Bug Bounty Program
Earthlink looks forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe.
Rewards
Our rewards are based on severity per CVSS (the Common Vulnerability Scoring System). Please note these are general guidelines, and reward decisions are at the discretion of Earthlink.
- CVSS 9.0 - 10.0 (Critical): $2000
- CVSS 8.0 - 8.9 (High): $1000
- CVSS 7.0 - 7.9 (High): $750
- CVSS 5.0 - 6.9 (Medium): $500
- CVSS 4.0 - 4.9 (Medium): $300
- CVSS 0.1 - 3.9 (Low): $250
Disclosure Policy
- Let us know as soon as possible upon discovery of a potential security issue.
- Respect privacy. Make a good faith effort not to access or destroy users' data.
- Be patient. Make a good faith effort to clarify and answer all Earthlink’s questions and inquiries.
- Do no harm. Act for the common good through the prompt reporting of all found vulnerabilities.
- Be cautious. During your research, if you think a test you have to perform could have a significant impact on service or data integrity (data may be corrupted or completely destroyed), inform the Earthlink security team in advance and work with them to obtain specific approval and to mitigate any potential damage.
Program Rules
- Provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
- Submit one vulnerability per report, unless you need to chain vulnerabilities to demonstrate impact.
- When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced and meets all other requirements).
- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
- Only interact with accounts you own or with explicit permission of the account holder.
Program Scope
- Remote Code Execution
- SQL Injection
- Unrestricted File System Access
- Significant Authentication / Authorization Bypass
- Cross-Site Scripting (excluding self-XSS)
- Cross-Site Request Forgery on critical actions (such as changing username/password)
- Any vulnerability that affects our users/servers
- DoS attacks
Out of scope vulnerabilities
- CSRF on forms that are available to anonymous users (e.g. Contact Forms)
- Self-XSS or XSS bugs requiring an unlikely amount of user interaction
- Missing HTTP security headers, specifically: Strict-Transport-Security, X-Frame-Options, X-XSS-Protection, X-Content-Type-Options, and Content-Security-Policy
- Vulnerabilities affecting users of outdated or unsupported browsers or platforms
- Reports of spam, phishing or security best practices
- Tabnabbing
- Email configuration issues (SPF, DKIM, DMARC)
- Weak Captcha / Captcha Bypass
- Forced Login / Logout CSRF
- DDoS attacks
- Spreading malware/virus into our network
- Social engineering (e.g. phishing, vishing, smishing)