Dell Technologies Web Properties Vulnerability Disclosure Program
Dell Technologies ("Dell") recognizes the value of the security community to create a more secure world and welcomes the opportunity to collaborate with community members who share this common goal.
This coordinated vulnerability disclosure program (VDP) is limited to security vulnerabilities identified within Dell's public online footprint. Please carefully review the inclusions and exclusions detailed in the sections below.
Note: Dell products are excluded from this program. All vulnerabilities affecting Dell, Dell EMC and RSA products should be reported via email to the Dell Product Security Incident Response Team (Dell PSIRT) at email@example.com. See here for more information.
This program awards points for valid in-scope submissions. This program does not provide monetary rewards.
For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher. Please see below for any exceptions from the standard VRT.
For submissions regarding GitHub credentials, it is beneficial to include the sensitive information in your finding along with the link, to help speed up the validation process.
Out of scope
Testing is only authorized on the targets listed as In-Scope. Any domain/property of Dell not listed in the targets section is out of scope. This includes any/all subdomains not listed above. If you believe you've identified a vulnerability on a system outside the scope, please send the report to firstname.lastname@example.org.
All URLs listed in the In-Scope Targets section above are publicly accessible web applications. Researchers are invited to test all aspects of these applications. Please note: no credentials will be provided for testing.
RSA Conference Mobile Applications:
- You can find the RSA Conference Multi-Event Application (Android) here. Please note only this version of the application is in scope.
- You can find the RSA Conference Multi-Event Application (iOS) here. Please note only this version of the application is in scope.
Dell EMC Mobile Applications are publicly available on iOS and Android app stores.
- You can find the Dell EMC E-Lab Navigator (iOS) here.
- You can find the Dell EMC E-Lab Navigator (Android) here.
We are looking for any vulnerability that could negatively affect the security of our company and our customers. The main categories of vulnerabilities that we look for are the following:
- Cross-site Scripting (XSS)
- Cross-site Request Forgery
- Server-Side Request Forgery (SSRF)
- SQL Injection
- Remote Code Execution (RCE)
- XML External Entity Injection (XXE) with significant impact
- Access Control Issues
- Authentication Bypass Issues
- Authorization Flaws
- Privilege Escalation
- Directory Traversal Issues
- Sensitive Information Disclosure
- Data Exposure
- Business Logic Vulnerabilities
Excluded Submission Types
This program follows the Bugcrowd Vulnerability Rating Taxonomy with some additional submission types we consider to be excluded below. Dell will not reward points for the following (including but not limited to) submission types:
- Denial of service (DoS) attacks
- Findings as reported by automated tools without additional analysis as to how and what is vulnerable
- Open ports without an accompanying proof-of-concept (POC) demonstrating a vulnerability
- Vulnerabilities only affecting users of outdated or unpatched browsers
- Spam reports
- Phishing and social engineering reports
- The intent of this program is to encourage coordinated disclosure. Unless required by federal law or local law enforcement, Dell does not intend to pursue litigation against research and disclosure that meet program rules.
- If legal action is initiated by a third party against you relative to this program and you are in full compliance with the program rules, Dell may at its sole discretion take reasonable steps to help make it known that your actions were conducted in compliance with this program.
- This program requires explicit permission from Dell to disclose the results of a submission.
- Reward points will not be awarded for submissions which are publicly disclosed without explicit permission from Dell.
- Public disclosures made without Dell's permission will make the reporter ineligible for future participation in this or other disclosure or Bug Bounty programs offered by Dell.
- Dell will not negotiate in response to duress or threats (e.g., we will not negotiate rewards under threat of withholding the vulnerability or threat of releasing the vulnerability or any exposed data to the public).
- This program does not offer reward points for out-of-scope targets or excluded submission types (see 'Targets' and 'Excluded Submission Types' sections above).
- If multiple reports are received for the same issue, reward points will be awarded to the earliest report with enough information to reproduce the issue. We will not offer reward points for previously known issues. Dell determines duplicates and cannot share details on other reports.
- Identical issues across different production and non-production environment counterparts will be considered duplicates.
- Identical issues across different sub domains that share code will be considered duplicates.
- Only reporters with points will be listed on the Hall of Fame section of this program. Dell will not publish or maintain a separate Hall of Fame list as part of this program.
- Use your own account for testing purposes. Do not attempt to gain access to another user's account or compromise any user or Dell confidential information.
- Testing must not violate any applicable laws or regulations or disrupt or compromise any data that is not your own. If you inadvertently cause a violation or disruption (such as accessing the data of other users, service configurations, or other confidential information) while testing, please report the incident immediately to email@example.com.
- Dell will not publicly disclose the identity of any reporter without consent, except where required by law.
- Please check domain records to confirm Dell ownership; avoid testing of assets not owned and controlled by Dell.
- Do not exploit a vulnerability you discover beyond what is needed to obtain POC.
- Automated vulnerability scanning tools are strictly prohibited.
- Denial of Service (DoS) and Distributed Denial of Service (DDoS) based attacks are strictly prohibited.
- Dell reserves the right to change or modify the terms of this program at any time. Please check for any updates to this program before making a new submission.
- By participating in this program, the researcher waives rights to the confidentiality of the submitted work and, further, grants Dell an irrevocable, worldwide, royalty-free, perpetual and transferable license to use the submitted research, disclosure and materials, and waives claims against Dell based on Dell's license or the rights granted.
You are not eligible to participate in this program if you are:
- A current employee of Dell Technologies (including a Dell subsidiary) or an immediate family (parent, sibling, spouse, or child) or household member of such an employee.
- A contingent staff member, contractor, or vendor employee currently working with Dell.
- A former employee or contractor of Dell who was involved in the development or testing of a Dell web property listed as a target in this program.
Note: If you find a vulnerability that is not in the scope of this program, please send the report to firstname.lastname@example.org.