Reporting Process

When reporting bugs you must first register an account on our Bug Reporting Portal. Registration consists of the following information:

Hall of Fame display information will be reviewed and approved by the AT&T Bug Bounty Team for appropriateness prior to being posted to the HoF page.

Once you have an established and verified account, log in to report your findings via the "Report Bug" feature of our website. The following information must be included with your report:

In describing the vulnerability, it is important to include all details necessary to reproduce it, as well as the tools required to do so. We will acknowledge the submission via email. Please note that the vulnerability should be treated as under nondisclosure until it is remediated.

Each submission will typically receive a reply within 1 business day acknowledging that the report was successfully received. The acknowledgement will include a reference number that should be included in any correspondence related to the issue. After the bug is fixed, the reporter will be notified, and the reporter will be listed on our Hall of Fame if the appropriate permission(s) have been provided. The reporter will also be considered for one of that quarter's Top 25 awards.

Duplicate submissions (where the bug has already been reported to AT&T via another Bug Bounty submission or other reporting mechanism) are not eligible for Bug Bounty rewards or Hall of Fame recognition. In most instances, you will not be notified of a duplicate report condition until after the bug has been remediated.

Please recognize that AT&T operates a complex online environment and the amount of time required to address a reported issue can vary from a few hours to several months. You will receive notification of the final outcome of our remediation efforts once the Bug Bounty Program is notified by its internal support teams that an issue is resolved or disqualified. At this time we cannot provide updates on remediation efforts that are in progress.



Awarding Process

On a quarterly basis AT&T will evaluate all valid bug submissions that have been remediated (not reported) during that quarter and award bounties for those we consider to be the Top 25 Bugs or Bug Reporters for the quarter. Only those Reporters included in the Top 25 will receive a bounty and Top 25 Hall of Fame recognition. The bounties range from $250 to a potential maximum award of $20,000. AT&T will determine the Top 25 and award amounts based on criteria such as the type/severity of the bug, impacted domain(s), potential bug exploits, and bug report submission quality. ALL AWARDS AND THE CRITERIA USED TO DETERMINE THE QUARTERLY TOP 25 ARE SOLELY AT THE DISCRETION OF AT&T SERVICES, INC. AND THE AT&T BUG BOUNTY BOARD.

Quarterly Top 25 award winners will be acknowledged on our recognition page in alphabetical order.

Additionally, all vulnerability reporters who interact with us in a respectful, productive manner and want to be publicly acknowledged will be listed on our Recognition (Hall of Fame) Page. Your entry will appear on our main Hall of Fame page for a period of 1 year from the date of the last successful remediation notification. After 1 year it will move to our Hall of Fame archive page.

AT&T RESERVES THE RIGHT TO MODIFY OR CANCEL THE AT&T BUG BOUNTY PROGRAM AT ANY TIME WITHOUT NOTICE. ALL BOUNTY PARTICIPANTS AND SUBMISSIONS ARE STRICTLY VOLUNTARY.





©2018 AT&T Intellectual Property. All rights reserved.