FireEye announced this week that it has become public for all registered researchers to participate in its Bugcrowd-powered bug bounty program.
The program, which has been running privately on the crowd-sourced bug hunting platform for some time, welcomes all Bugcrowd researchers interested in identifying vulnerabilities across a wide range of FireEye websites, including those of subsidiaries and localized domains.
Researchers will receive between $1,500 and $2,500 for true vulnerabilities deemed critical, between $800 and $1,250 for serious vulnerabilities, between $200 and $500 for moderate severity problems, and between $50 and $150 for low risk bugs.
However, interested researchers are asked to ensure that they target only resources within the reach of the program to qualify for monetary rewards, and to refrain from exploring the vulnerability types of ‘contact us’ and ‘supporting.’
“The testing of targets listed as In-Scope is only authorized. Any FireEye domain / property not mentioned in the Targets section is out of reach, “states the provider of security solutions.
The company also points out that the bug bounty program does not cover social engineering, denial or service and physical security attacks. There is no room for attacks requiring physical or administrative access to hosting systems either.
“When communicating with us, we ask reporters to respect the principles and processes of responsible disclosure and allow FireEye the opportunity to evaluate, react and, if possible, fix any documented security vulnerabilities prior to public disclosure,” the company notes.
Reports will be prioritized and rated in accordance with the Bugcrowd Vulnerability Rating Taxonomy, but FireEye emphasizes that the priority of certain vulnerabilities may be modified based on probability or impact. Any such change will be accompanied by a detailed explanation, and it will give the researcher the opportunity to appeal.
FireEye will extend the bug bounty program in the coming months, introducing more products and services.
Researchers can learn additional information about the in-scope tools on the website of Bugcrowd and the rules governing FireEye’s bug bounty program.
Leave a Reply