Barracuda Networks updates Terms and Conditions of the Bug Bounty Program

Barracuda Networks updates Terms and Conditions of the Bug Bounty Program

Today Barracuda Networks informed all their customers about the following Informations, regarding updates in their Bug Bounty program. Barracuda Labs did some changes to their Bounty Program terms and conditions.

The main updates are in the "what classes of bugs are in scope" section and they're also about to pay an higher bug bounty reward for clean nature and high quality reports.

The highlights of the Barracuda Networks notification includes:

• Clarification on which types of vulnerabilities are eligible for awards and which are not

• Increased bounty awards for especially well written reports

• Updates to the bounty award payment options.

You can find the complete program description here: https://barracudalabs.com/research-resources/bug-bounty-program/

They also updating the organization of our Hall of Fame. With their next update, they are eliminating the Gold, Silver, and Bronze levels in favor of listing our contributors by lifetime bounty award amount and number of reports. With this change, Bounty Hunters & Researchers can expect more timely updates to the listing.

What classes of bug are in scope?

In scope bug types include those that compromise confidentiality, availability, integrity or authentication. For example: remote exploits, privilege escalation, persistent cross site scripting, code execution, command injection. Use of automated testing tools; social engineering; denial of service; physical attacks; attacks against Barracuda Networks’ customers; attacks against Barracuda Networks’ corporate infrastructure or demo servers are specifically excluded from bounty awards and may be violations of local laws.

• Clickjacking and UI Redress Attacks. Not all web or service content which can be included in a third party site is vulnerable to attack. To be considered for an award, reports of clickjacking must demonstrate sensitive content which an attacker can control in this manner.

• Bugs requiring highly unlikely user behavior. For example, a cross-site scripting flaw that requires the victim to authenticate with their appliance or service and then manually enter the attack string. We consider these low priority issues which have negligible impact in a production environment.

• Logout cross-site request forgery. Weaknesses like this may cause a user annoyance but does not pose a significant threat to the confidentiality or integrity of our systems and will probably not be awarded a bounty. Other vendors, such as Google, treat issues of this class the same way that we do.

• Flaws requiring the victim to use out-of-date browsers and plugins. Securing web applications requires clients and services to continuously improve their security posture to meet emerging threats. It is practically impossible for a service to account for weaknesses in all out of date clients.

• Banner/version information. Version information alone does not indicate the presence of a vulnerability and, by itself, will not be awarded a bounty. To receive a bounty, you must include a reference to a known vulnerability in the version you discovered.

• Reports regarding websites/service Barracuda does not own. We cannot accept responsibility for vulnerabilities reported against domains like barracuda.com.tw which do not belong to us. Before sending us information about a website, please confirm that it does, in fact, belong to us.

• Reports against product blogs/websites. Some of our products have websites associated with them (for example, www.cudatel.com). As stated above, only the products themselves are in the scope of the program. We are happy to know of issues with our web properties and we will fix them but they are excluded from the bounty award consideration process.

Source: 
https://barracudalabs.com/research-resources/bug-bounty-program/
https://www.barracuda.com/
https://barracudalabs.com/