Appliances - Barracuda Networks, Inc.

As a creator of technologies and products that help businesses protect their resources and users, Barracuda Networks continuously focuses on improving the security of our products.

We encourage researchers to perform testing using their own appliances.

Out of Scope:

All Barracuda Networks, Inc. systems and services not listed above are explicitly excluded from the program. This includes, but is not limited to, our websites, infrastructure, and cloud services. Any researcher seeking to perform vulnerability testing upon excluded systems must have prior written consent from the Senior Director of Information Security at Barracuda Networks, Inc. and should be requested through established Bugcrowd communication channels. We may legally pursue researchers conducting vulnerability testing on excluded systems without prior written consent.

Testing is only authorized on the targets listed as In-Scope. Any domain/property of Barracuda not listed in the targets section is out of scope. This includes any/all subdomains not listed above.

If you identify a security vulnerability on a target that is not in-scope, but that demonstrably belongs to Barracuda, it may be reported to this program. Note that this is in the spirit of "If you see something, please say something" only. Active testing on all out-of-scope targets is expressly prohibited. Reports of this type are appreciated - but will ultimately be marked as 'not applicable' and will not be eligible for monetary or points-based compensation.

Documentation and User's Guides can be found at:

• https://www.barracuda.com/support/documentation

The following bug classes will be considered for bounty awards:

• Unauthenticated bugs that lead to code execution or authentication bypass.
• Datapath bugs that lead to code execution or authentication bypass.
• Unauthenticated disclosure of highly sensitive information.

In addition to those bugs excluded by Bugcrowd's standard disclosure terms, the following finding types are specifically excluded from the receiving Kudos:

• Descriptive error messages (e.g. Stack Traces, application or server errors) except for where they can be demonstrated to enable a specific, real-world attack with measurable security impact.
• Login Page / Forgot Password Page Account Brute force or account lockout not enforced.
• HTTP 404 codes/pages or other HTTP non-200 codes/pages.
• Banner disclosure on common/public services.
• Disclosure of known public files or directories, (e.g. robots.txt).
• Clickjacking and issues only exploitable through clickjacking except for when it can be demonstrated to enable a specific, real-world attack with measurable security impact. Proof-of-concept code is absolutely required.
• Vulnerabilities that require extensive or obtuse social engineering. For example, a user typing an XSS in to an input field and then submitting the form to trigger a non-persistent XSS
• CSRF on forms that are available to anonymous users (e.g. contact forms).
• Logout Cross-Site Request Forgery (logout CSRF).
• Presence of application or web browser 'autocomplete' or 'save password'.
• SSL weaknesses related to missing certificates, self signed certificates, or any other certificate deficiencies. We expect our customers to supply proper certificates for their units upon deployment.
• Content spoofing.
• Vulnerabilities that have already been addressed in a product update or firmware regardless of whether the update has been applied to the publicly available research machines.
• Submissions regarding product deficiencies, as opposed to product vulnerabilities (see below)

Note regarding vulnerabilities in our common platform

The Barracuda appliance family of products is built on a common platform and framework. A vulnerability found in one product may therefore exist in others. When determining bounty awards, we will grant a single award that accounts for the impact to all affected products.

Note regarding product deficiencies

The program relates to security vulnerabilities in the products. Deficiencies in product functionality are excluded. This includes but is not limited to:

• Bypasses for the default set of signatures in the Barracuda Web Application Firewall - for example, XSS or SQL Injection signatures
• Bypasses for content filtering as applied to email or web filtering
• Inaccuracies in content categorization for web filtering
• Bypasses for anti-virus in email or web filtering

Note from our legal team

This program is not open to minors, individuals on sanctions lists or individuals in countries on sanctions lists. You are responsible for any tax implications or additional restrictions depending on your country and local law. Barracuda Networks strictly complies with US export laws and regulations. Persons and entities in countries embargoed by the US government or denied from accessing US technology are prohibited from accessing Barracuda Networks systems and participating in this program. We reserve the right to cancel this program at any time and the decision to pay a reward is entirely at our discretion. The decision of Barracuda Networks is final and non-appealable. This offer is void where prohibited by law and in participating, you must not violate any law. You also must not disrupt any service or compromise anyone's data.

Thank you for your interest in the Barracuda Security Bug Bounty Program and for helping Barracuda Networks make our products more secure.