FireEye Bug Bounty Program

  • $50 – $2,500 per vulnerability
  • Safe harbor
  • Managed by Bugcrowd

Program stats

84 vulnerabilities rewarded

Validation within 2 days
75% of submissions are accepted or rejected within 2 days

$383.89 average payout (last 3 months)

Disclosure

Please note: This program does not allow disclosure. You may not release information about vulnerabilities found in this program to the public.

Bug Bounty Program

FireEye cares deeply about our products, services, business applications, and infrastructure security. As security researchers ourselves, FireEye understands the importance of investigating and responding to security issues. We also realize that despite our efforts to eradicate security vulnerabilities from our products and services, there will always be emerging threats, new vulnerabilities, and opportunities to improve. To that end, FireEye believes wholeheartedly in embracing the public research community when security issues are discovered and working with security researchers to fix the identified issue and remediate any related and/or underlying systemic issues to further improve our security posture.

In the interest of protecting our customers, we provide the public research community the opportunity to engage, report, and receive credit for their work. While engaging with us, we ask that reporters honor responsible disclosure principles and processes and give FireEye an opportunity to evaluate, respond, and if necessary, remediate any confirmed security vulnerabilities prior to public disclosure.

Please do NOT test the 'contact us', 'support', or 'report an incident' forms, as this creates extra work for people at FireEye. For clarity's sake, the URLs FireEye requests you NOT to test are listed below and are also stated in the 'Out of Scope' Targets section:

  • https://www.fireeye.com/company/incident-response.html
  • https://www.fireeye.com/company/contact-us.html
  • https://engage.fireeye.com/cloudvisibilityworkshop
  • https://ambassadors.fireeye.com

Please sign up yourself with your @bugcrowdninja.com email where possible.

Ratings and Rewards:

For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability's priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher, along with the opportunity to appeal and make a case for a higher priority.

Reward range

Technical severity   Reward range
P1 Critical          $1,500 - $2,500
P2 Severe            $800 - $1,250
P3 Moderate          $200 - $500
P4 Low               $50 - $150

P5 submissions do not receive any rewards for this program.

Targets

In scope

Target name | Type | Tags
*.fireeye.com | Website Testing | jQuery, Modernizr, Java, AWS, Adobe Experience Manager, Website Testing
*.fireeye.market | Website Testing | ReactJS, Amazon S3, Website Testing
*.fireeye.dev | Website Testing | ReactJS, Gatsby, Javascript, AWS, Amazon S3, Amazon Cloudfront, Website Testing
*.mandiant.com | Website Testing | Website Testing
*.verodin.com | Website Testing | jQuery, PHP, Website Testing
*.isightpartners.com | Website Testing | Website Testing
*.flare-on.com | Website Testing | jQuery, Javascript, Website Testing
*.fireeyecloud.com | Website Testing | Website Testing
*.cloudvisory.com | Website Testing | Website Testing, Bootstrap, nginx, Amazon Cloudfront
Localized FireEye Websites (fireeye.de, fireeye.jp, etc.) | Website Testing | jQuery, Modernizr, Java, Website Testing
DNS Configuration Issues | Website Testing | DNS, Website Testing

Out of scope

Target name | Type
FireEye systems or products in AWS GovCloud | Other
Third-party products that may be used by FireEye | Other
http://community.fireeye.dev/ | Website Testing
*.theemaillaundry.com | Website Testing
Systems or vulnerabilities that expose no sensitive data or functionality, such as those used to test or demonstrate FireEye products or services | Other
https://www.fireeye.com/company/incident-response.html (Form Submission) | Website Testing
https://www.fireeye.com/company/contact-us.html (Form Submission) | Website Testing
https://engage.fireeye.com/cloudvisibilityworkshop (Form Submission) | Website Testing
Rate Limiting Attacks | Website Testing
FireEye Ambassadors | Website Testing

Testing is only authorized on the targets listed as In-Scope. Any domain/property of FireEye not listed in the targets section is out of scope. This includes any/all subdomains not listed above. If you happen to identify a security vulnerability on a target that is not in scope but that demonstrably belongs to the FireEye organization, it may be reported to https://www.fireeye.com/company/security.html. However, be aware that such reports are ineligible for rewards or points-based compensation.

Please do not test the 'contact us' or 'support' forms, as this creates extra work for people at FireEye who are not on the Security Team.

Credentials:

No credentials are provided for this engagement. Please sign up yourself with your @bugcrowdninja.com email where possible.

Excluded Finding Types

  • Submissions related to DMARC
  • Missing SPF Records
  • No rate limiting
  • Submissions for 3rd party site partners.fireeye.com
  • Submissions for theemaillaundry.com sites

The above finding types are deemed to be low impact by the FireEye team. While researchers are welcome to submit these reports, they will not be eligible for monetary rewards.

Out of Scope:

  • Social engineering attacks
  • Physical security attacks
  • Denial of service attacks
  • Attacks requiring physical or administrative access to the system hosting a FireEye product
  • Submitting support tickets, Mandiant Incident Response requests, or anything else that will generate work for FireEye employees outside of the security team
  • FireEye Ambassadors (https://ambassadors.fireeye.com/)

Compliance

To protect our customers, employees, and business, we request security researchers to maintain compliance with this policy. In addition, all research activity must be compliant with the following:

  • Do not perform research on FireEye products licensed, owned, or operated by a FireEye customer without their express permission. For example, if you are an employee of a FireEye customer, you may not use your employer’s FireEye product for security research without clearing it with the relevant management team at your company (such as the CISO or VP of Security)
  • FireEye customers are encouraged to use the FireEye Support Portal to report issues in FireEye products and services.
  • FireEye employees, contractors, and family members of an employee or contractor are not eligible for this bug bounty program.
  • Issues that fall outside of this bug bounty program can be reported to the FireEye Responsible Disclosure Program.

Safe Harbor

We consider research conducted under this policy to be:

  • Authorized in view of any applicable anti-hacking laws, and we will not initiate or support legal action against you for accidental, good faith violations of this policy;
  • Authorized in view of relevant anti-circumvention laws, and we will not bring a claim against you for circumvention of technology controls;
  • Exempt from restrictions in our license agreements and any Acceptable Usage Policy that would interfere with conducting security research, and we waive those restrictions on a limited basis, conditioned upon compliance with this policy; and
  • Lawful, helpful to the overall security of the Internet, and conducted in good faith.

You are expected, as always, to comply with all applicable laws. If legal action is initiated by a third party against you and you have complied with this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please submit a report to support@bugcrowd.com before going any further.

Program rules

This program follows Bugcrowd’s standard disclosure terms.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.