- $100 – $10,000 per vulnerability
Verisign Responsible Disclosure Program Terms:
We appreciate security researchers who help us keep Verisign employees and systems secure by reporting vulnerabilities in our services or infrastructure. Researchers who report such vulnerabilities may receive monetary bounties subject to the terms and conditions outlined below. To qualify for a bounty, researchers must meet the following requirements:
- You must adhere to our Responsible Disclosure Policy (see below).
- Your report must address one of the in-scope Targets listed under “Bug Bounty Program Scope" and must identify an eligible vulnerability (see below).
- We specifically exclude certain targets as out-of-scope and certain security issues as ineligible (see below).
- You should provide sufficient proof of the vulnerability, such as a written description of the vulnerability or a screenshot demonstrating its existence.
- You agree to convey any and all intellectual property rights arising from or relating to each vulnerability you provide under Verisign's Program Brief.
- If you inadvertently access account data, service configurations, or other confidential information (collectively “Data") while investigating an issue, you are prohibited from saving, storing, transferring or otherwise further accessing any and all such Data after discovery.
In turn, we follow these guidelines when evaluating reports under our bug bounty program:
- We investigate all reports and respond to all reports relating to in-scope targets and eligible vulnerabilities. Due to the volume of reports we receive, we prioritize evaluations based on risk and other factors, and it may take some time before you receive a reply.
- We determine bounty amounts based on a variety of factors, including (but not limited to) impact, ease of exploitation, and quality of the report. You can find further information in our Rewards Guidelines below.
- We generally pay similar amounts for similar issues, but bounty amounts and qualifying issues may change over time. Past rewards do not necessarily guarantee similar results in the future.
- In the event of duplicate reports addressing the same vulnerability, we award a bounty to the first person to report an issue with sufficient proof.
- We reserve the right to publish reports (and accompanying updates).
- We may post a list of researchers who have submitted valid security reports. If you receive a bounty for discovery of a vulnerability, you are eligible to be included in this list, but you may opt not to be included if you wish. We reserve the right to limit or modify the information accompanying your name in the list.
- [Bugcrowd] verifies that all bounty awards are permitted by applicable laws, including (but not limited to) US trade sanctions and economic restrictions.
- Verisign employees and their immediate family are not eligible to participate.
Verisign Responsible Disclosure Policy:
Verisign expressly authorizes researching and reporting security issues in a manner that complies with the policies below, and, Verisign will not initiate a lawsuit against you or seek any law enforcement investigation against you in response to such authorized research and reports. We require that:
- You make a good faith effort to avoid privacy violations and disruptions to others. You specifically should avoid unauthorized access to, or destruction of, data and interruption or degradation of our services.
- You do not exploit a security issue you discover for any reason. Impermissible exploitation includes, but is not limited to, actions intended to demonstrate the potential impact or risk of the vulnerability, such as attempts to compromise sensitive company data or probing for additional issues related to an eligible vulnerability in an in-scope target that exceeds any of the policies addressed here.
- You do not intentionally violate any applicable laws or regulations, including (but not limited to) laws and regulations prohibiting the unauthorized access to data.
You are not authorized to access user data or company data, including (but not limited to) personally identifiable information or other data relating to an identified or identifiable natural person. If you inadvertently access personal or company data while investigating an issue, you are prohibited from saving, storing, transferring or otherwise further accessing any and all such data after discovery.
Bug Bounty Program Scope:
Below is a list of in-scope and out-of-scope servers and websites, and a list of eligible and ineligible vulnerabilities to help guide your research. If you are unsure whether a service or vulnerability will qualify you for a bounty or not, feel free to ask email@example.com.
Scope and rewards
This program follows Bugcrowd’s standard disclosure terms.
For any testing issues (such as broken credentials, inaccessible application, or Bugcrowd Ninja email problems), please email firstname.lastname@example.org. We will address your issue as soon as possible.
This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.