your report. Once they finish the initial triage, they will pass the report back to Vimeo so that we may conduct the final triage. Items in the Triaged state alone will NOT be considered accepted until Vimeo makes a final decision, which we will signify with a full bounty payout.

Please be aware that, even if the HackerOne team has triaged a ticket, the Vimeo team may potentially close the ticket at any time with no payout, eg. if we discover that it is a duplicate or if we decide not to fix the issue. Further note that if the report is a duplicate, we may potentially not provide any links to the original ticket, especially if the original reporter would prefer that their report be kept private or if the original ticket exists within our internal ticketing system.

   

Criteria for premium accounts

Basic Vimeo accounts are free, but Vimeo offers additional features to our customers via our paid plans. We’d like to give our bug bounty researchers access to these paid plans free of charge so that they may test all the extra functionality that is available only in those plans.

To be eligible for a paid account, you must meet at least one of the following qualifications:

Note: The plan will be activated only on a 2 HackerOne alias account. If you believe you have met the criteria, please submit the form and await our response. Form link : https://forms.gle/88UEMuwVKfyuGpeVA

   

#Qualifying vulnerabilities (in-scope) Please take the time to provide a clear proof of concept that shows how a particular vulnerability is exploitable. You must be able to reproduce the issue on request with your account(s). Use the following table to categorize security issues.

However, note that your report does not necessarily need to include a full exploit. Did you come across a spicy bug that has a good impact, but you’re missing one or two pieces needed to complete the exploit? Send it our way — we’d be happy to take a look and might even consider it without it being fully complete.

Note: Non-listed vulnerabilities may also be eligible. Some vulnerability types may fall under a variety of severity ratings determined by the scope/scale of exploitation and impact.

   

Recommended features for increased focus

We recommend that researchers prioritize their efforts on the core features provided within our upgrade plans. You can find more information about these features at the following links:

• Vimeo: https://vimeo.com/upgrade-plan
• Vimeo enterprise
• Magisto: https://www.magisto.com/account/upgrade
• Vimeo AI features ( Enterprise tier)

Non-qualifying vulnerabilities (out-of-scope)

• User enumeration
• Open redirect (Unless chained to show an impact)
• Reports from automated tools or scans
• Missing rate limits, unless it can lead to account takeover
• Vulnerabilities affecting subdomains that resolve to third‑party or externally hosted services (e.g., billing.vimeo.com, help.vimeo.com).
• Missing cookie flags on non-sensitive cookies
• Logout CSRF attacks (unless chained to show an impactful exploit)
• Reports of insecure SSL/TLS ciphers (unless you have a working proof of concept -- and not just a report from a scanner)
• Reports of insecure crossdomain.xml configuration (again, unless you have a working proof of concept and not just a report from a scanner)
• Reports of window.opener redirects
• Open SMTP redirects (just because it looks like you can use our servers doesn't mean it's true-- unless you have a PoC)
• Email-related attacks including spoofing or any issues related to SPF, DKIM or DMARC
• Clickjacking on static websites
• Content spoofing/text injection
• Use of a known vulnerable library (without evidence of exploitability)
• Vulnerabilities affecting users of outdated browsers or platforms
• Social engineering and Man-in-the-Middle attacks
• Missing HTTP security headers (unless you deliver a proof of concept that leverages their absence)
• Self-XSS
• Denial of service attacks, do not perform them.
• 3rd party sites used by Vimeo.
• Subdomain takeovers where someone has signed up for an account, forwarded to an external site that doesn't exist/can be compromised
• RCE on sites that link or are redirected from Vimeo.
• Exploits that require the attacker to have access to the user’s device or external account (phone, laptop, email, 2FA token, etc)
• Issues where the user’s device or account (phone, laptop, email, etc) has been rooted, malwared, bot'd, etc.
• Google Maps API key exposure, unless it is allowing you to interact with any other google services.
• Stack traces or path disclosures (without sensitive data).
• Banner and Version grabbing.
• CSV injection and Host header Injection ( without any server side impact ).
• Broken link hijacking on customer's VHX subdomains.( for eg: customername.vhx.tv).
• Login spoofing with @vimeo.com or @vhx.tv.
• Autologin token reuse.
• Public 0-day/1-day vulnerabilities known to team within 15 days of the disclosure.
• IDOR on UUID (or randomly generated alphanumeric IDs with a length of 16+ characters), unless there is a proven method to retrieve Vimeo asset UUIDs or random generated id's.
• Fake card or BIN-based payment bypass.
• Pre-account signup and account lockout.
• Credential leaks from personal/external sources.( unless there is an exposure of @vimeo.com and @vhx.tv)
• Username and userid exposure ( private mode )
• No Lockout on Login/Forget Password bruteforce.

   

#Disclosure Policy Vimeo understands that disclosure helps the infosec community and strengthens your professional reputation.

###Rules

• If you wish to disclose a specific issue, you must receive explicit prior approval from Vimeo.
• Please do not discuss any vulnerabilities, even resolved ones, outside of the program at any time without express consent from Vimeo.

###How to request permission Please request permission for disclosure by commenting on the report within HackerOne, and we’ll kick off an internal disclosure process promptly.

###Restrictions

• Vimeo reserves the right to approve or deny any request for disclosure for any reason and at our sole discretion.
• Only Resolved reports requested by the original reporter are eligible for disclosure. All other reports (Informative, NA, Spam) are not eligible for disclosure of any kind, in or outside the HackerOne platform.-
• Duplicate reports are not eligible for disclosure. Only the original reporter is eligible for disclosure

Should a researcher break any disclosure or program policies, that researcher shall no longer be protected under Safe Harbor and will be subject to legal action at our discretion. Furthermore, failure to comply with these rules may result in a program ban for all company properties.

In addition to these rules, please also follow HackerOne's disclosure guidelines

   

Safe Harbor

Thank you for helping Vimeo, Inc. and its subsidiaries (“Vimeo”). Vimeo provides this Safe Harbor Statement to encourage and facilitate research using HackerOne’s bug bounty program to help us identify bugs and vulnerabilities.

We authorize access to our owned-and-operated systems, services, and applications for the purpose of conducting research consistent with HackerOne’s then-current policies. We will not consider your good faith activities in this regard to violate applicable criminal or civil laws (even if those activities inadvertently exceed the scope of our authorization), such as the Digital Millennium Copyright Act or Computer Fraud and Abuse Act, and we will not commence legal action with respect to such activities.

If legal action is commenced against you as a result of your good faith activities, Vimeo will take steps to make it known to parties commencing such action that your activities were conducted in accordance with this Safe Harbor Statement.

To the extent that our applicable online terms of service are inconsistent with this Safe Harbor Statement, then this Safe Harbor Statement shall control.

Please note that this Safe Harbor Statement does not extend to systems, services, and applications that we do not control.

We encourage you to contact us if you have questions regarding the scope of this Safe Harbor Statement. You may do so through HackerOne or by emailing us at [email protected].

Thanks for helping us fight the good fight!