What's eligible for AT&T Bug Bounty?
Pretty much any security exposure on AT&T’s IP footprint is eligible for program recognition. We’re not just considering websites -- mobile/tablet apps and connected devices are included too!
What types of issues will be considered as part of the AT&T Bug Bounty program?
Anything that could realistically place the online security of AT&T or our customers at risk will be considered. We are, however, particularly interested in vulnerabilities that could expose customer or enterprise data.
There are a few exclusions which can be found on the AT&T Bug Bounty Website. Please read our terms/conditions, and if you have any questions send us a note at firstname.lastname@example.org.
You fixed my bug...where's my bounty?
We do not pay bounties on an individual basis at this time. Instead, AT&T provides monetary awards on a quarterly basis to the security researchers determined to be the Top 25 reporters. Only original reports are considered; duplicate reports do not qualify for Top 25 OR Hall of Fame recognition.
The Top 25 award notification & publication schedule is as follows:
||Top 25 Published
|1Q: January - March
|2Q: April - June
|3Q: July - September
|4Q: October - December
How can I increase my chances of getting an AT&T Bug Bounty "Top 25" award?
Typically we consider the severity of the bug, ease of exploit, and prominence of the site(s) or apps included in all remediated reports from a security researcher. This process is designed to recognize the most significant and impactful contributions.
Submissions that clearly articulate how the vulnerability leads to a compromise of customer or enterprise data or accounts, as well those that prove the existence of remote command execution vulnerability, are typically preferred for inclusion in our Top 25.
Less severe issues or bugs that require multiple or unusual steps on the part of a potential victim (such as installing a browser plug-in) may be included in our Hall of Fame, but usually don’t result in significant bounties.
Tip: Well written reports are a definite plus!
What makes up a well written report?
- Be clear as to what URL, app, or device is vulnerable.
- Provide a clear description of the bug you are reporting.
- Let us know how you found the bug, why you think it's a security risk, and provide step-by-step instructions on how to reproduce it.
- Include a clear description of how the exposure might be exploited by an attacker. Be brief and to the point.
- You can include a screenshot or video with your report, but make sure you do it from our website. If you include a video make sure it is clear (not grainy), brief, to the point. Note that there are file size limitations on bug report attachments.
- Report only one issue per submission.
- Do not violate our customer's privacy! If you detect a behavior indicating data leakage, or any other security exposure, report it! Let us know WHY you think it's an exposure and we'll check into it.
- Don’t report multiple URLs/sites in a single report.
- Don’t upload videos to YouTube or other file sharing services.
- Don't simply send us a URL with "click this" as the description.
- Don't rely solely on a screenshot or a video; make sure you provide all appropriate information in your report.
What are these Bug Badges?
Bug Badges - The purpose of bug
badges is to provide researchers with another form of incentive to submit
vulnerabilities. This program gives the researcher an achievement
status based on valid and closed reports in a calendar year.
5 to 24 points
- 5 valid, closed reports within a calendar year, a new icon for that reporter will be displayed indicating achievement of Bronze-level reporting status
25 to 49 points
- 25 valid, closed reports within a calendar year, a new icon for that reporter will be displayed (replacing the previous icon) indicating achievement of Silver-level reporting status
50 points +
- 50 valid, closed reports within a calendar year, a new icon for that reporter will be displayed (replacing the previous icon) indicating achievement of Gold-level reporting status
What's taking so long to remediate my reported issue?
We take your reports seriously and do our best to address issues as quickly possible. Depending on the specific issue, it can take anywhere from a few hours to several months for a fix to be implemented.
Practical realities, such as the complexity of the environment and other priorities can all impact our responsiveness. There are also times when we may elect to defer remediation due to pending site upgrades and other such factors.
Why do you not respond to my request for information?
Our apologies, but we get a lot of questions and just do not have the staff to respond to individual requests for information. Be assured, however, that we are working on ways to communicate better and more efficiently in the future.
Thanks for your understanding!
I want to point to my success detecting security issues on your site to future employers but Section 5 seems to prevent me from doing that. What can I do?
Please drop us a note at email@example.com. We’re happy to support disclosure and make sure you get credit from other organizations for your work once we’re sure our customers are not at risk. Our goal is simply to address vulnerabilities before publication so that we don’t have bad people reproducing your work for malicious ends.
What do you mean by "duplicate" submission...and why didn't you tell me when I first submitted the report?
We consider any submission reporting a security vulnerability that was already know to us, either because of a previous bug bounty report or because we had already detected it ourselves, as a duplicate submission.
In order to best protect our customers, AT&T’s policy is to hold back on making any notifications on duplicate report conditions until we have remediated the potential exposure.
Why was my report of "Unvalidated Redirects and Forwards" rejected?
When testing our environment for open redirects keep in mind that AT&T operates at a very large scale. Avoid using redirects to domains of common web-based service providers such as Yahoo!, Twitter, or Facebook, in your proof-of-vulnerability analysis.