Welcome to the AT&T Bug Bounty Program! We now use a pay per vulnerability model and utilize the HackerOne platform! The Program encourages and rewards contributions by developers and security researchers who help make AT&T's public-facing online environment more secure. Through the Program AT&T provides monetary rewards and/or public recognition for security vulnerabilities responsibly disclosed to us.

The following explains the details of the Program. If you are new to our Program, please be sure to review the Program Guidelines, Program Exclusions, and Terms and Conditions, as well as the Reporting and Payment Process prior to making a submission.

Report Bug

 

Program Guidelines

Program Exclusions

Program Terms and Conditions

Reporting Process

Awarding Process

Change to Program Terms

Frequently Asked Questions

 

Program Guidelines

The Program applies to security vulnerabilities found within AT&T's Environment, which includes, but is not limited to, AT&T’s websites, exposed APIs, mobile applications, and devices. At this time, any vulnerabilities submitted that are specific to WarnerMedia assets, including HBO, are out-of-scope of the AT&T program and are therefore ineligible for bounty rewards.

A security vulnerability is generally an error, flaw, mistake, failure, or fault in a computer program or system that impacts the security of a device, system, network, or data. Any security vulnerability may be considered for the Program; however, it must be a new, previously unreported, vulnerability in order to be eligible for reward or recognition. Typically, in-scope submissions will include high impact vulnerabilities. However, any vulnerability that could realistically place the online security of AT&T, our customers, or the public at large at risk is in scope and might be rewarded.

Vulnerabilities which directly or indirectly affect the confidentiality or integrity of user data or privacy are prime candidates for a reward. Some characteristics that are considered when "qualifying" vulnerabilities include those that:

Back to top


Program Exclusions

The following categories of vulnerabilities are excluded from reward in the Program unless otherwise directed by AT&T:

In addition, the submitter:

Vulnerabilities that are disclosed to any party other than AT&T, including vulnerability brokers, will not qualify for reward. This includes both public disclosure and limited private release.

Back to top


Program Terms and Conditions

The following Terms and Conditions apply to the Program:

  1. "AT&T" refers to AT&T Services, Inc., and its affiliates.
  2. You must comply with the Program and abide by the law.
  3. AT&T employees, contractors, and their families are not eligible for rewards.
  4. You must submit your report as soon as you have discovered a potential vulnerability. By submitting the vulnerability, you affirm that you have not disclosed and agree that you will not disclose the vulnerability or your submission to anyone other than AT&T following the process set forth in the Program. Absent AT&T's prior written consent, any disclosure would violate the Program. It is understood and agreed that money damages would not be a sufficient remedy for any breach of this paragraph by you or your representative(s) and that AT&T shall be entitled to specific performance as a remedy for any such breach, including injunctive relief. Such remedy shall not be deemed to be the exclusive remedy for any such breach but shall be in addition to all other remedies available at law or equity to AT&T.
  5. Submissions selected for rewards, and the individuals who submitted the vulnerabilities will receive recognition at the sole discretion of AT&T.
  6. By submitting information about a potential vulnerability, you agree to all Program Terms and Conditions and grant AT&T a worldwide, royalty-free, non-exclusive license to use your submission. Only the first submission of a given potential vulnerability that AT&T has not yet identified is eligible. In the event of a duplicate submission, only the earliest received is considered.
  7. Eligibility for rewards, including the determination of the recipients and reward amount is left up to the sole discretion of AT&T.
  8. Out of scope vulnerabilities submitted are generally less likely to receive recognition or rewards under the Program.
  9. You are responsible for all taxes associated with and imposed on any reward you may receive in connection with your submission. HackerOne handles all bounty payments through the HackerOne platform. Please refer to HackerOne’s relevant policies here.
  10. You may only exploit, investigate, or target vulnerabilities against your own accounts. Testing must not violate any law, or disrupt or compromise any data or access data that is not yours; intentional access of customer data other than your own is expressly prohibited.
  11. If you inadvertently access customer, employee, or business related information during your testing, you must immediately notify AT&T and the information must not be used, disclosed, stored, or recorded in any way. Inadvertent access of the data must be declared within your submission.
  12. Your testing activities must not negatively impact AT&T, or AT&T's Environment availability or performance.
  13. AT&T reserves the right of non-remediation in its sole discretion.
  14. The Program constitutes the entire agreement and understanding of the parties with respect to the items listed herein. The Program may be amended or modified any time without notice in AT&T’s sole and absolute discretion.
  15. If any portion of the Program is found to be illegal or unenforceable, then the parties shall be relieved of their responsibilities arising under such portion, but only to the extent that such portion is illegal or unenforceable.

Back to top


Reporting Process

When reporting vulnerabilities, you must first register or log on to your account on HackerOne.

In describing the vulnerability it is important to include all necessary details required for reproducing the vulnerability as well as the tools required to reproduce the vulnerability. Please note that the vulnerability should be treated in accordance with the terms of the Program.

Each submission will typically receive a reply within one (1) business day acknowledging that the report was successfully received.

Duplicate submissions (where the vulnerability has already been reported to AT&T) are not eligible for rewards. In most instances, you will not be notified of a duplicate report condition until after the vulnerability has been remediated.

Please recognize that AT&T operates a complex Environment and the amount of time required to address a reported issue can vary from a few hours to several months. You will receive notification of the final outcome of our remediation efforts once the Program is notified by AT&T internal support team. AT&T cannot provide updates on remediation efforts that are in progress.

Back to top


Awarding Process

Only vulnerabilities will be considered for an award. Only those vulnerabilities that have been resolved will receive an award. The bounties range from $50 to $2,000 depending on criteria such as the type/severity of the vulnerability, impacted domain(s), potential vulnerability exploits, and vulnerability report submission quality. In general, Reflected XSS will be considered low severity and awarded with minimum bounty unless other impact is shown. THE CRITERIA USED TO DETERMINE THE PAYOUT FOR A VULNERABILITY IS SOLELY AT THE DISCRETION OF AT&T.

Back to top


Change to Program Terms

AT&T reserves the right to discontinue the Program at any time without notice in its sole discretion.

Back to top


Frequently Asked Questions

What's eligible for AT&T Bug Bounty?

Pretty much any security exposure on AT&T’s IP footprint is eligible for program recognition. We’re not just considering websites -- mobile/tablet apps and connected devices are included too!

What types of issues will be considered as part of the AT&T Bug Bounty program?

Anything that could realistically place the online security of AT&T or our customers at risk will be considered. We are, however, particularly interested in vulnerabilities that could expose customer or enterprise data.

There are a few exclusions which can be found on the AT&T Bug Bounty Website. Please read our terms/conditions, and if you have any questions send us a note at bugbounty@att.com.

You fixed my bug...where's my bounty?

Please refer to the Reporting Process

How can I increase my chances of getting an AT&T Bug Bounty Award?

Typically we consider the severity of the bug, ease of exploit, and prominence of the site(s) or apps included in all remediated reports from a security researcher. This process is designed to recognize the most significant and impactful contributions.

Submissions that clearly articulate how the vulnerability leads to a compromise of customer or enterprise data or accounts, as well those that prove the existence of remote command execution vulnerability, are typically preferred.

Less severe issues or bugs that require multiple or unusual steps on the part of a potential victim (such as installing a browser plug-in) may be included, but usually don’t result in significant bounties.

Tip: Well written reports are a definite plus!

What makes up a well written report?

DO:

  • Be clear as to what URL, app, or device is vulnerable.
  • Provide a clear description of the bug you are reporting.
  • Let us know how you found the bug, why you think it's a security risk, and provide step-by-step instructions on how to reproduce it.
  • Include a clear description of how the exposure might be exploited by an attacker. Be brief and to the point.
  • You can include a screenshot or video with your report, but make sure you do it from our website. If you include a video make sure it is clear (not grainy), brief, to the point. Note that there are file size limitations on bug report attachments.
  • Report only one issue per submission.

DON'T

  • Do not violate our customer's privacy! If you detect a behavior indicating data leakage, or any other security exposure, report it! Let us know WHY you think it's an exposure and we'll check into it.
  • Don’t report multiple URLs/sites in a single report.
  • Don’t upload videos to YouTube or other file sharing services.
  • Don't simply send us a URL with "click this" as the description.
  • Don't rely solely on a screenshot or a video; make sure you provide all appropriate information in your report.

What's taking so long to remediate my reported issue?

We take your reports seriously and do our best to address issues as quickly possible. Depending on the specific issue, it can take anywhere from a few hours to several months for a fix to be implemented.

Practical realities, such as the complexity of the environment and other priorities can all impact our responsiveness. There are also times when we may elect to defer remediation due to pending site upgrades and other such factors.

Why do you not respond to my request for information?

Our apologies, but we get a lot of questions and just do not have the staff to respond to individual requests for information. Be assured, however, that we are working on ways to communicate better and more efficiently in the future.

Thanks for your understanding!

I want to point to my success detecting security issues on your site to future employers but Section 5 seems to prevent me from doing that. What can I do?

Please drop us a note at bugbounty@att.com. We are happy to support disclosure and make sure you get credit from other organizations for your work once we’re sure our customers are not at risk. Our goal is simply to address vulnerabilities before publication so that we don’t have bad people reproducing your work for malicious ends.

What do you mean by "duplicate" submission...and why didn't you tell me when I first submitted the report?

Please refer to the Reporting Process

Why was my report of "Unvalidated Redirects and Forwards" rejected?

When testing our environment for open redirects keep in mind that AT&T operates at a very large scale. Avoid using redirects to domains of common web-based service providers such as Yahoo!, Twitter, or Facebook, in your proof-of-vulnerability analysis.

 

Back to top




©2019 AT&T Intellectual Property.All rights reserved.