Appliances - Barracuda Networks, Inc.

Trusted Planet-Wide

  • Points per vulnerability
  • Partial safe harbor
  • Managed by Bugcrowd
Submit report

Program stats

124 vulnerabilities rewarded

Validation within about 1 month
75% of submissions are accepted or rejected within about 1 month

Latest hall of famers

View all 93

Recently joined this program

338 total

Disclosure

Please note: This program does not allow disclosure. You may not release information about vulnerabilities found in this program to the public.

As a creator of technologies and products that help businesses protect their resources and users, Barracuda Networks continuously focuses on improving the security of our products.

Targets

In scope

Target name Type
Barracuda Email Security Gateway Other
Barracuda Message Archiver Other
Barracuda Web Security Gateway Other
Barracuda Web Application Firewall Other
Barracuda CloudGen Firewall Other
Barracuda Firewall Other
Barracuda SSLVPN Other
Barracuda ADC Other

We encourage researchers to perform testing using their own appliances.

Out of Scope:

All Barracuda Networks, Inc. systems and services not listed above are explicitly excluded from the program. This includes, but is not limited to, our websites, infrastructure, and cloud services. Any researcher seeking to perform vulnerability testing upon excluded systems must have prior written consent from the Senior Director of Information Security at Barracuda Networks, Inc. and should be requested through established Bugcrowd communication channels. We may legally pursue researchers conducting vulnerability testing on excluded systems without prior written consent.

Documentation and User's Guides can be found at:

The following bug classes will be considered for bounty awards:

  • Unauthenticated bugs that lead to code execution or authentication bypass.
  • Datapath bugs that lead to code execution or authentication bypass.
  • Unauthenticated disclosure of highly sensitive information.

In addition to those bugs excluded by Bugcrowd's standard disclosure terms, the following finding types are specifically excluded from the receiving Kudos:

  • Descriptive error messages (e.g. Stack Traces, application or server errors) except for where they can be demonstrated to enable a specific, real-world attack with measurable security impact.
  • Login Page / Forgot Password Page Account Brute force or account lockout not enforced.
  • HTTP 404 codes/pages or other HTTP non-200 codes/pages.
  • Banner disclosure on common/public services.
  • Disclosure of known public files or directories, (e.g. robots.txt).
  • Clickjacking and issues only exploitable through clickjacking except for when it can be demonstrated to enable a specific, real-world attack with measurable security impact. Proof-of-concept code is absolutely required.
  • Vulnerabilities that require extensive or obtuse social engineering. For example, a user typing an XSS in to an input field and then submitting the form to trigger a non-persistent XSS
  • CSRF on forms that are available to anonymous users (e.g. contact forms).
  • Logout Cross-Site Request Forgery (logout CSRF).
  • Presence of application or web browser 'autocomplete' or 'save password'.
  • SSL weaknesses related to missing certificates, self signed certificates, or any other certificate deficiencies. We expect our customers to supply proper certificates for their units upon deployment.
  • Content spoofing.
  • Vulnerabilities that have already been addressed in a product update or firmware regardless of whether the update has been applied to the publicly available research machines.
  • Submissions regarding product deficiencies, as opposed to product vulnerabilities (see below)

Note regarding vulnerabilities in our common platform

The Barracuda appliance family of products is built on a common platform and framework. A vulnerability found in one product may therefore exist in others. When determining bounty awards, we will grant a single award that accounts for the impact to all affected products.

Note regarding product deficiencies

The program relates to security vulnerabilities in the products. Deficiencies in product functionality are excluded. This includes but is not limited to:

  • Bypasses for the default set of signatures in the Barracuda Web Application Firewall - for example, XSS or SQL Injection signatures
  • Bypasses for content filtering as applied to email or web filtering
  • Inaccuracies in content categorization for web filtering
  • Bypasses for anti-virus in email or web filtering

Note from our legal team

This program is not open to minors, individuals on sanctions lists or individuals in countries on sanctions lists. You are responsible for any tax implications or additional restrictions depending on your country and local law. Barracuda Networks strictly complies with US export laws and regulations. Persons and entities in countries embargoed by the US government or denied from accessing US technology are prohibited from accessing Barracuda Networks systems and participating in this program. We reserve the right to cancel this program at any time and the decision to pay a reward is entirely at our discretion. The decision of Barracuda Networks is final and non-appealable. This offer is void where prohibited by law and in participating, you must not violate any law. You also must not disrupt any service or compromise anyone's data.

Thank you for your interest in the Barracuda Security Bug Bounty Program and for helping Barracuda Networks make our products more secure.

Program rules

This program follows Bugcrowd’s standard disclosure terms.

Learn more about Bugcrowd’s VRT.