Welcome to the AT&T Bug Bounty Program! This program encourages and rewards contributions by developers and security researchers who help make AT&T's online environment more secure. Through this program AT&T provides monetary rewards and/or public recognition for security vulnerabilities responsibly disclosed to us.
The AT&T Bug Bounty Program applies to security vulnerabilities found within AT&T's public-facing online environment. This includes, but is not limited to, AT&T’s websites, exposed APIs, mobile applications, and devices.
A security bug is an error, flaw, mistake, failure, or fault in a computer program or system that impacts the security of a device, system, network, or data. Any security bug may be considered for this program; however, it must be a new, previously unreported, vulnerability in order to be eligible for reward or recognition. Typically the in-scope submissions will include high impact bugs; however, any vulnerability that could realistically place the online security of AT&T, our customers, or the public at large at risk is in scope and might be rewarded.
Bugs which directly or indirectly affect the confidentiality or integrity of user data or privacy are prime candidates for a reward. Some characteristics that are considered when "qualifying" bugs include those that:
Directly or indirectly affect the confidentiality or integrity of user data or privacy
Compromise the integrity of the system
Enable unauthorized access to significant data or resources
Enable the running of unauthorized code
Increase privileges or access beyond that which is intended
Interfere with or bypass security controls or mechanisms
Are exploitable (i.e. not purely theoretical)
Can be launched remotely
Could cause damage to a user's system
AT&T Bug Bounty Program Board members, at their sole discretion, determine which bugs are considered as candidates for a reward, as well as the final reward recipients. See the Awarding Process for further details.
There are categories of bugs which are definitively excluded from reward in the AT&T Bug Bounty Program:
Attacks against AT&T infrastructure
Social engineering and physical attacks
Distributed Denial of Service attacks that require large volumes of data
Provisioning and/or usability issues
Violations of licenses or other restrictions applicable to any vendor's product
Security bugs in third-party products or websites that are not under AT&T’s direct control
Duplicate reports of security issues, including security issues that have already been identified internally
Tenant/cloud systems executing in an Internet Data Center (IDC), where AT&T is simply acting as the site host
Employee Resource Group (ERG) websites
Clickjacking reports against unauthenticated pages and/or static content resources
Reports of missing SPF records for domains with no MX record
Vulnerabilities that are a result of malware
Theoretical security issues with no realistic exploit scenario(s) or attack surfaces, or issues that would require complex end user interactions to be exploited, may be excluded
Issues determined to be low impact may be excluded
In addition, the submitter:
Must not be the author of the code with the vulnerability
Must not be employed by AT&T directly or indirectly
Vulnerabilities that are disclosed to any party other than AT&T, including vulnerability brokers, will usually not qualify for Bug Bounty reward. This includes both full public disclosure and limited private release.
There are constraints on who may participate in the AT&T Bug Bounty Program (the "Program"). In addition, there may be additional restrictions depending upon applicable local laws.
The parties to this agreement are you and AT&T Services.
"AT&T Services" refers to AT&T Services, Inc., and "AT&T" refers to AT&T Services and its affiliates.
You must abide by the law.
AT&T employees, contractors, and their families are not eligible for rewards.
Please submit your report as soon as you have discovered a potential vulnerability. By submitting the vulnerability, you affirm that you have not disclosed and agree that you will not disclose the bug or your submission to anyone other than AT&T via the AT&T Bug Bounty Process. Absent AT&T's prior written consent, any disclosure outside of this process would violate this Agreement. It is understood and agreed that money damages would not be a sufficient remedy for any breach of this paragraph by you or your representative(s) and that AT&T shall be entitled to specific performance as a remedy for any such breach, including injunctive relief. Such remedy shall not be deemed to be the exclusive remedy for any such breach but shall be in addition to all other remedies available at law or equity to AT&T.
Submissions selected for rewards, and the individuals who submitted the vulnerabilities will receive appropriate recognition at the discretion of AT&T.
By submitting information about a potential vulnerability, you are agreeing to these terms and conditions and granting AT&T a worldwide, royalty-free, non-exclusive license to use your submission for the purpose of addressing vulnerabilities. Only the first report of a given issue that AT&T had not yet identified is eligible. In the event of a duplicate submission, only the earliest received report is considered.
Eligibility for rewards and determination of the recipients and amount of reward is left up to the discretion of AT&T.
The Program is focused predominantly on: Internet-facing AT&T websites executing on internet domains that provide significant business value to AT&T, and are supported directly by AT&T and its suppliers; AT&T-branded mobile applications; AT&T-branded devices; and the AT&T API Platform. Vulnerabilities submitted outside this scope are generally less likely to receive recognition or rewards under this Program.
You are responsible for all taxes associated with and imposed on any reward you may receive from AT&T Services. You must submit to AT&T Services, prior to a reward payment being processed, a valid Form W-8BEN, W-8BEN-E, W-8ECI, W-8EXP, W-8IMY, or W-9 (or any successor form prescribed by the IRS). If you are not a US national, you must also submit to AT&T Services, prior to a reward payment being processed, a completed Foreign Vendor Questionnaire. AT&T may reduce any reward by the amount of any tax imposed on you that AT&T is required to pay directly to a taxing or other governmental authority. Reward payments are made via EFT (domestic) or SWIFT (international) so appropriate routing and/or SWIFT account information along with documented banking information for the account funds are being transferred to must be submitted to AT&T Services prior to a reward payment being processed. Payments may also be processed via PayPal, however you will be responsible for all fees associated with this service.
You are responsible for notifying AT&T of any changes to your contact information, including but not limited to your email address. Failure to do so may lead to the forfeiture of Bounty Awards.
You have 60 days from the date of initial notification to respond to Bounty Award notifications and provide completed tax forms. Failure to respond within 60 days will lead to the forfeiture of Bounty Awards.
AT&T Services reserves the right to discontinue the Program at any time without notice.
If you or your bank are on a sanctions lists or are in a country on a sanctions list (e.g. Cuba, Iran, North Korea, Sudan and Syria), then you are ineligible to receive a reward payment.
You may only exploit, investigate, or target vulnerabilities against your own accounts. Testing must not violate any law, or disrupt or compromise any data or access data that is not yours; intentional access of customer data other than your own is expressly prohibited.
If you inadvertently access proprietary customer, employee, or business related information during your testing, the information must not be used, disclosed, stored, or recorded in any way. Inadvertent access of the data must be declared within your submission.
Your testing activities must not negatively impact AT&T, or AT&T's online environment availability or performance.
AT&T reserves the right of non-remediation at its sole discretion.
This agreement constitutes the entire agreement of the parties with respect to the items listed above. This agreement may be amended or modified only by a subsequent agreement in writing.
If any portion of this agreement is found to be illegal or unenforceable, then the parties shall be relieved of their responsibilities arising under such portion, but only to the extent that such portion is illegal or unenforceable.