Program Scope

Includes previously unknown security and privacy issues in the following products:

  • Bright Data website - https://brightdata.com
  • Bright Data partner SDK (latest version)
Any design or implementation issue that affects the confidentiality or integrity of customer or SDK user data is likely to be in scope for the program.

Qualifying vulnerabilities

Common examples include:
  • Cross-Site Scripting
  • Cross-Site Request Forgery - CSRF/XSRF
  • Authentication or Authorization flaws
  • Remote Code Execution - Servers
  • Remote Code Execution - SDK
  • Access of internal company web pages via installed SDK

Out of Scope

  • Do NOT attempt any DoS attacks; they are not helpful at all
  • Do NOT use any testing tools that automatically generate large volumes of traffic; this will automatically disqualify you from all bug bounties
  • Do NOT try to hack real customer accounts; keeping the privacy and security of our customers is important, so use your own accounts
  • Minor UI/UX bugs - we are always happy to hear from you about things we can improve, but we don't have rewards for bugs that are not vulnerabilities
  • Previously reported issues - the first report to clearly demonstrate an issue gets the reward
IMPORTANT: Not making a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service during your research will automatically disqualify you from all bug bounties.

Rewards

Up to $300
  • Web: Cross-site scripting
  • Web: CSRF, Clickjacking
  • Security-related misconfiguration on production server or client software
  • Help us keep our network safer by reporting a misused Bright Data account on the web
Up to $1000
  • Remote code execution on an SDK user
  • Data extraction from a production server
  • Access control issue which exposes Personally Identifiable Information
  • Access control issue which allows viewing/controlling another customer's account
Up to $2000
  • Remote code execution on production server
  • Significant authentication bypass on production server containing critical information
Any rewards that are unclaimed after 2 months will be canceled.
The final reward is always chosen at the discretion of the team investigating the issue. We may decide to pay higher rewards for unusually severe security issues, decide to pay lower rewards for vulnerabilities with a very low likelihood to occur, decide that a single report actually consists of several bugs, or that several reports are actually the same issue.

Reporting bugs

Any additional information (network data, usage examples, specs or videos) is welcome. Reports should be submitted in English and contain the following sections:

  • Overview: Short technical description
  • Proof Of Concept: Detailed steps on how to reproduce the vulnerability
  • Impact: Explanation of how the attack could be executed in a real world scenario
  • Suggested Fix: how this vulnerability should be addressed
  • Allowed file extensions as attachment: .jpg, .png, .gif, .txt, .csv, .wav, .mp4, .webm, .flv, .ogg, .wmv or link to the uploaded file in cloud storage

Bounty Payments

Bounty payments are subject to the following restrictions:

  • Minors are welcome to participate in the program. However, the Children's Online Privacy Protection Act restricts our ability to collect personal information from children under 13, so you will need to claim your bounties through your parent or legal guardian if you are 12 or younger.
  • All payments will be made in U.S. dollars (USD) and will comply with local laws, regulations and ethics rules. You are responsible for the tax consequences of any bounty you receive, as determined by the laws of your country.
  • It is your sole responsibility to comply with any policies your employer may have that would affect your eligibility to participate in this bounty program.