Dell Technologies ("Dell") recognizes the value of the security community to create a more secure world and welcomes the opportunity to collaborate with community members who share this common goal.
This bug bounty program (the “Bug Bounty Program”) is limited to those security vulnerabilities identified within the dell.com and delltechnologies.com pages listed as in scope in the Targets section below. Please carefully review the inclusions and exclusions detailed in the sections below.
Note: All other Dell products, applications and online properties are excluded from this Bug Bounty Program.
For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher. Please see below for any exceptions from the standard VRT.
Dell does not accept or make payment for reports of stolen or compromised credentials that are sourced from sanctioned entities, sanctioned individuals, or sanctioned locations. Dell will request affirmation from the researcher that the credentials were not obtained through a source to which the researcher paid money or other consideration.
For submissions regarding GitHub Credentials, all findings will be initially rated as a P5. Once the finding has been determined to have a real impact, it will be upgraded accordingly. Remember, it is beneficial to include the sensitive information in your finding along with the link to help speed up the validation process.
Vulnerabilities in Dell websites and services not explicitly out of scope or explicitly in scope of this program will be rated as a P5.
When reporting an issue to this program, please be sure to include the following:
- The description, VRT, Target, and Bug URL fields should all be filled in.
- Detailed replication steps (how to replicate this issue, in a step-by-step manner that could be followed even by persons not involved in security)
- A real-world exploit scenario (elaborate on WHAT an attacker could do with this vulnerability, and HOW they would go about doing so; please do not deal in extreme hypotheticals, e.g. those that would require the intervention of a nation-state, etc.)
Scope and rewards
This program follows Bugcrowd’s standard disclosure terms.
For any testing issues (such as broken credentials, inaccessible application, or Bugcrowd Ninja email problems), please email firstname.lastname@example.org. We will address your issue as soon as possible.
This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.