Barracuda Networks, Inc.

We encourage researchers to perform testing using their own appliances. However, for those who do not have their own appliances, we have made instances of some of our products publicly available for shared research use. These are the only publicly available systems authorized for use under the program.

These systems are provided for the convenience of researchers. Vulnerabilities affecting these systems, but not directly relating to the products themselves, are not in scope for the program. This includes vulnerabilities such as weak passwords, DNS state or configuration, lack of https configuration, and other configuration specific to the machines themselves.

Barracuda Networks makes no representation regarding the availability or state of these virtual appliances and reserves the right to update, change, or remove them at its sole discretion.

These are the publicly available instances that are in scope for this program:

• http://spam.ptest.cudasvc.com:8000
• http://archiver.ptest.cudasvc.com:8000
• http://webfilter.ptest.cudasvc.com:8000
• http://waf.ptest.cudasvc.com:8000
• http://firewall.ptest.cudasvc.com:8000
• http://sslvpn.ptest.cudasvc.com:8000
• http://adc.ptest.cudasvc.com:8000

Out of Scope:

All Barracuda Networks, Inc. systems and services not listed above are explicitly excluded from the program. This includes, but is not limited to, our websites, infrastructure, and cloud services. Any researcher seeking to perform vulnerability testing upon excluded systems must have prior written consent from the VP of Engineering at Barracuda Networks, Inc. and should be requested through established Bugcrowd communication channels. We may legally pursue researchers conducting vulnerability testing on excluded systems without prior written consent.

Documentation and User's Guides can be found at:

• https://www.barracuda.com/support/documentation

The following bug classes will be considered for bounty awards:

• Unauthenticated bugs that lead to code execution or authentication bypass.
• Datapath bugs that lead to code execution or authentication bypass.
• Unauthenticated disclosure of highly sensitive information.

In addition to those bugs excluded by Bugcrowd's standard disclosure terms, the following finding types are specifically excluded from the receiving Kudos:

• Descriptive error messages (e.g. Stack Traces, application or server errors) except for where they can be demonstrated to enable a specific, real-world attack with measurable security impact.
• Login Page / Forgot Password Page Account Brute force or account lockout not enforced.
• HTTP 404 codes/pages or other HTTP non-200 codes/pages.
• Banner disclosure on common/public services.
• Disclosure of known public files or directories, (e.g. robots.txt).
• Clickjacking and issues only exploitable through clickjacking except for when it can be demonstrated to enable a specific, real-world attack with measurable security impact. Proof-of-concept code is absolutely required.
• Vulnerabilities that require extensive or obtuse social engineering. For example, a user typing an XSS in to an input field and then submitting the form to trigger a non-persistent XSS
• CSRF on forms that are available to anonymous users (e.g. contact forms).
• Logout Cross-Site Request Forgery (logout CSRF).
• Presence of application or web browser 'autocomplete' or 'save password'.
• SSL weaknesses related to missing certificates, self signed certificates, or any other certificate deficiencies. We expect our customers to supply proper certificates for their units upon deployment.
• Content spoofing.
• Vulnerabilities that have already been addressed in a product update or firmware regardless of whether the update has been applied to the publicly available research machines.
• Submissions regarding product deficiencies, as opposed to product vulnerabilities (see below)

Note regarding vulnerabilities in our common platform

The Barracuda appliance family of products is built on a common platform and framework. A vulnerability found in one product may therefore exist in others. When determining bounty awards, we will grant a single award that accounts for the impact to all affected products.

Note regarding our public test network

Researchers have full administrative access to the web interface of the units using the following credentials:

            Username:         admin
            Password:         password (archiver, spam)
            Password:         bugcrowd (firewall, sslvpn, adc, webfilter)

An automated process periodically resets the appliances to a known starting state to undo changes made by researchers. The reset process may be initiated without warning and Barracuda cannot guarantee that work will not be lost in the process.

Barracuda Networks requests that researchers respect the efforts of other researchers and not intentionally break the units. We reserve the right to ban traffic from IPs detected abusing the network and interfering with the normal operation of the program machines.

Units on this testing network have TCP 31337 open outbound for POC purposes. All other outbound ports are filtered.

Note regarding product deficiencies

The program relates to security vulnerabilities in the products. Deficiencies in product functionality are excluded. This includes but is not limited to:

• Bypasses for the default set of signatures in the Barracuda Web Application Firewall - for example, XSS or SQL Injection signatures
• Bypasses for content filtering as applied to email or web filtering
• Inaccuracies in content categorization for web filtering
• Bypasses for anti-virus in email or web filtering

Note from our legal team

This program is not open to minors, individuals on sanctions lists or individuals in countries on sanctions lists. You are responsible for any tax implications or additional restrictions depending on your country and local law. Barracuda Networks strictly complies with US export laws and regulations. Persons and entities in countries embargoed by the US government or denied from accessing US technology are prohibited from accessing Barracuda Networks systems and participating in this program. We reserve the right to cancel this program at any time and the decision to pay a reward is entirely at our discretion. The decision of Barracuda Networks is final and non-appealable. This offer is void where prohibited by law and in participating, you must not violate any law. You also must not disrupt any service or compromise anyone's data.

Thank you for your interest in the Barracuda Security Bug Bounty Program and for helping Barracuda Networks make our products more secure.