Dell Technologies

  • Points per vulnerability
  • Partial safe harbor
  • Managed by Bugcrowd

Program stats

1591 vulnerabilities rewarded

Validation within 1 day
75% of submissions are accepted or rejected within 1 day


Disclosure

Please note: This program does not allow disclosure. You may not release information about vulnerabilities found in this program to the public.

Dell Technologies Web Properties Vulnerability Disclosure Program

Dell Technologies ("Dell") recognizes the value of the security community in creating a more secure world and welcomes the opportunity to collaborate with community members who share this common goal.

This coordinated vulnerability disclosure program (VDP) is limited to security vulnerabilities identified within Dell's public online footprint. Please carefully review the inclusions and exclusions detailed in the sections below.

Note: Dell products are excluded from this program. All vulnerabilities affecting Dell and Dell EMC products should be reported to the Dell Product Security Incident Response Team (Dell PSIRT). The Dell Vulnerability Response Policy provides information on how to report product-focused vulnerabilities.

As of September 1, 2020, RSA is no longer a part of Dell Technologies. To report a vulnerability on RSA products or applications, please contact RSA. For any additional questions on existing RSA knowledge base articles or advisories, please visit https://community.rsa.com/


Rewards/Ratings:

This program awards points for valid in-scope submissions. This program does not provide monetary rewards.

For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher. Please see below for any exceptions from the standard VRT.

For submissions regarding GitHub Credentials, all findings will be initially rated as a P5. Once the finding has been determined to have a real impact, it will be upgraded accordingly. Remember, it is beneficial to include the sensitive information in your finding along with the link to help speed up the validation process.

This program only awards points for VRT-based submissions.

Targets

In scope

Target name: *.delltechnologies.com/*
Type: Website Testing
Tags: Bootstrap, Adobe Experience Manager, jQuery, Modernizr, Varnish, Java, Website Testing, Recon, DNS

Target name: *.dell.com/*
Type: Website Testing
Tags: Bootstrap, ASP.NET, jQuery, Modernizr, Microsoft IIS, Website Testing, Recon, DNS

Target name: *.dellemc.com/*
Type: Website Testing
Tags: Website Testing, Recon, DNS

Target name: *.emc.com/*
Type: Website Testing
Tags: Website Testing, Recon, DNS

Target name: *.boomi.com/*
Type: Website Testing
Tags: jQuery, MySQL, MariaDB, nginx, Wordpress, Varnish, PHP, Newrelic, Website Testing, Recon, DNS

Target name: Dell EMC E-Lab Navigator (Android)
Type: Android
Tags: Mobile Application Testing, Android, Java, Kotlin

Target name: Dell EMC E-Lab Navigator (iOS)
Type: iOS
Tags: Mobile Application Testing, iOS, Objective-C, Swift, SwiftUI

Target name: secureworks.com/*
Type: Website Testing
Tags: ASP.NET, jQuery, Microsoft IIS, Newrelic, Website Testing

Target name: *.manywho.com/*
Type: Website Testing
Tags: Website Testing

Out of scope

Target name: https://m.platform.boomi.com/graphql
Type: Website Testing

Target name: Sites, applications, services and products that are not explicitly identified as “in scope”
Type: Website Testing

Target name: Sites not owned by, maintained by, or under the control of Dell
Type: Website Testing

Target name: Dell, Dell EMC and RSA products
Type: Other

Target name: *.rsa.com/*
Type: Website Testing

Target name: https://www.rsaconference.com/
Type: Website Testing

Target name: RSA Conference Mobile Application (iOS)
Type: iOS

Target name: RSA Conference Mobile Application (Android)
Type: Android

Testing is only authorized on the targets listed as In-Scope. Any domain/property of Dell not listed in the targets section is out of scope. This includes any/all subdomains not listed above. If you believe you've identified a vulnerability on a system outside the scope, please send the report to support@bugcrowd.com.


Target Information

Web Applications:

All URLs listed in the In scope Targets section above are publicly accessible web applications. Researchers are invited to test all aspects of these applications. Please note: no credentials will be provided for testing.

Dell EMC Mobile Applications are publicly available on iOS and Android app stores.

  • The Dell EMC E-Lab Navigator (iOS) app is available in the iOS app store.
  • The Dell EMC E-Lab Navigator (Android) app is available in the Android app store.

Focus Areas

We are looking for any vulnerability that could negatively affect the security of our company and our customers. The main categories of vulnerabilities that we look for are the following:

  • Cross-site Scripting (XSS)
  • Cross-site Request Forgery
  • Server-Side Request Forgery (SSRF)
  • SQL Injection
  • Remote Code Execution (RCE)
  • XML External Entity Injection (XXE) with significant impact
  • Access Control Issues
  • Authentication Bypass Issues
  • Authorization Flaws
  • Privilege Escalation
  • Directory Traversal Issues
  • Sensitive Information Disclosure
  • Data Exposure
  • Business Logic Vulnerabilities

Excluded Submission Types

This program follows the Bugcrowd Vulnerability Rating Taxonomy, with the additional submission types listed below treated as excluded. Dell will not reward points for the following (including but not limited to) submission types:

  • Denial of service (DoS) attacks
  • Findings as reported by automated tools without additional analysis as to how and what is vulnerable
  • Open ports without an accompanying proof-of-concept (POC) demonstrating a vulnerability
  • Vulnerabilities only affecting users of outdated or unpatched browsers
  • Spam reports
  • Phishing and social engineering reports
  • Reports for credential and token leaks found in third party sites will not be accepted without strong evidence that the data is valid. The reports will also need to provide strong evidence that the leaked data is owned by Dell.

Program Rules

Legal Terms:

  • By participating in this VDP, you agree to be bound to the terms of this program brief (“Dell Terms & Conditions”).
  • These terms constitute the entire agreement between you and Dell, and are governed by Texas law. Any changes to these terms must be in writing.
  • The intent of this VDP is to encourage coordinated disclosure between you and Dell. Unless required by federal law or local law enforcement, Dell does not intend to pursue litigation against research and disclosure that meets the Dell Terms & Conditions.
  • If legal action is initiated by a third party against you relative to the VDP and you are in full compliance with the Dell Terms & Conditions, Dell may at its sole discretion take reasonable steps to help make it known that your actions were conducted in compliance with this program.
  • Dell will not publicly disclose the identity of any reporter without their consent, except where required by law.
  • Dell reserves the right to change or modify the Dell Terms & Conditions at any time. Please check for any updates to this program brief before creating a new submission.
  • By participating in this VDP program you waive any rights to the confidentiality of the submitted work and, further, you agree to grant Dell an irrevocable, worldwide, royalty-free, perpetual and transferable license to use the submitted research, disclosure and materials and you waive any claims against Dell based on Dell’s license or the rights granted.

Disclosure:

  • This VDP requires explicit permission from Dell to disclose the results of a submission.
  • Public disclosures made without Dell’s written permission will make the reporter ineligible for future participation in this or other disclosure or bug bounty programs by Dell.
  • Rewards will not be given for submissions which are publicly disclosed without written permission from Dell.

Rewards:

  • This VDP does not offer rewards for out-of-scope targets and excluded submission types.
  • Dell will not negotiate in response to duress or threats (e.g., we will not negotiate the payout amount under threat of withholding the vulnerability or threat of releasing the vulnerability or any exposed data to the public).
  • If multiple reports are received for the same issue the reward will be awarded to the earliest report with enough information to reproduce. Dell will not offer rewards for previously known issues. Dell determines duplicates at its sole discretion and will not share details on other reports.
  • Identical issues across different production and non-production environment counterparts will be considered duplicates.
  • Identical issues across different sub domains that share code will be considered duplicates.
  • Only reporters with valid submissions will be listed on the Dell Hall of Fame. Dell will not publish a Hall of Fame separate from Bugcrowd’s.

Testing:

  • Use only your assigned account for testing purposes. Do not attempt to gain access to another user’s accounts or compromise any user or Dell confidential information.
  • Testing must not violate any applicable laws or regulations or disrupt or compromise any data that is not your own. If you inadvertently cause a violation or disruption (such as accessing the data of other users, service configurations, or other confidential information) while testing, please report the incident immediately to secure@dell.com. Any data accessed during your testing must not be used, disclosed, stored, or recorded in any way.
  • Do not exploit a vulnerability you discover beyond what is needed to obtain the proof of concept.
  • Automated vulnerability scanning tools are strictly prohibited as part of this and any other Dell program.
  • Denial of Service (DoS) and Distributed Denial of Service (DDoS) based attacks are strictly prohibited as part of this and any other Dell program.

Eligibility

You are not eligible to participate in this program if you are:

  • A current employee of Dell or a Dell subsidiary, or an immediate family (parent, sibling, spouse, or child) or household member of such an employee.
  • A contingent staff member, contractor or vendor employee currently working with Dell.
  • A former employee or contractor of Dell who was involved in the development or testing of the Dell web property or application listed in the target section.
  • Located in a country subject to United States export or trade sanctions.

If you find a vulnerability that is not in the scope of this VDP, please send the report to secure@dell.com.

Program rules

This program follows Bugcrowd’s standard disclosure terms.