Bright Data is constantly on the lookout for security vulnerabilities in order to safeguard the privacy and security of our customers, SDK partners and their users. If you have found a security or privacy issue in any of our products we'll be very interested in hearing about it and working with you to resolve it.
The program covers previously unknown security and privacy issues in the following products:
Bright Data website - https://brightdata.com
Bright Data partner SDK (latest version)
Any design or implementation issue that affects the confidentiality or integrity of customer or SDK user data is likely to be in scope for the program. Common examples include:
Cross-Site Request Forgery - CSRF/XSRF
Authentication or Authorization flaws
Remote Code Execution - Servers
Remote Code Execution - SDK
Access of internal company web pages via installed SDK
Do NOT attempt any DoS attacks; it's not helpful at all
Do NOT use any testing tools that automatically generate large volumes of traffic; this will automatically disqualify you from all bug bounties
Do NOT try to hack real customer accounts; keeping the privacy and security of our customers is important, so use your own accounts
Minor UI/UX bugs - we are always happy to hear from you about things we can improve, but we don't have rewards for bugs that are not vulnerabilities
Previously reported issues - the first report to clearly demonstrate an issue gets the reward
Out of Scope
IMPORTANT: Not making a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service during your research will automatically disqualify you from all bug bounties.
Web: Cross-site scripting
Web: CSRF Clickjacking
Security related misconfiguration on production server or client software
Help us keep our network safer by reporting on a misused Bright Data account on the web
Remote code execution on an SDK user
Data extraction from a production server
Access control issue which exposes Personally Identifiable Information
Access control issue which allows viewing/controlling another customer's account
Remote code execution on production server
Significant authentication bypass on production server containing critical information
Any rewards that are unclaimed after 2 months will be canceled.
The final reward is always chosen at the discretion of the team investigating the issue. We may decide to pay higher rewards for unusually severe security issues, pay lower rewards for vulnerabilities with a very low likelihood of occurring, decide that a single report actually consists of several bugs, or decide that several reports are actually the same issue.
Any additional information - network data, usage examples, specs or videos - is welcome. Reports should be submitted in English.
Overview: Short technical description
Proof Of Concept: Detailed steps on how to reproduce the vulnerability
Impact: Explanation of how the attack could be executed in a real world scenario
Suggested Fix: how this vulnerability should be addressed
Allowed file extensions for attachments: .jpg, .png, .gif, .txt, .csv, .wav, .mp4, .webm, .flv, .ogg, .wmv, or a link to the file uploaded to cloud storage
Bounty payments are subject to the following restrictions:
Minors are welcome to participate in the program. However, the Children's Online Privacy Protection Act restricts our ability to collect personal information from children under 13, so you will need to claim your bounties through your parent or legal guardian if you are 12 or younger.
All payments will be made in U.S. dollars (USD) and will comply with local laws, regulations and ethics rules. You are responsible for the tax consequences of any bounty you receive, as determined by the laws of your country.
It is your sole responsibility to comply with any policies your employer may have that would affect your eligibility to participate in this bounty program.