Twilio

Out of Scope

• All Third party hosted services, such as support.twilio.com are explicitly out of scope.
• Ytica and its assets are explicitly out of scope.

Ground Rules

• Once a vulnerability is found please file a submission immediately. Our security team will investigate and assess the impact.
• Network Level DDoS/DoS attacks are forbidden. Application volumetric DDoS/DoS attacks are forbidden, if you find a request that takes too long to answer report it, please do not try to DoS the service.
• Interacting with real customers is forbidden.
• To prevent being locked out please throttle automated testing
• Please note, if you think you have found a problem but cannot prove it without accessing Twilio's Internal Systems, please submit your finding and we'll be happy to work with you for validation.

Focus Areas

• Authy
  • API (Researchers should use trial accounts to test the API)
  • All Authy applications (iOS, Android, Chrome App, OSx and Windows)
  • Researchers are encouraged to create accounts with our service as part of testing
• SIP Endoint
  • www.twilio.com/user/account/sip-trunking/trunks/add
• SIP Endpoint
  • www.twilio.com/docs/sip
• Video
  • Once account is created you can access and enable video here: www.twilio.com/user/account/video/getting-started
• Twilio WebRTC Client
  • www.twilio.com/help/faw/twilio-client
  • Researchers should use trial accounts (as above) to test WebRTC Client and backend
• Lookups API
  • www.twilio.com/docs/api/rest/lookups
• Monitor API
  • www.twilio.com/docs/api/rest/monitor-events
• Pricing API
  • www.twilio.com/docs/api/rest/pricing
• Network Traversal Service
  • www.twilio.com/docs/stun-turn
• TaskRouter
  • taskrouter.twilio.com
• API
  • api.twilio.com
  • Researchers should use trial accounts (as above) to test API
• Website and Account Portal
  • www.twilio.com
  • Researchers are encouraged to create accounts with our service as part of testing
• Any Host verified to be owned by Twilio (domains / IP Space/ etc)

Exclusions

• "Session too long," password reset/change logout or other intended business functionality
• Flaws in customer applications or SDK code
• Best practice security headers (Including Cross-Origin Resource and Host header issues) Rules
• Bounties are awarded at the discretion of the Twilio Security Team
• You must not interact or attempt to access any account without the account owner's permission
• Multiple bounties will not be awarded for variations or multiple instances of the same bug
• Duplicate entries will only be awarded to the first submission
• WordPress related findings
• TwimlBin related findings
• store.twilio.com
• Flash findings that require Flash to be enabled (especially XSS requiring extra clicks in modern browsers) will be P4 or P5 depending on the domain
• OpenVBX related findings
• BeepSend Subdomain Takeovers [Temporary Exclusion]
• Subdomain takeovers of TLD's used for demo or test purposes only [such as companyfoo.com]
• Demo websites e.g. lab.authy.com
• All Kurento domains
• twiliotraining.com

This bounty follows Bugcrowd’s Standard Disclosure Terms.