[{"id":3774209,"new_policy":"# Welcome, Security Research Community!\n\n23andMe recognizes the importance of working with skilled security researchers to identify and address vulnerabilities in our technology. We encourage responsible disclosure through our Bug Bounty Program and are excited to collaborate with you to enhance our security.\n\n# Scope\n\nTesting is authorized **only** for targets explicitly listed as In-Scope. Any domain/property not listed is considered **Out-of-Scope**, including subdomains. If you discover a vulnerability outside the defined scope, contact [support@hackerone.com](mailto:support@hackerone.com) before submitting your findings. Failure to submit reports through our designated bug bounty route may result in a non-eligible report.\n\n### When Testing:\n\n- **Use your HackerOne email alias** (`h1username@wearehackerone.com`).\n- Include the following header in all requests:\n  ```http\n  X-HackerOne-Research: \u003cYOUR-USERNAME\u003e\n  ```\n- Automated tools: Limit requests to no more than 3 per second and avoid using vulnerability scanners.\n\nFailure to follow these guidelines may result in disqualification from bounty rewards.\n\n---\n\n# Program Rules\n\n* Use your HackerOne email alias for account creation and testing.\n* Add the X-HackerOne-Research header to all requests.\n* Avoid using multiple IP addresses during testing.\n* Refrain from public disclosure without 23andMe's written consent (even post-fix).\n* Only test accounts you own or have explicit permission to interact with.\n* Stop testing immediately if you encounter sensitive data and report it to us.\n* Provide detailed, reproducible reports. 
Lack of detail may disqualify the submission.\n* Submit one vulnerability per report unless chaining vulnerabilities to demonstrate impact.\n* Social engineering (e.g., phishing) is prohibited.\n* Avoid privacy violations, data destruction, or service disruption.\n* Valid submissions must demonstrate a tangible security risk.\n* Program terms may change at any time. Participating means you agree to be bound by the new terms.\n* For submissions involving Leaked Credentials:\n  * Do **NOT** attempt to validate.\n  * Attempting to sign in, change data, or test MFA with leaked credentials is forbidden.\n  * Submit evidence only.\n  * Attach the data dump.\n  * Add the exact link or source of the leak. (Required)\n  * No further testing—just share the data. For transparency, end-user credentials alone are usually out of scope unless a program-responsible leak source can be identified.\n\n# Focus Areas\n\nSubmissions addressing the following vulnerabilities are highly valued:\n\n* Sensitive Data Exposure\n* Remote Code Execution (RCE)\n* Authentication Bypass\n* Broken Access Control\n* SQL Injection (or equivalent)\n* Server-Side Request Forgery (SSRF)\n* Malicious File Uploads\n* XML External Entities (XXE)\n* Cross-Site Scripting (XSS)\n* Exfiltration of AWS credentials\n* Misconfigured cloud infrastructure leading to data leakage\n\n\n# Submission Format\n\nReports that fail to follow this structure will likely be closed as informative. Clear writing and strong evidence matter more than length. 
\n\n## Title\n\nA short, specific title naming the affected component and the issue.\n\n*Examples: \"Multi-Compare Server-Side Limit Not Enforced\", \"IDOR in `/profile/{id}/exports` Allows Cross-Account Data Access\"*\n\n## Overview of the Vulnerability\n\nA concise summary (2–4 sentences) covering:\n\n- The affected feature or endpoint\n- The expected behavior\n- The actual (vulnerable) behavior\n- Why it matters\n\nThen provide a technical description in clear, factual prose:\n\n- What the feature is designed to do\n- What controls are documented or expected to be in place\n- What your testing revealed about how those controls actually behave\n- Specific observations from your requests — be precise with parameter names, HTTP methods, endpoint paths, and response details\n\nWhen you ran multiple test cases, enumerate them so the reviewer can follow your reasoning:\n\n- A request containing [input A] returned [observed result].\n- A request containing [input B] returned [observed result].\n- A request combining [A + B] returned [observed result].\n- Reordering / duplicating / removing values resulted in [observed behavior].\n\nClose with a one-sentence conclusion stating where the gap exists. For example: *\"This demonstrates that the five-profile limit is enforced exclusively at the UI layer and is not validated by the backend service.\"*\n\n## Business Impact\n\nState the impact in 1–3 sentences. Cover:\n\n- What an attacker can actually achieve with this issue\n- What mitigating controls remain in place (authorization, rate limiting, eligibility checks, etc.)\n- A realistic assessment of severity\n\nBe honest about limitations. If authorization checks still gate sensitive data, say so. Overstating impact slows triage and hurts credibility. Aim for accurate impact.\n\n## Demonstrated Impact (Not Theoretical)\n\nReports must show **demonstrated impact**, not hypothetical attack chains. 
Phrases like *\"an attacker could...\"*, *\"this might allow...\"*, or *\"if combined with...\"* — without a working proof-of-concept — will be closed as informational at best.\n\nAnchor every impact claim to something you actually proved in your testing. Examples:\n\n- **Weak:** \"An attacker could potentially use this to exfiltrate user data.\"\n  **Strong:** \"Using test account A, I submitted [request] and retrieved [specific field] belonging to account B. Screenshot shows account B's email address in the response.\"\n\n- **Weak:** \"This reflected input might lead to XSS under the right conditions.\"\n  **Strong:** \"Payload `\u003csvg onload=alert(1)\u003e` in the `q` parameter executes in the rendered page. Screenshot of the triggered alert attached.\"\n\n- **Weak:** \"If chained with a future CSRF bypass, this could allow account takeover.\"\n  **Strong:** \"Demonstrated end-to-end with two test accounts: [steps]. Account B's session token is recovered at [location].\"\n\nIf you can describe the attack but cannot demonstrate it, the report is incomplete. Either complete the chain end-to-end, or scope your impact claim to only what you proved. Incomplete demonstration will likely result in an informative report.\n\n## Steps to Reproduce\n\nNumbered steps that a triager can follow without guessing. Each step should be specific and actionable.\n\n1. Log in to [application] as a [user role / test account].\n2. Navigate to [feature or URL].\n3. Capture the request to `[endpoint]` using [Burp Suite / browser dev tools / curl].\n4. Modify [specific parameter] from `[value A]` to `[value B]`.\n5. Replay the request.\n6. Observe [expected behavior] vs. [actual behavior].\n\nInclude the raw HTTP request and response when they materially help explain the issue. 
Redact session tokens, cookies, and any data that doesn't belong to your test accounts.\n\n### Evidence\n\n**Screenshots (preferred):**\n\n- Annotated screenshots are the fastest way for triage to confirm an issue. Highlight the modified parameter, the relevant response field, or the UI state that contradicts the backend.\n- At minimum, include: (1) the request showing your modification, (2) the response showing the vulnerable behavior, (3) any relevant UI state.\n\n**Video (helpful, especially for complex flows):**\n\n- Short screen recordings (under 2 minutes) are useful for multi-step issues, race conditions, or anything where timing matters.\n- Video is a supplement to screenshots, not a replacement. Triagers can scan a screenshot in seconds; video requires playback.\n\n**Raw artifacts:**\n\n- Full HTTP request/response pairs, payloads, or proof-of-concept scripts where applicable.\n- If your PoC needs setup, include a one-line description of what to run.\n\n## Remediation\n\nState the fix in 1–3 sentences. Focus on:\n\n- What validation or control is missing\n- Where it should be enforced (which layer — backend, gateway, frontend)\n- What the expected behavior should look like after the fix\n\nExample: *\"Ensure the server performs the same validation as the UI and enforce the limit at the backend layer.\"*\n\n## Scope Confirmation\n\nBefore submitting, confirm that the affected asset and the vulnerability class are **in scope** for this program. Review the In-Scope assets above and explicitly state in your report:\n\n- The affected asset and where it appears in scope.\n- Whether the vulnerability class is in scope, out of scope, or not explicitly addressed.\n- If the issue touches an asset that is **out of scope**, do not submit. 
Contact `support@hackerone.com` instead, as noted in the Scope section.\n\nReports targeting out-of-scope assets or vulnerability classes will be closed as N/A and may affect your reputation on the program.\n\n## Pre-Submission Checklist\n\n- [ ] Affected asset and vulnerability class are confirmed **in scope** per program policy\n- [ ] Title names the component and the issue\n- [ ] Overview explains what's expected vs. what actually happens\n- [ ] Business impact is realistic — not inflated, not understated\n- [ ] Every impact claim is backed by a demonstrated PoC, not speculation\n- [ ] Steps to reproduce work from a clean state\n- [ ] At least one annotated screenshot of the request and response\n- [ ] Sensitive data (tokens, PII, other users' data) is redacted\n- [ ] `X-HackerOne-Research` header was used during testing / HackerOne email alias was used for test accounts\n\n## Disclosure Policy\n\nFollow HackerOne's disclosure guidelines. Unauthorized public disclosure may result in disqualification from the program.\n\nHappy Hunting!\n\nWe appreciate your contributions and look forward to collaborating with you to keep 23andMe secure.\n","has_open_scope":null,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"Welcome, Security Research Community!  \n23andMe recognizes the importance of working with skilled security researchers to identify and address vulnerabilities in our technology. We encourage responsible disclosure through our Bug Bounty Program and are excited to collaborate with you to enhance our security. 
","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"Customer Care Portal\",\"details\":\"* customercare.23andme.com/*\\n* Includes Zendesk (3rd party used)\"}","{\"category\":\"Data Breaches\",\"details\":\"Vulnerabilities caused by past or present data breaches.\"}","{\"category\":\"Unlikely User Interaction\",\"details\":\"Attacks requiring unlikely user interaction or physical access.\"}","{\"category\":\"3rd Party Vendors\",\"details\":\"* (e.g. Chatbot AI Agent powered by Ada, Zendesk).\\n * (e.g. Google Maps, Braintree, Venmo, Customer.io, Datadog RUM API keys)\"}","{\"category\":\"Customer Stories\",\"details\":\"https://www.23andme.com/stories/*\"}","{\"category\":\"Automated Scanning\",\"details\":\"Automated scanning or scripted request flooding that impacts platform availability or performance.\"}","{\"category\":\"Low Impact Issues\",\"details\":\"* Low-impact issues (e.g., missing headers, outdated libraries, clickjacking)\\n* DoS attacks or brute-force attacks\\n* Rate limiting on non-authentication endpoints\\n* DOM XSS, Self XSS\"}"],"timestamp":"2026-05-15T04:40:47.156Z"},{"id":3772827,"new_policy":"# Welcome, Security Research Community!  \n23andMe recognizes the importance of working with skilled security researchers to identify and address vulnerabilities in our technology. We encourage responsible disclosure through our Bug Bounty Program and are excited to collaborate with you to enhance our security.  \n\n# Scope  \nTesting is authorized **only** for targets explicitly listed as In-Scope. Any domain/property not listed is considered **Out-of-Scope**, including subdomains. If you discover a vulnerability outside the defined scope, contact [support@hackerone.com](mailto:support@hackerone.com) before submitting your findings.  
Failure to submit reports through our designated bug bounty route may result in a non-eligible report.\n\n### When Testing:  \n- **Use your HackerOne email alias** (`h1username@wearehackerone.com`).  \n- Include the following header in all requests:  \n  ```http\n  X-HackerOne-Research: \u003cYOUR-USERNAME\u003e\n- Automated tools: Limit requests to no more than 3 per second and avoid using vulnerability scanners.\n\nFailure to follow these guidelines may result in disqualification from bounty rewards.\n\n---\n\n\n# Program Rules \n* Use your HackerOne email alias for account creation and testing.\n* Add the X-HackerOne-Research header to all requests.\n* Avoid using multiple IP addresses during testing.\n* Refrain from public disclosure without 23andMe's written consent (even post-fix).\n* Only test accounts you own or have explicit permission to interact with.\n* Stop testing immediately if you encounter sensitive data and report it to us.\n* Provide detailed, reproducible reports. Lack of detail may disqualify the submission.\n* Submit one vulnerability per report unless chaining vulnerabilities to demonstrate impact.\n* Social engineering (e.g., phishing) is prohibited.\n* Avoid privacy violations, data destruction, or service disruption.\n* Valid submissions must demonstrate a tangible security risk.\n* Program terms may change at anytime. Participating means you agree to be bound by the new terms. \n* For submissions involving Leaked Credentials:\n                           * Do **NOT** attempt to validate.\n                           * Attempting to sign in, change data, or test MFA with leaked credentials is forbidden.\n                           * Submit evidence only.\n                           * Attach the data dump.\n                           * Add the exact link or source of the leak. (Required)\n                           * No further testing—just share the data. 
For transparency, end‑user credentials alone are usually out of scope unless a program-responsible leak source can be identified.\n\n# Focus Areas\nSubmissions addressing the following vulnerabilities are highly valued:\n\n* Sensitive Data Exposure\n* Remote Code Execution (RCE)\n* Authentication Bypass\n* Broken Access Control\n* SQL Injection (or equivalent)\n* Server-Side Request Forgery (SSRF)\n* Malicious File Uploads\n* XML External Entities (XXE)\n* Cross-Site Scripting (XSS)\n* Exfiltration of AWS credentials\n* Misconfigured cloud infrastructure leading to data leakage\n\n## Disclosure Policy\nFollow HackerOne's disclosure guidelines. Unauthorized public disclosure may result in disqualification from the program.\n\nHappy Hunting!\nWe appreciate your contributions and look forward to collaborating with you to keep 23andMe secure.\n","has_open_scope":null,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"Welcome, Security Research Community!  \n23andMe recognizes the importance of working with skilled security researchers to identify and address vulnerabilities in our technology. We encourage responsible disclosure through our Bug Bounty Program and are excited to collaborate with you to enhance our security.  
","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"Customer Care Portal\",\"details\":\"* customercare.23andme.com/*\\n* Includes Zendesk (3rd party used)\"}","{\"category\":\"Data Breaches\",\"details\":\"Vulnerabilities caused by past or present data breaches.\"}","{\"category\":\"Low Impact Issues\",\"details\":\"* Low-impact issues (e.g., missing headers, outdated libraries, clickjacking)\\n* DoS attacks or brute-force attacks\\n* Rate limiting on non-authentication endpoints\"}","{\"category\":\"Unlikely User Interaction\",\"details\":\"Attacks requiring unlikely user interaction or physical access.\"}","{\"category\":\"3rd Party Vendors\",\"details\":\"* (e.g. Chatbot AI Agent powered by Ada, Zendesk).\\n * (e.g. Google Maps,  Briantree, Venmo, Customer.io, Datadog RUM API keys)\"}","{\"category\":\"Customer Stories\",\"details\":\"https://www.23andme.com/stories/*\"}","{\"category\":\"Automated Scanning\",\"details\":\"Automated scanning or scripted request flooding that impacts platform availability or performance.\"}"],"timestamp":"2026-04-19T23:07:04.576Z"},{"id":3772826,"new_policy":"# Welcome, Security Research Community!  \n23andMe recognizes the importance of working with skilled security researchers to identify and address vulnerabilities in our technology. We encourage responsible disclosure through our Bug Bounty Program and are excited to collaborate with you to enhance our security.  \n\n# Scope  \nTesting is authorized **only** for targets explicitly listed as In-Scope. Any domain/property not listed is considered **Out-of-Scope**, including subdomains. If you discover a vulnerability outside the defined scope, contact [support@hackerone.com](mailto:support@hackerone.com) before submitting your findings.  
Failure to submit reports through our designated bug bounty route may result in a non-eligible report.\n\n### When Testing:  \n- **Use your HackerOne email alias** (`h1username@wearehackerone.com`).  \n- Include the following header in all requests:  \n  ```http\n  X-HackerOne-Research: \u003cYOUR-USERNAME\u003e\n- Automated tools: Limit requests to no more than 3 per second and avoid using vulnerability scanners.\n\nFailure to follow these guidelines may result in disqualification from bounty rewards.\n\n---\n\n\n# Program Rules \n* Use your HackerOne email alias for account creation and testing.\n* Add the X-HackerOne-Research header to all requests.\n* Avoid using multiple IP addresses during testing.\n* Refrain from public disclosure without 23andMe's written consent (even post-fix).\n* Only test accounts you own or have explicit permission to interact with.\n* Stop testing immediately if you encounter sensitive data and report it to us.\n* Provide detailed, reproducible reports. Lack of detail may disqualify the submission.\n* Submit one vulnerability per report unless chaining vulnerabilities to demonstrate impact.\n* Social engineering (e.g., phishing) is prohibited.\n* Avoid privacy violations, data destruction, or service disruption.\n* Valid submissions must demonstrate a tangible security risk.\n* Program terms may change at anytime. Participating means you agree to be bound by the new terms. \n* For submissions involving Leaked Credentials:\n                           * Do **NOT** attempt to validate.\n                           * Attempting to sign in, change data, or test MFA with leaked credentials is forbidden.\n                           * Submit evidence only.\n                           * Attach the data dump.\n                           * Add the exact link or source of the leak. (Required)\n                           * No further testing—just share the data. 
For transparency, end‑user credentials alone are usually out of scope unless a program-responsible leak source can be identified.\n\n# Focus Areas\nSubmissions addressing the following vulnerabilities are highly valued:\n\n* Sensitive Data Exposure\n* Remote Code Execution (RCE)\n* Authentication Bypass\n* Broken Access Control\n* SQL Injection (or equivalent)\n* Server-Side Request Forgery (SSRF)\n* Malicious File Uploads\n* XML External Entities (XXE)\n* Cross-Site Scripting (XSS)\n* Exfiltration of AWS credentials\n* Misconfigured cloud infrastructure leading to data leakage\n\n## Disclosure Policy\nFollow HackerOne's disclosure guidelines. Unauthorized public disclosure may result in disqualification from the program.\n\nHappy Hunting!\nWe appreciate your contributions and look forward to collaborating with you to keep 23andMe secure.\n","has_open_scope":null,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"Welcome, Security Research Community!  \n23andMe recognizes the importance of working with skilled security researchers to identify and address vulnerabilities in our technology. We encourage responsible disclosure through our Bug Bounty Program and are excited to collaborate with you to enhance our security.  
","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"Customer Care Portal\",\"details\":\"* customercare.23andme.com/*\\n* Includes Zendesk (3rd party used)\"}","{\"category\":\"Data Breaches\",\"details\":\"Vulnerabilities caused by past or present data breaches.\"}","{\"category\":\"Low Impact Issues\",\"details\":\"* Low-impact issues (e.g., missing headers, outdated libraries, clickjacking)\\n* DoS attacks or brute-force attacks\\n* Rate limiting on non-authentication endpoints\"}","{\"category\":\"Unlikely User Interaction\",\"details\":\"Attacks requiring unlikely user interaction or physical access.\"}","{\"category\":\"3rd Party Vendors\",\"details\":\"* (e.g. Chatbot AI Agent powered by Ada, Zendesk, Customer.io, Braintree etc..).\\n                           * (e.g. Google Maps API keys)\"}","{\"category\":\"Customer Stories\",\"details\":\"https://www.23andme.com/stories/*\"}","{\"category\":\"Automated Scanning\",\"details\":\"Automated scanning or scripted request flooding that impacts platform availability or performance.\"}"],"timestamp":"2026-04-19T21:54:53.596Z"},{"id":3770456,"new_policy":"# Welcome, Security Research Community!  \n23andMe recognizes the importance of working with skilled security researchers to identify and address vulnerabilities in our technology. We encourage responsible disclosure through our Bug Bounty Program and are excited to collaborate with you to enhance our security.  \n\n# Scope  \nTesting is authorized **only** for targets explicitly listed as In-Scope. Any domain/property not listed is considered **Out-of-Scope**, including subdomains. If you discover a vulnerability outside the defined scope, contact [support@hackerone.com](mailto:support@hackerone.com) before submitting your findings.  
Failure to submit reports through our designated bug bounty route may result in a non-eligible report.\n\n### When Testing:  \n- **Use your HackerOne email alias** (`h1username@wearehackerone.com`).  \n- Include the following header in all requests:  \n  ```http\n  X-HackerOne-Research: \u003cYOUR-USERNAME\u003e\n- Automated tools: Limit requests to no more than 3 per second and avoid using vulnerability scanners.\n\nFailure to follow these guidelines may result in disqualification from bounty rewards.\n\n---\n\n\n# Program Rules \n* Use your HackerOne email alias for account creation and testing.\n* Add the X-HackerOne-Research header to all requests.\n* Avoid using multiple IP addresses during testing.\n* Refrain from public disclosure without 23andMe's written consent (even post-fix).\n* Only test accounts you own or have explicit permission to interact with.\n* Stop testing immediately if you encounter sensitive data and report it to us.\n* Provide detailed, reproducible reports. Lack of detail may disqualify the submission.\n* Submit one vulnerability per report unless chaining vulnerabilities to demonstrate impact.\n* Social engineering (e.g., phishing) is prohibited.\n* Avoid privacy violations, data destruction, or service disruption.\n* Valid submissions must demonstrate a tangible security risk.\n* Program terms may change at anytime. Participating means you agree to be bound by the new terms. \n* For submissions involving Leaked Credentials:\n                           * Do **NOT** attempt to validate.\n                           * Attempting to sign in, change data, or test MFA with leaked credentials is forbidden.\n                           * Submit evidence only.\n                           * Attach the data dump.\n                           * Add the exact link or source of the leak. (Required)\n                           * No further testing—just share the data. 
For transparency, end‑user credentials alone are usually out of scope unless a program-responsible leak source can be identified.\n\n\n\n# Focus Areas\nSubmissions addressing the following vulnerabilities are highly valued:\n\n* Sensitive Data Exposure\n* Remote Code Execution (RCE)\n* Authentication Bypass\n* Broken Access Control\n* SQL Injection (or equivalent)\n* Server-Side Request Forgery (SSRF)\n* Malicious File Uploads\n* XML External Entities (XXE)\n* Cross-Site Scripting (XSS)\n* Exfiltration of AWS credentials\n* Misconfigured cloud infrastructure leading to data leakage\n\n\n# Out-of-Scope Vulnerabilities\nThe following are not eligible for bounty rewards:\n\n* CustomerCare Portal\n* Vulnerabilities caused by past or present data breaches.\n* Low-impact issues (e.g., missing headers, outdated libraries, clickjacking).\n* Attacks requiring unlikely user interaction or physical access.\n* DoS attacks or brute-force attacks.\n* Rate limiting on non-authentication endpoints.\n* Not all submissions involving third-party vendors will be eligible for a reward or considered in scope, but we can review them on a case-by-case basis.\n                           * (e.g. Chatbot AI Agent powered by Ada, Zendesk, Braintree etc..).\n                           * (e.g. Google Maps API keys)\n\n\n\n## Disclosure Policy\nFollow HackerOne's disclosure guidelines. Unauthorized public disclosure may result in disqualification from the program.\n\nHappy Hunting!\nWe appreciate your contributions and look forward to collaborating with you to keep 23andMe secure.\n","has_open_scope":null,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"Welcome, Security Research Community!  \n23andMe recognizes the importance of working with skilled security researchers to identify and address vulnerabilities in our technology. 
We encourage responsible disclosure through our Bug Bounty Program and are excited to collaborate with you to enhance our security.  ","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2026-03-02T20:25:38.044Z"},{"id":3766982,"new_policy":"# Welcome, Security Research Community!  \n23andMe recognizes the importance of working with skilled security researchers to identify and address vulnerabilities in our technology. We encourage responsible disclosure through our Bug Bounty Program and are excited to collaborate with you to enhance our security.  \n\n# Scope  \nTesting is authorized **only** for targets explicitly listed as In-Scope. Any domain/property not listed is considered **Out-of-Scope**, including subdomains. If you discover a vulnerability outside the defined scope, contact [support@hackerone.com](mailto:support@hackerone.com) before submitting your findings.  Failure to submit reports through our designated bug bounty route may result in a non-eligible report.\n\n### When Testing:  \n- **Use your HackerOne email alias** (`h1username@wearehackerone.com`).  \n- Include the following header in all requests:  \n  ```http\n  X-HackerOne-Research: \u003cYOUR-USERNAME\u003e\n- Automated tools: Limit requests to no more than 3 per second and avoid using vulnerability scanners.\n\nFailure to follow these guidelines may result in disqualification from bounty rewards.\n\n---\n\n\n# Program Rules \n* Use your HackerOne email alias for account creation and testing.\n* Add the X-HackerOne-Research header to all requests.\n* Avoid using multiple IP addresses during testing.\n* Refrain from public disclosure without 23andMe's written consent (even post-fix).\n* Only test accounts you own or have explicit permission to interact with.\n* Stop testing immediately if you encounter sensitive data and report it to us.\n* Provide detailed, reproducible reports. 
Lack of detail may disqualify the submission.\n* Submit one vulnerability per report unless chaining vulnerabilities to demonstrate impact.\n* Social engineering (e.g., phishing) is prohibited.\n* Avoid privacy violations, data destruction, or service disruption.\n* Valid submissions must demonstrate a tangible security risk.\n* Program terms may change at anytime. Participating means you agree to be bound by the new terms. \n* For submissions involving Leaked Credentials:\n                           * Do **NOT** attempt to validate.\n                           * Attempting to sign in, change data, or test MFA with leaked credentials is forbidden.\n                           * Submit evidence only.\n                           * Attach the data dump.\n                           * Add the exact link or source of the leak. (Required)\n                           * No further testing—just share the data. For transparency, end‑user credentials alone are usually out of scope unless a program-responsible leak source can be identified.\n\n\n\n# Focus Areas\nSubmissions addressing the following vulnerabilities are highly valued:\n\n* Sensitive Data Exposure\n* Remote Code Execution (RCE)\n* Authentication Bypass\n* Broken Access Control\n* SQL Injection (or equivalent)\n* Server-Side Request Forgery (SSRF)\n* Malicious File Uploads\n* XML External Entities (XXE)\n* Cross-Site Scripting (XSS)\n* Exfiltration of AWS credentials\n* Misconfigured cloud infrastructure leading to data leakage\n\n\n# Out-of-Scope Vulnerabilities\nThe following are not eligible for bounty rewards:\n\n* CustomerCare Portal\n* Vulnerabilities caused by past or present data breaches.\n* Low-impact issues (e.g., missing headers, outdated libraries, clickjacking).\n* Attacks requiring unlikely user interaction or physical access.\n* DoS attacks or brute-force attacks.\n* Rate limiting on non-authentication endpoints.\n* Not all submissions involving third-party vendors will be eligible for a reward or 
considered in scope, but we can review them on a case-by-case basis.\n                           * (e.g. Chatbot AI Agent powered by Ada, Zendesk, Braintree etc..).\n                           * (e.g. Google Maps API keys)\n\n\n\n## Disclosure Policy\nFollow HackerOne's disclosure guidelines. Unauthorized public disclosure may result in disqualification from the program.\n\nHappy Hunting!\nWe appreciate your contributions and look forward to collaborating with you to keep 23andMe secure.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-12-04T08:46:14.534Z"},{"id":3754350,"new_policy":"# Welcome, Security Research Community!  \n23andMe recognizes the importance of working with skilled security researchers to identify and address vulnerabilities in our technology. We encourage responsible disclosure through our Bug Bounty Program and are excited to collaborate with you to enhance our security.  \n\n# Scope  \nTesting is authorized **only** for targets explicitly listed as In-Scope. Any domain/property not listed is considered **Out-of-Scope**, including subdomains. If you discover a vulnerability outside the defined scope, contact [support@hackerone.com](mailto:support@hackerone.com) before submitting your findings.  \n\n### When Testing:  \n- **Use your HackerOne email alias** (`h1username@wearehackerone.com`).  
\n- Include the following header in all requests:  \n  ```http\n  X-HackerOne-Research: \u003cYOUR-USERNAME\u003e\n- Automated tools: Limit requests to no more than 3 per second and avoid using vulnerability scanners.\n\nFailure to follow these guidelines may result in disqualification from bounty rewards.\n\n---\n\n\n# Program Rules \n* Use your HackerOne email alias for account creation and testing.\n* Add the X-HackerOne-Research header to all requests.\n* Avoid using multiple IP addresses during testing.\n* Refrain from public disclosure without 23andMe's written consent (even post-fix).\n* Only test accounts you own or have explicit permission to interact with.\n* Stop testing immediately if you encounter sensitive data and report it to us.\n* Provide detailed, reproducible reports. Lack of detail may disqualify the submission.\n* Submit one vulnerability per report unless chaining vulnerabilities to demonstrate impact.\n* Social engineering (e.g., phishing) is prohibited.\n* Avoid privacy violations, data destruction, or service disruption.\n* Valid submissions must demonstrate a tangible security risk.\n* Program terms may change at anytime. Participating means you agree to be bound by the new terms. \n* For submissions involving Leaked Credentials:\n                           * Do **NOT** attempt to validate.\n                           * Attempting to sign in, change data, or test MFA with leaked credentials is forbidden.\n                           * Submit evidence only.\n                           * Attach the data dump.\n                           * Add the exact link or source of the leak. (Required)\n                           * No further testing—just share the data. 
For transparency, end‑user credentials alone are usually out of scope unless a program-responsible leak source can be identified.\n\n\n\n# Focus Areas\nSubmissions addressing the following vulnerabilities are highly valued:\n\n* Sensitive Data Exposure\n* Remote Code Execution (RCE)\n* Authentication Bypass\n* Broken Access Control\n* SQL Injection (or equivalent)\n* Server-Side Request Forgery (SSRF)\n* Malicious File Uploads\n* XML External Entities (XXE)\n* Cross-Site Scripting (XSS)\n* Exfiltration of AWS credentials\n* Misconfigured cloud infrastructure leading to data leakage\n\n\n# Out-of-Scope Vulnerabilities\nThe following are not eligible for bounty rewards:\n\n* Vulnerabilities caused by past or present data breaches.\n* Low-impact issues (e.g., missing headers, outdated libraries, clickjacking).\n* Attacks requiring unlikely user interaction or physical access.\n* DoS attacks or brute-force attacks.\n* Rate limiting on non-authentication endpoints.\n* Not all submissions involving third-party vendors will be eligible for a reward or considered in scope, but we can review them on a case-by-case basis.\n                           * (e.g. Chatbot AI Agent powered by Ada, Zendesk, Braintree etc..).\n                           * (e.g. Google Maps API keys)\n\n\n\n## Disclosure Policy\nFollow HackerOne's disclosure guidelines. Unauthorized public disclosure may result in disqualification from the program.\n\nHappy Hunting!\nWe appreciate your contributions and look forward to collaborating with you to keep 23andMe secure.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-04-24T23:38:50.227Z"},{"id":3746479,"new_policy":"# Welcome, Security Research Community!  
\n23andMe recognizes the importance of working with skilled security researchers to identify and address vulnerabilities in our technology. We encourage responsible disclosure through our Bug Bounty Program and are excited to collaborate with you to enhance our security.  \n\n# Scope  \nTesting is authorized **only** for targets explicitly listed as In-Scope. Any domain/property not listed is considered **Out-of-Scope**, including subdomains. If you discover a vulnerability outside the defined scope, contact [support@hackerone.com](mailto:support@hackerone.com) before submitting your findings.  \n\n### When Testing:  \n- Use your HackerOne email alias (`h1username@wearehackerone.com`).  \n- Include the following header in all requests:  \n  ```http\n  X-HackerOne-Research: \u003cYOUR-USERNAME\u003e\n- Automated tools: Limit requests to no more than 3 per second and avoid using vulnerability scanners.\n\nFailure to follow these guidelines may result in disqualification from bounty rewards.\n\n---\n\n\n# Program Rules \n* Use your HackerOne email alias for account creation and testing.\n* Add the X-HackerOne-Research header to all requests.\n* Avoid using multiple IP addresses during testing.\n* Refrain from public disclosure without 23andMe's written consent (even post-fix).\n* Only test accounts you own or have explicit permission to interact with.\n* Stop testing immediately if you encounter sensitive data and report it to us.\n* Provide detailed, reproducible reports. Lack of detail may disqualify the submission.\n* Submit one vulnerability per report unless chaining vulnerabilities to demonstrate impact.\n* Social engineering (e.g., phishing) is prohibited.\n* Avoid privacy violations, data destruction, or service disruption.\n* Valid submissions must demonstrate a tangible security risk.\n* Program terms may change at anytime. Participating means you agree to be bound by the new terms. 
\n\n\n# Focus Areas\nSubmissions addressing the following vulnerabilities are highly valued:\n\n* Sensitive Data Exposure\n* Remote Code Execution (RCE)\n* Authentication Bypass\n* Broken Access Control\n* SQL Injection (or equivalent)\n* Server-Side Request Forgery (SSRF)\n* Malicious File Uploads\n* XML External Entities (XXE)\n* Cross-Site Scripting (XSS)\n* Exfiltration of AWS credentials\n* Misconfigured cloud infrastructure leading to data leakage\n\n\n# Out-of-Scope Vulnerabilities\nThe following are not eligible for bounty rewards:\n\n* Issues on non-23andMe domains (e.g., third-party services like Braintree).\n* Vulnerabilities caused by past or present data breaches.\n* Low-impact issues (e.g., missing headers, outdated libraries, clickjacking).\n* Attacks requiring unlikely user interaction or physical access.\n* DoS attacks or brute-force attacks.\n* Rate limiting on non-authentication endpoints.\n\n\n## Disclosure Policy\nFollow HackerOne's disclosure guidelines. Unauthorized public disclosure may result in disqualification from the program.\n\nHappy Hunting!\nWe appreciate your contributions and look forward to collaborating with you to keep 23andMe secure.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-12-12T18:35:36.922Z"},{"id":3713208,"new_policy":"## Welcome Security Research Community! \n\n23andMe acknowledges that no technology is perfect and we believe that working with skilled Security Researchers across the globe is crucial in identifying vulnerabilities in any technology. 
Thus, we encourage responsible disclosure of security vulnerabilities via our Bug Bounty Program described on this page.\nWe are excited for you to participate as a Security Researcher to identify potential vulnerabilities in our Web Applications, APIs and Cloud Infrastructure. We welcome working with you to resolve the issue promptly.\n\nTesting is only authorized on the targets explicitly listed as In-Scope. **Any domain/property of 23andMe not listed in the targets section is out of scope. This includes any/all subdomains not listed. Anything not explicitly defined In-Scope is by default Out-of-Scope.** If you believe you've identified a vulnerability on a system outside the scope, please reach out to support@hackerone.com before submitting it\n\n**When creating an account:** ==Use your **hacker email alias** when testing (h1username@wearehackerone.com) for sign up and all testing== \n**When testing:** \n- ==Please add the following header to your request: X-HackerOne-Research: \u003cYOUR-USERNAME\u003e.== Providing this information helps us differentiate your activity against traffic generated by possible malicious actors and may help avoid blocking your IP address!\n-   ==Do not use vulnerability scanners! For custom tooling an acceptable request rate is no more than 3 requests per second==\n\nFailure to abide to these could jeopardize us providing bounty's and causes unnecessary friction we hope to avoid. 
These are also copied in our Program Rules for completeness.\n\n# Response Targets\n23andMe will make a best effort to meet the following response targets for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 5 days |\n| Time to Bounty | 15 days |\n| Time to Resolution | Variable depening on severity and complexity |\n\n\n# Disclosure Policy\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Program Rules \n### Read these carefully to ensure you have a great time with our program\n* Use your **hacker email alias** when testing (h1username@wearehackerone.com) for sign up and all testing\n* Add the following header to your request: X-HackerOne-Research: \u003cYOUR-USERNAME\u003e\n* You will configure any automated tools you may be using to a speed of no more than 3 requests per second\n*  Do not use multiple IP addresses when testing\n*  Do not disclose a vulnerability publicly without express written consent from 23andMe. Permission is still required after the fix is confirmed to be in place. Failure to comply with this could lead to disciplinary actions including disqualification of a bounty payment and removal from the program\n* Only interact with accounts you own or with the explicit permission of the account holder\n* Do not perform security testing on websites that are out of scope for this test and not operated by 23andMe\n* Once you’ve established that a vulnerability exists or you encounter any sensitive data (including personally identifiable information, financial information, or proprietary/confidential information or trade secrets of any party), you must stop your test, notify us immediately, and not disclose this data to anyone else\n* Please provide detailed reports with reproducible steps. 
If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per-report, unless you need to chain vulnerabilities to provide impact\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced)\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service\n* Valid submissions that fail to demonstrate a security risk are not eligible for a reward. 23andMe is ultimately responsible for determining the severity of all submissions\n* Do not perform brute-force style attacks or any attack that could potentially cause a denial-of service to any of 23andMe's applications or infrastructure\n* We may change the terms of this program at any time. Participating in this program after the changes become effective means you agree to be bound by the new terms. If you do not agree to the new terms, you must not participate in the program\n\n\n# Test Plan \n This is how you gain access to test authenticated features. Note:  In the future we will provide a non-production environment for testing.\n\n* Users are able to sign up for a free account [here](https://auth.23andme.com/signup) for 23andMe \n\n(Don't forget  use your **hacker email alias** when testing h1username@wearehackerone.com for sign up and all testing)\n\n\n# Session Layer: \nAs mentioned previously researchers should update include a header of the form below to all request during automated and manual analysis.  This assists us in identifying benign traffic and avoids your IP address from being banned by our perimeter protection devices. 
\n*  X-HackerOne-Research: \u003cYOUR-USERNAME\u003e.\n\n\n# Focus Areas\n Submissions of these classes are guaranteed to make us happy and should equally make you happy $\n* Sensitive Data Exposure\n* Remote Code Execution (RCE)\n* Authentication Bypass\n* Broken Access Control \n* Injection (SQLi or equivalent)\n* Server Side Request Forgery (SSRF)\n* Local/Remote File Inclusion (LFI/RFI)\n* Malicious File Uploads\n* XML External Entities (XXE)\n* Stored/Reflected Cross Site Scripting\n* Ability to exfiltrate and use AWS credentials\n* Improperly configured AWS, GAE, or GCP infrastructure leading to data leakage\n\n# Out of scope vulnerabilities\n### When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n* Unintentional reflection of self-reported data in the application that may be treated as secure information for identity verification elsewhere in the application\n* Our Store uses Paypal's Braintree on the backend to process orders. Any issues that will be identified on Braintree's end should be reported [here](https://hackerone.com/paypal?type=team). 
Please use this \n program to only submit issues that can be fixed on 23andMe's end\n* Submissions as a result of data obtained from past or present data dumps\n* Insecure Direct Object Reference where profile is participating in the DNA Relatives feature with open sharing option enabled\n* Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis\n* Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* 23andMe Mobile applications\n* Clickjacking on pages with no sensitive actions\n* Issues that require unlikely user interaction\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n* Attacks requiring MITM or physical access to a user's device\n* Previously known vulnerable libraries without a working Proof of Concept\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability\n* Missing best practices in SSL/TLS configuration\n* Any activity that could lead to the disruption of our service (DoS).\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Rate limiting or bruteforce issues on non-authentication endpoints\n* Missing best practices in Content Security Policy\n* Missing HttpOnly or Secure flags on cookies\n* Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. 
stack traces, application or server errors)\n* Tabnabbing\n* Use of known libraries without actual proof of concept\n* Missing Security Headers \n* Open redirect - unless an additional security impact can be demonstrated\n* Vulnerabilities that require physical access to users' devices for exploitation\n\n\nHappy Hunting Bug Connoisseur's!\n \n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-02-23T18:07:35.464Z"},{"id":3712552,"new_policy":"## Welcome Security Research Community! \n\n23andMe acknowledges that no technology is perfect and we believe that working with skilled Security Researchers across the globe is crucial in identifying vulnerabilities in any technology. Thus, we encourage responsible disclosure of security vulnerabilities via our Bug Bounty Program described on this page.\nWe are excited for you to participate as a Security Researcher to identify potential vulnerabilities in our Web Applications, APIs and Cloud Infrastructure. We welcome working with you to resolve the issue promptly.\n\nTesting is only authorized on the targets explicitly listed as In-Scope. **Any domain/property of 23andMe not listed in the targets section is out of scope. This includes any/all subdomains not listed. 
Anything not explicitly defined In-Scope is by default Out-of-Scope.** If you believe you've identified a vulnerability on a system outside the scope, please reach out to support@hackerone.com before submitting it\n\n**When creating an account:** ==Use your **hacker email alias** when testing (h1username@wearehackerone.com) for sign up and all testing== \n**When testing:** \n- ==Please add the following header to your request: X-HackerOne-Research: \u003cYOUR-USERNAME\u003e.== Providing this information helps us differentiate your activity against traffic generated by possible malicious actors and may help avoid blocking your IP address!\n-   ==Do not use vulnerability scanners! For custom tooling an acceptable request rate is no more than 3 requests per second==\n\nFailure to abide to these could jeopardize us providing bounty's and causes unnecessary friction we hope to avoid. These are also copied in our Program Rules for completeness.\n\n# Response Targets\n23andMe will make a best effort to meet the following response targets for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 5 days |\n| Time to Bounty | 15 days |\n| Time to Resolution | Variable depening on severity and complexity |\n\n\n# Disclosure Policy\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Program Rules \n### Read these carefully to ensure you have a great time with our program\n* Use your **hacker email alias** when testing (h1username@wearehackerone.com) for sign up and all testing\n* Add the following header to your request: X-HackerOne-Research: \u003cYOUR-USERNAME\u003e\n* You will configure any automated tools you may be using to a speed of no more than 3 requests per second\n*  Do not use multiple IP addresses when testing\n*  Do not disclose a vulnerability publicly without express written consent from 23andMe. 
Permission is still required after the fix is confirmed to be in place. Failure to comply with this could lead to disciplinary actions including disqualification of a bounty payment and removal from the program\n* Only interact with accounts you own or with the explicit permission of the account holder\n* Do not perform security testing on websites that are out of scope for this test and not operated by 23andMe\n* Once you’ve established that a vulnerability exists or you encounter any sensitive data (including personally identifiable information, financial information, or proprietary/confidential information or trade secrets of any party), you must stop your test, notify us immediately, and not disclose this data to anyone else\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per-report, unless you need to chain vulnerabilities to provide impact\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced)\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service\n* Valid submissions that fail to demonstrate a security risk are not eligible for a reward. 23andMe is ultimately responsible for determining the severity of all submissions\n* Do not perform brute-force style attacks or any attack that could potentially cause a denial-of service to any of 23andMe's applications or infrastructure\n* We may change the terms of this program at any time. Participating in this program after the changes become effective means you agree to be bound by the new terms. 
If you do not agree to the new terms, you must not participate in the program\n\n\n# Test Plan \n This is how you gain access to test authenticated features. Note:  In the future we will provide a non-production environment for testing.\n\n* Users are able to sign up for a free account [here](https://auth.23andme.com/signup) for 23andMe \n\n(Don't forget  use your **hacker email alias** when testing h1username@wearehackerone.com for sign up and all testing)\n\n\n# Session Layer: \nAs mentioned previously researchers should update include a header of the form below to all request during automated and manual analysis.  This assists us in identifying benign traffic and avoids your IP address from being banned by our perimeter protection devices. \n*  X-HackerOne-Research: \u003cYOUR-USERNAME\u003e.\n\n\n# Focus Areas\n Submissions of these classes are guaranteed to make us happy and should equally make you happy $\n* Sensitive Data Exposure\n* Remote Code Execution (RCE)\n* Authentication Bypass\n* Broken Access Control \n* Injection (SQLi or equivalent)\n* Server Side Request Forgery (SSRF)\n* Local/Remote File Inclusion (LFI/RFI)\n* Malicious File Uploads\n* XML External Entities (XXE)\n* Stored/Reflected Cross Site Scripting\n* Ability to exfiltrate and use AWS credentials\n* Improperly configured AWS, GAE, or GCP infrastructure leading to data leakage\n* Ability to exfiltrate and use AWS credentials\n* Improperly configured AWS, GAE, or GCP infrastructure leading to data leakage\n\n\n# Out of scope vulnerabilities\n### When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n* Unintentional reflection of self-reported data in the application that may be treated as secure information for identity verification elsewhere in the application\n* Our Store uses Paypal's Braintree on the backend to process orders. 
Any issues that will be identified on Braintree's end should be reported [here](https://hackerone.com/paypal?type=team). Please use this \n program to only submit issues that can be fixed on 23andMe's end\n* Submissions as a result of data obtained from past or present data dumps\n* Insecure Direct Object Reference where profile is participating in the DNA Relatives feature with open sharing option enabled\n* Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis\n* Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* 23andMe Mobile applications\n* Clickjacking on pages with no sensitive actions\n* Issues that require unlikely user interaction\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n* Attacks requiring MITM or physical access to a user's device\n* Previously known vulnerable libraries without a working Proof of Concept\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability\n* Missing best practices in SSL/TLS configuration\n* Any activity that could lead to the disruption of our service (DoS).\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Rate limiting or bruteforce issues on non-authentication endpoints\n* Missing best practices in Content Security Policy\n* Missing HttpOnly or Secure flags on cookies\n* Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. 
stack traces, application or server errors)\n* Tabnabbing\n* Use of known libraries without actual proof of concept\n* Missing Security Headers \n* Open redirect - unless an additional security impact can be demonstrated\n* Vulnerabilities that require physical access to users' devices for exploitation\n\n\nHappy Hunting Bug Connoisseur's!\n \n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-02-12T21:32:10.350Z"},{"id":3711019,"new_policy":"## Welcome Security Research Community! \n\n23andMe acknowledges that no technology is perfect and we believe that working with skilled Security Researchers across the globe is crucial in identifying vulnerabilities in any technology. Thus, we encourage responsible disclosure of security vulnerabilities via our Bug Bounty Program described on this page.\nWe are excited for you to participate as a Security Researcher to identify potential vulnerabilities in our Web Applications, APIs and Cloud Infrastructure. We welcome working with you to resolve the issue promptly.\n\nTesting is only authorized on the targets explicitly listed as In-Scope. **Any domain/property of 23andMe not listed in the targets section is out of scope. This includes any/all subdomains not listed. 
Anything not explicitly defined In-Scope is by default Out-of-Scope.** If you believe you've identified a vulnerability on a system outside the scope, please reach out to support@hackerone.com before submitting it\n\n**When creating an account:** ==Use your **hacker email alias** when testing (h1username@wearehackerone.com) for sign up and all testing== \n**When testing:** \n- ==Please add the following header to your request: X-HackerOne-Research: \u003cYOUR-USERNAME\u003e.== Providing this information helps us differentiate your activity against traffic generated by possible malicious actors and may help avoid blocking your IP address!\n-   ==Do not use vulnerability scanners! For custom tooling an acceptable request rate is no more than 3 requests per second==\n\nFailure to abide to these could jeopardize us providing bounty's and causes unnecessary friction we hope to avoid. These are also copied in our Program Rules for completeness.\n\n# Response Targets\n23andMe will make a best effort to meet the following response targets for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 5 days |\n| Time to Bounty | 15 days |\n| Time to Resolution | Variable depening on severity and complexity |\n\n\n# Disclosure Policy\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Program Rules \n### Read these carefully to ensure you have a great time with our program\n* Use your **hacker email alias** when testing (h1username@wearehackerone.com) for sign up and all testing\n* Add the following header to your request: X-HackerOne-Research: \u003cYOUR-USERNAME\u003e\n* You will configure any automated tools you may be using to a speed of no more than 3 requests per second\n*  Do not use multiple IP addresses when testing\n*  Do not disclose a vulnerability publicly without express written consent from 23andMe. 
Permission is still required after the fix is confirmed to be in place. Failure to comply with this could lead to disciplinary actions including disqualification of a bounty payment and removal from the program\n* Only interact with accounts you own or with the explicit permission of the account holder\n* Do not perform security testing on websites that are out of scope for this test and not operated by 23andMe\n* Once you’ve established that a vulnerability exists or you encounter any sensitive data (including personally identifiable information, financial information, or proprietary/confidential information or trade secrets of any party), you must stop your test, notify us immediately, and not disclose this data to anyone else\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per-report, unless you need to chain vulnerabilities to provide impact\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced)\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service\n* Valid submissions that fail to demonstrate a security risk are not eligible for a reward. 23andMe is ultimately responsible for determining the severity of all submissions\n* Do not perform brute-force style attacks or any attack that could potentially cause a denial-of service to any of 23andMe's applications or infrastructure\n* We may change the terms of this program at any time. Participating in this program after the changes become effective means you agree to be bound by the new terms. 
If you do not agree to the new terms, you must not participate in the program\n\n\n# Test Plan \n This is how you gain access to test authenticated features. Note:  In the future we will provide a non-production environment for testing.\n\n* Users are able to sign up for a free account [here](https://auth.23andme.com/signup) for 23andMe \n\n(Don't forget  use your **hacker email alias** when testing h1username@wearehackerone.com for sign up and all testing)\n\n\n# Session Layer: \nAs mentioned previously researchers should update include a header of the form below to all request during automated and manual analysis.  This assists us in identifying benign traffic and avoids your IP address from being banned by our perimeter protection devices. \n*  X-HackerOne-Research: \u003cYOUR-USERNAME\u003e.\n\n\n# Focus Areas\n Submissions of these classes are guaranteed to make us happy and should equally make you happy $\n* Sensitive Data Exposure\n* Remote Code Execution (RCE)\n* Authentication Bypass\n* Broken Access Control \n* Injection (SQLi or equivalent)\n* Server Side Request Forgery (SSRF)\n* Local/Remote File Inclusion (LFI/RFI)\n* Malicious File Uploads\n* XML External Entities (XXE)\n* Stored/Reflected Cross Site Scripting\n* Ability to exfiltrate and use AWS credentials\n* Improperly configured AWS, GAE, or GCP infrastructure leading to data leakage\n* Ability to exfiltrate and use AWS credentials\n* Improperly configured AWS, GAE, or GCP infrastructure leading to data leakage\n\n\n# Out of scope vulnerabilities\n### When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n* Our Store uses Paypal's Braintree on the backend to process orders. Any issues that will be identified on Braintree's end should be reported [here](https://hackerone.com/paypal?type=team). 
Please use this \n program to only submit issues that can be fixed on 23andMe's end\n* Submissions as a result of data obtained from past or present data dumps\n* Insecure Direct Object Reference where profile is participating in the DNA Relatives feature with open sharing option enabled\n* Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis\n* Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* 23andMe Mobile applications\n* Clickjacking on pages with no sensitive actions\n* Issues that require unlikely user interaction\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n* Attacks requiring MITM or physical access to a user's device\n* Previously known vulnerable libraries without a working Proof of Concept\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability\n* Missing best practices in SSL/TLS configuration\n* Any activity that could lead to the disruption of our service (DoS).\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Rate limiting or bruteforce issues on non-authentication endpoints\n* Missing best practices in Content Security Policy\n* Missing HttpOnly or Secure flags on cookies\n* Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. 
stack traces, application or server errors)\n* Tabnabbing\n* Use of known libraries without actual proof of concept\n* Missing Security Headers \n* Open redirect - unless an additional security impact can be demonstrated\n* Vulnerabilities that require physical access to users' devices for exploitation\n\n\nHappy Hunting Bug Connoisseur's!\n \n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-01-18T22:26:21.707Z"},{"id":3711018,"new_policy":"## Welcome Security Research Community! \n\n23andMe acknowledges that no technology is perfect and we believe that working with skilled Security Researchers across the globe is crucial in identifying vulnerabilities in any technology. Thus, we encourage responsible disclosure of security vulnerabilities via our Bug Bounty Program described on this page.\nWe are excited for you to participate as a Security Researcher to identify potential vulnerabilities in our Web Applications, APIs and Cloud Infrastructure. We welcome working with you to resolve the issue promptly.\n\nTesting is only authorized on the targets explicitly listed as In-Scope. **Any domain/property of 23andMe not listed in the targets section is out of scope. This includes any/all subdomains not listed. 
Anything not explicitly defined In-Scope is by default Out-of-Scope.** If you believe you've identified a vulnerability on a system outside the scope, please reach out to support@hackerone.com before submitting it.\n\n**When creating an account:** ==Use your **hacker email alias** (h1username@wearehackerone.com) for sign-up and all testing==\n**When testing:**\n- ==Please add the following header to your requests: X-HackerOne-Research: \u003cYOUR-USERNAME\u003e.== Providing this information helps us differentiate your activity from traffic generated by potentially malicious actors and may help avoid blocking your IP address!\n- ==Do not use vulnerability scanners! For custom tooling, an acceptable request rate is no more than 3 requests per second==\n\nFailure to abide by these could jeopardize bounty payments and cause unnecessary friction we hope to avoid. These are also copied in our Program Rules for completeness.\n\n# Response Targets\n23andMe will make a best effort to meet the following response targets for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 5 days |\n| Time to Bounty | 15 days |\n| Time to Resolution | Variable depending on severity and complexity |\n\n\n# Disclosure Policy\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Program Rules\n### Read these carefully to ensure you have a great time with our program\n* Use your **hacker email alias** (h1username@wearehackerone.com) for sign-up and all testing\n* Add the following header to all your requests: X-HackerOne-Research: \u003cYOUR-USERNAME\u003e\n* Configure any automated tools you may be using to a speed of no more than 3 requests per second\n* Do not use multiple IP addresses when testing\n* Do not disclose a vulnerability publicly without express written consent from 23andMe. 
Permission is still required after the fix is confirmed to be in place. Failure to comply with this could lead to disciplinary actions, including disqualification of a bounty payment and removal from the program\n* Only interact with accounts you own or with the explicit permission of the account holder\n* Do not perform security testing on websites that are out of scope for this test and not operated by 23andMe\n* Once you’ve established that a vulnerability exists or you encounter any sensitive data (including personally identifiable information, financial information, or proprietary/confidential information or trade secrets of any party), you must stop your test, notify us immediately, and not disclose this data to anyone else\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to demonstrate impact\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced)\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited\n* Make a good-faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service\n* Valid submissions that fail to demonstrate a security risk are not eligible for a reward. 23andMe is ultimately responsible for determining the severity of all submissions\n* Do not perform brute-force-style attacks or any attack that could potentially cause a denial of service to any of 23andMe's applications or infrastructure\n* We may change the terms of this program at any time. Participating in this program after the changes become effective means you agree to be bound by the new terms. 
If you do not agree to the new terms, you must not participate in the program\n\n\n# Test Plan\nThis is how you gain access to test authenticated features. Note: in the future we will provide a non-production environment for testing.\n\n* Users are able to sign up for a free 23andMe account [here](https://auth.23andme.com/signup)\n\n(Don't forget to use your **hacker email alias** (h1username@wearehackerone.com) for sign-up and all testing)\n\n\n# Session Layer\nResearchers should update their User-Agent (manual testing \u0026 automated tools) to include their HackerOne username. This assists us in identifying benign traffic and prevents your IP address from being banned by our perimeter protection devices.\n* User-Agent: [HackerOne-username]\n\n\n# Focus Areas\nSubmissions in these classes are guaranteed to make us happy and should equally make you happy $\n* Sensitive Data Exposure\n* Remote Code Execution (RCE)\n* Authentication Bypass\n* Broken Access Control\n* Injection (SQLi or equivalent)\n* Server-Side Request Forgery (SSRF)\n* Local/Remote File Inclusion (LFI/RFI)\n* Malicious File Uploads\n* XML External Entities (XXE)\n* Stored/Reflected Cross-Site Scripting\n* Ability to exfiltrate and use AWS credentials\n* Improperly configured AWS, GAE, or GCP infrastructure leading to data leakage\n\n\n# Out of scope vulnerabilities\n### When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n* Our Store uses PayPal's Braintree on the backend to process orders. Any issues identified on Braintree's end should be reported [here](https://hackerone.com/paypal?type=team). 
Please use this program to submit only issues that can be fixed on 23andMe's end\n* Submissions resulting from data obtained from past or present data dumps\n* Insecure Direct Object Reference where the profile is participating in the DNA Relatives feature with the open sharing option enabled\n* Public zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case-by-case basis\n* Missing email best practices (invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* 23andMe mobile applications\n* Clickjacking on pages with no sensitive actions\n* Issues that require unlikely user interaction\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n* Attacks requiring MITM or physical access to a user's device\n* Previously known vulnerable libraries without a working Proof of Concept\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability\n* Missing best practices in SSL/TLS configuration\n* Any activity that could lead to the disruption of our service (DoS)\n* Content spoofing and text injection issues without showing an attack vector or being able to modify HTML/CSS\n* Rate limiting or brute-force issues on non-authentication endpoints\n* Missing best practices in Content Security Policy\n* Missing HttpOnly or Secure flags on cookies\n* Vulnerabilities only affecting users of outdated or unpatched browsers [less than 2 stable versions behind the latest released stable version]\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. 
stack traces, application or server errors)\n* Tabnabbing\n* Use of known libraries without an actual proof of concept\n* Missing security headers\n* Open redirect - unless an additional security impact can be demonstrated\n* Vulnerabilities that require physical access to users' devices for exploitation\n\n\nHappy Hunting, Bug Connoisseurs!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-01-18T22:24:43.163Z"},{"id":3711010,"new_policy":"## Welcome, Security Research Community!\n\n23andMe acknowledges that no technology is perfect, and we believe that working with skilled Security Researchers across the globe is crucial to identifying vulnerabilities in any technology. Thus, we encourage responsible disclosure of security vulnerabilities via our Bug Bounty Program described on this page.\nWe are excited for you to participate as a Security Researcher to identify potential vulnerabilities in our Web Applications, APIs and Cloud Infrastructure. We welcome working with you to resolve issues promptly.\n\nTesting is only authorized on the targets explicitly listed as In-Scope. **Any domain/property of 23andMe not listed in the targets section is out of scope. This includes any/all subdomains not listed. 
Anything not explicitly defined In-Scope is by default Out-of-Scope.** If you believe you've identified a vulnerability on a system outside the scope, please reach out to support@hackerone.com before submitting it.\n\n**When creating an account:** ==Use your **hacker email alias** (h1username@wearehackerone.com) for sign-up and all testing==\n**When testing:**\n- ==Please add the following header to your requests: X-HackerOne-Research: \u003cYOUR-USERNAME\u003e.== Providing this information helps us differentiate your activity from traffic generated by potentially malicious actors and may help avoid blocking your IP address!\n- ==Do not use vulnerability scanners! For custom tooling, an acceptable request rate is no more than 3 requests per second==\n\nFailure to abide by these could jeopardize bounty payments and cause unnecessary friction we hope to avoid. These are also copied in our Program Rules for completeness.\n\n# Response Targets\n23andMe will make a best effort to meet the following response targets for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 5 days |\n| Time to Bounty | 15 days |\n| Time to Resolution | Variable depending on severity and complexity |\n\n\n# Disclosure Policy\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Program Rules\n### Read these carefully to ensure you have a great time with our program\n* Use your **hacker email alias** (h1username@wearehackerone.com) for sign-up and all testing\n* Add the following header to all your requests: X-HackerOne-Research: \u003cYOUR-USERNAME\u003e\n* Configure any automated tools you may be using to a speed of no more than 3 requests per second\n* Do not disclose a vulnerability publicly without express written consent from 23andMe. 
Permission is still required after the fix is confirmed to be in place. Failure to comply with this could lead to disciplinary actions, including disqualification of a bounty payment and removal from the program\n* Only interact with accounts you own or with the explicit permission of the account holder\n* Do not perform security testing on websites that are out of scope for this test and not operated by 23andMe\n* Once you’ve established that a vulnerability exists or you encounter any sensitive data (including personally identifiable information, financial information, or proprietary/confidential information or trade secrets of any party), you must stop your test, notify us immediately, and not disclose this data to anyone else\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to demonstrate impact\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced)\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited\n* Make a good-faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service\n* Valid submissions that fail to demonstrate a security risk are not eligible for a reward. 23andMe is ultimately responsible for determining the severity of all submissions\n* Do not perform brute-force-style attacks or any attack that could potentially cause a denial of service to any of 23andMe's applications or infrastructure\n* We may change the terms of this program at any time. Participating in this program after the changes become effective means you agree to be bound by the new terms. 
If you do not agree to the new terms, you must not participate in the program\n\n\n# Test Plan\nThis is how you gain access to test authenticated features. Note: in the future we will provide a non-production environment for testing.\n\n* Users are able to sign up for a free 23andMe account [here](https://auth.23andme.com/signup)\n\n(Don't forget to use your **hacker email alias** (h1username@wearehackerone.com) for sign-up and all testing)\n\n\n# Session Layer\nResearchers should update their User-Agent (manual testing \u0026 automated tools) to include their HackerOne username. This assists us in identifying benign traffic and prevents your IP address from being banned by our perimeter protection devices.\n* User-Agent: [HackerOne-username]\n\n\n# Focus Areas\nSubmissions in these classes are guaranteed to make us happy and should equally make you happy $\n* Sensitive Data Exposure\n* Remote Code Execution (RCE)\n* Authentication Bypass\n* Broken Access Control\n* Injection (SQLi or equivalent)\n* Server-Side Request Forgery (SSRF)\n* Local/Remote File Inclusion (LFI/RFI)\n* Malicious File Uploads\n* XML External Entities (XXE)\n* Stored/Reflected Cross-Site Scripting\n* Ability to exfiltrate and use AWS credentials\n* Improperly configured AWS, GAE, or GCP infrastructure leading to data leakage\n\n\n# Out of scope vulnerabilities\n### When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n* Our Store uses PayPal's Braintree on the backend to process orders. Any issues identified on Braintree's end should be reported [here](https://hackerone.com/paypal?type=team). 
Please use this program to submit only issues that can be fixed on 23andMe's end\n* Submissions resulting from data obtained from past or present data dumps\n* Insecure Direct Object Reference where the profile is participating in the DNA Relatives feature with the open sharing option enabled\n* Public zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case-by-case basis\n* Missing email best practices (invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* 23andMe mobile applications\n* Clickjacking on pages with no sensitive actions\n* Issues that require unlikely user interaction\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n* Attacks requiring MITM or physical access to a user's device\n* Previously known vulnerable libraries without a working Proof of Concept\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability\n* Missing best practices in SSL/TLS configuration\n* Any activity that could lead to the disruption of our service (DoS)\n* Content spoofing and text injection issues without showing an attack vector or being able to modify HTML/CSS\n* Rate limiting or brute-force issues on non-authentication endpoints\n* Missing best practices in Content Security Policy\n* Missing HttpOnly or Secure flags on cookies\n* Vulnerabilities only affecting users of outdated or unpatched browsers [less than 2 stable versions behind the latest released stable version]\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. 
stack traces, application or server errors)\n* Tabnabbing\n* Use of known libraries without an actual proof of concept\n* Missing security headers\n* Open redirect - unless an additional security impact can be demonstrated\n* Vulnerabilities that require physical access to users' devices for exploitation\n\n\nHappy Hunting, Bug Connoisseurs!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-01-18T19:29:41.316Z"},{"id":3711009,"new_policy":"## Welcome, Security Research Community!\n\n23andMe acknowledges that no technology is perfect, and we believe that working with skilled Security Researchers across the globe is crucial to identifying vulnerabilities in any technology. Thus, we encourage responsible disclosure of security vulnerabilities via our Bug Bounty Program described on this page.\nWe are excited for you to participate as a Security Researcher to identify potential vulnerabilities in our Web Applications, APIs and Cloud Infrastructure. We welcome working with you to resolve issues promptly.\n\nTesting is only authorized on the targets explicitly listed as In-Scope. **Any domain/property of 23andMe not listed in the targets section is out of scope. This includes any/all subdomains not listed. 
Anything not explicitly defined In-Scope is by default Out-of-Scope.** If you believe you've identified a vulnerability on a system outside the scope, please reach out to support@hackerone.com before submitting it.\n\n**When creating an account:** ==Use your **hacker email alias** (h1username@wearehackerone.com) for sign-up and all testing==\n**When testing:**\n- ==Please add the following header to your requests: X-HackerOne-Research: \u003cYOUR-USERNAME\u003e.== Providing this information helps us differentiate your activity from traffic generated by potentially malicious actors and may help avoid blocking your IP address!\n- ==Do not use vulnerability scanners! For custom tooling, an acceptable request rate is no more than 3 requests per second==\n\nFailure to abide by these could jeopardize bounty payments and cause unnecessary friction. These are also copied in our Program Rules for completeness - Thank You!\n\n# Response Targets\n23andMe will make a best effort to meet the following response targets for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 5 days |\n| Time to Bounty | 15 days |\n| Time to Resolution | Variable depending on severity and complexity |\n\n\n# Disclosure Policy\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Program Rules\n### Read these carefully to ensure you have a great time with our program\n* Use your **hacker email alias** (h1username@wearehackerone.com) for sign-up and all testing\n* Add the following header to all your requests: X-HackerOne-Research: \u003cYOUR-USERNAME\u003e\n* Configure any automated tools you may be using to a speed of no more than 3 requests per second\n* Do not disclose a vulnerability publicly without express written consent from 23andMe. 
Permission is still required after the fix is confirmed to be in place. Failure to comply with this could lead to disciplinary actions, including disqualification of a bounty payment and removal from the program\n* Only interact with accounts you own or with the explicit permission of the account holder\n* Do not perform security testing on websites that are out of scope for this test and not operated by 23andMe\n* Once you’ve established that a vulnerability exists or you encounter any sensitive data (including personally identifiable information, financial information, or proprietary/confidential information or trade secrets of any party), you must stop your test, notify us immediately, and not disclose this data to anyone else\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to demonstrate impact\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced)\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited\n* Make a good-faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service\n* Valid submissions that fail to demonstrate a security risk are not eligible for a reward. 23andMe is ultimately responsible for determining the severity of all submissions\n* Do not perform brute-force-style attacks or any attack that could potentially cause a denial of service to any of 23andMe's applications or infrastructure\n* We may change the terms of this program at any time. Participating in this program after the changes become effective means you agree to be bound by the new terms. 
If you do not agree to the new terms, you must not participate in the program\n\n\n# Test Plan\nThis is how you gain access to test authenticated features. Note: in the future we will provide a non-production environment for testing.\n\n* Users are able to sign up for a free 23andMe account [here](https://auth.23andme.com/signup)\n\n(Don't forget to use your **hacker email alias** (h1username@wearehackerone.com) for sign-up and all testing)\n\n\n# Session Layer\nResearchers should update their User-Agent (manual testing \u0026 automated tools) to include their HackerOne username. This assists us in identifying benign traffic and prevents your IP address from being banned by our perimeter protection devices.\n* User-Agent: [HackerOne-username]\n\n\n# Focus Areas\nSubmissions in these classes are guaranteed to make us happy and should equally make you happy $\n* Sensitive Data Exposure\n* Remote Code Execution (RCE)\n* Authentication Bypass\n* Broken Access Control\n* Injection (SQLi or equivalent)\n* Server-Side Request Forgery (SSRF)\n* Local/Remote File Inclusion (LFI/RFI)\n* Malicious File Uploads\n* XML External Entities (XXE)\n* Stored/Reflected Cross-Site Scripting\n* Ability to exfiltrate and use AWS credentials\n* Improperly configured AWS, GAE, or GCP infrastructure leading to data leakage\n\n\n# Out of scope vulnerabilities\n### When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n* Our Store uses PayPal's Braintree on the backend to process orders. Any issues identified on Braintree's end should be reported [here](https://hackerone.com/paypal?type=team). 
Please use this program to submit only issues that can be fixed on 23andMe's end\n* Submissions resulting from data obtained from past or present data dumps\n* Insecure Direct Object Reference where the profile is participating in the DNA Relatives feature with the open sharing option enabled\n* Public zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case-by-case basis\n* Missing email best practices (invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* 23andMe mobile applications\n* Clickjacking on pages with no sensitive actions\n* Issues that require unlikely user interaction\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n* Attacks requiring MITM or physical access to a user's device\n* Previously known vulnerable libraries without a working Proof of Concept\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability\n* Missing best practices in SSL/TLS configuration\n* Any activity that could lead to the disruption of our service (DoS)\n* Content spoofing and text injection issues without showing an attack vector or being able to modify HTML/CSS\n* Rate limiting or brute-force issues on non-authentication endpoints\n* Missing best practices in Content Security Policy\n* Missing HttpOnly or Secure flags on cookies\n* Vulnerabilities only affecting users of outdated or unpatched browsers [less than 2 stable versions behind the latest released stable version]\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. 
stack traces, application or server errors)\n* Tabnabbing\n* Use of known libraries without an actual proof of concept\n* Missing security headers\n* Open redirect - unless an additional security impact can be demonstrated\n* Vulnerabilities that require physical access to users' devices for exploitation\n\n\nHappy Hunting, Bug Connoisseurs!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-01-18T19:17:00.738Z"},{"id":3709346,"new_policy":"## Welcome, Security Research Community!\n\n23andMe acknowledges that no technology is perfect, and we believe that working with skilled Security Researchers across the globe is crucial to identifying vulnerabilities in any technology. Thus, we encourage responsible disclosure of security vulnerabilities via our Bug Bounty Program described on this page.\nWe are excited for you to participate as a Security Researcher to identify potential vulnerabilities in our Web Applications, APIs and Cloud Infrastructure. We welcome working with you to resolve issues promptly.\n\nTesting is only authorized on the targets explicitly listed as In-Scope. **Any domain/property of 23andMe not listed in the targets section is out of scope. This includes any/all subdomains not listed. 
Anything not explicitly defined In-Scope is by default Out-of-Scope.** If you believe you've identified a vulnerability on a system outside the scope, please reach out to support@hackerone.com before submitting it.\n\n\n# Response Targets\n23andMe will make a best effort to meet the following response targets for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 5 days |\n| Time to Bounty | 15 days |\n| Time to Resolution | Variable depending on severity and complexity |\n\n\n# Disclosure Policy\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Program Rules\n### Read these carefully to ensure you have a great time with our program\n* Use your **hacker email alias** (h1username@wearehackerone.com) for sign-up and all testing\n* Do not disclose a vulnerability publicly without express written consent from 23andMe. Permission is still required after the fix is confirmed to be in place. Failure to comply with this could lead to disciplinary actions, including disqualification of a bounty payment and removal from the program\n* Only interact with accounts you own or with the explicit permission of the account holder\n* Do not perform security testing on websites that are out of scope for this test and not operated by 23andMe\n* Once you’ve established that a vulnerability exists or you encounter any sensitive data (including personally identifiable information, financial information, or proprietary/confidential information or trade secrets of any party), you must stop your test, notify us immediately, and not disclose this data to anyone else\n* Please provide detailed reports with reproducible steps. 
If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to demonstrate impact\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced)\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited\n* Configure any automated tools you may be using to a speed of no more than 3 requests per second\n* Make a good-faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service\n* Valid submissions that fail to demonstrate a security risk are not eligible for a reward. 23andMe is ultimately responsible for determining the severity of all submissions\n* Do not perform brute-force-style attacks or any attack that could potentially cause a denial of service to any of 23andMe's applications or infrastructure\n* We may change the terms of this program at any time. Participating in this program after the changes become effective means you agree to be bound by the new terms. If you do not agree to the new terms, you must not participate in the program\n\n\n# Test Plan\nThis is how you gain access to test authenticated features. Note: in the future we will provide a non-production environment for testing.\n\n* Users are able to sign up for a free 23andMe account [here](https://auth.23andme.com/signup)\n\n(Don't forget to use your **hacker email alias** (h1username@wearehackerone.com) for sign-up and all testing)\n\n\n# Session Layer\nResearchers should update their User-Agent (manual testing \u0026 automated tools) to include their HackerOne username. This assists us in identifying benign traffic and prevents your IP address from being banned by our perimeter protection devices.
\n* User-Agent: [HackerOne-username]\n\n\n# Focus Areas\nSubmissions in these classes are guaranteed to make us happy and should equally make you happy $\n* Sensitive Data Exposure\n* Remote Code Execution (RCE)\n* Authentication Bypass\n* Broken Access Control\n* Injection (SQLi or equivalent)\n* Server-Side Request Forgery (SSRF)\n* Local/Remote File Inclusion (LFI/RFI)\n* Malicious File Uploads\n* XML External Entities (XXE)\n* Stored/Reflected Cross-Site Scripting\n* Ability to exfiltrate and use AWS credentials\n* Improperly configured AWS, GAE, or GCP infrastructure leading to data leakage\n\n\n# Out of scope vulnerabilities\n### When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n* Our Store uses PayPal's Braintree on the backend to process orders. Any issues identified on Braintree's end should be reported [here](https://hackerone.com/paypal?type=team). 
Please use this program to submit only issues that can be fixed on 23andMe's end\n* Submissions resulting from data obtained from past or present data dumps\n* Insecure Direct Object Reference where the profile is participating in the DNA Relatives feature with the open sharing option enabled\n* Public zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case-by-case basis\n* Missing email best practices (invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* 23andMe mobile applications\n* Clickjacking on pages with no sensitive actions\n* Issues that require unlikely user interaction\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n* Attacks requiring MITM or physical access to a user's device\n* Previously known vulnerable libraries without a working Proof of Concept\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability\n* Missing best practices in SSL/TLS configuration\n* Any activity that could lead to the disruption of our service (DoS)\n* Content spoofing and text injection issues without showing an attack vector or being able to modify HTML/CSS\n* Rate limiting or brute-force issues on non-authentication endpoints\n* Missing best practices in Content Security Policy\n* Missing HttpOnly or Secure flags on cookies\n* Vulnerabilities only affecting users of outdated or unpatched browsers [less than 2 stable versions behind the latest released stable version]\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. 
stack traces, application or server errors)\n* Tabnabbing\n* Use of known libraries without an actual proof of concept\n* Missing Security Headers\n* Open redirect, unless an additional security impact can be demonstrated\n* Vulnerabilities that require physical access to users' devices for exploitation\n\n\nHappy Hunting, Bug Connoisseurs!\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-12-16T00:23:24.536Z"},{"id":3709164,"new_policy":"## Welcome, Security Research Community!\n\n23andMe acknowledges that no technology is perfect, and we believe that working with skilled Security Researchers across the globe is crucial to identifying vulnerabilities in any technology. Thus, we encourage responsible disclosure of security vulnerabilities via our Bug Bounty Program described on this page.\nWe are excited for you to participate as a Security Researcher to identify potential vulnerabilities in our Web Applications, APIs and Cloud Infrastructure. We welcome working with you to resolve issues promptly.\n\nTesting is only authorized on the targets explicitly listed as In-Scope. **Any domain/property of 23andMe not listed in the targets section is out of scope. This includes any/all subdomains not listed. 
Anything not explicitly defined In-Scope is by default Out-of-Scope.** If you believe you've identified a vulnerability on a system outside the scope, please reach out to support@hackerone.com before submitting it.\n\n\n# Response Targets\n23andMe will make a best effort to meet the following response targets for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 5 days |\n| Time to Bounty | 15 days |\n| Time to Resolution | Variable depending on severity and complexity |\n\n\n# Disclosure Policy\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Program Rules\n### Read these carefully to ensure you have a great time with our program\n* Use your **hacker email alias** (h1username@wearehackerone.com) for sign up and all testing\n* When registering for a Lemonaid Health account, please use the string **test** as part of your last name, e.g. h1firstname test-lastname\n* Do not disclose a vulnerability publicly without express written consent from 23andMe. Permission is still required after the fix is confirmed to be in place. Failure to comply with this could lead to disciplinary actions including disqualification of a bounty payment and removal from the program\n* Only interact with accounts you own or with the explicit permission of the account holder\n* Do not perform security testing on websites that are out of scope for this test and not operated by 23andMe\n* Once you’ve established that a vulnerability exists or you encounter any sensitive data (including personally identifiable information, financial information, or proprietary/confidential information or trade secrets of any party), you must stop your test, notify us immediately, and not disclose this data to anyone else\n* Please provide detailed reports with reproducible steps. 
If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced)\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited\n* You will configure any automated tools you may be using to a speed of no more than 3 requests per second\n* Make a good-faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service\n* Valid submissions that fail to demonstrate a security risk are not eligible for a reward. 23andMe is ultimately responsible for determining the severity of all submissions\n* Do not perform brute-force style attacks or any attack that could potentially cause a denial-of-service to any of 23andMe's applications or infrastructure\n* We may change the terms of this program at any time. Participating in this program after the changes become effective means you agree to be bound by the new terms. If you do not agree to the new terms, you must not participate in the program\n\n\n# Test Plan\nThis is how you gain access to test authenticated features. Note: In the future we will provide a non-production environment for testing.\n\n* Users are able to sign up for a free account [here](https://auth.23andme.com/signup) for 23andMe\n* Users are able to sign up for a free account [here](https://clinic.lemonaidhealth.com/register) for Lemonaid Health\n\n(Don't forget to use your **hacker email alias** (h1username@wearehackerone.com) for sign up and all testing)\n\n\n# Session Layer\nResearchers should update their User-Agent (manual testing \u0026 automated tools) to include their HackerOne username. 
This assists us in identifying benign traffic and prevents your IP address from being banned by our perimeter protection devices.\n* User-Agent: [HackerOne-username]\n\n\n# Focus Areas\nSubmissions of these classes are guaranteed to make us happy and should equally make you happy:\n* Sensitive Data Exposure\n* Remote Code Execution (RCE)\n* Authentication Bypass\n* Broken Access Control\n* Injection (SQLi or equivalent)\n* Server-Side Request Forgery (SSRF)\n* Local/Remote File Inclusion (LFI/RFI)\n* Malicious File Uploads\n* XML External Entities (XXE)\n* Stored/Reflected Cross-Site Scripting\n* Ability to exfiltrate and use AWS credentials\n* Improperly configured AWS, GAE, or GCP infrastructure leading to data leakage\n\n\n# Out of scope vulnerabilities\n### When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n* Our Store uses PayPal's Braintree on the backend to process orders. Any issues identified on Braintree's end should be reported [here](https://hackerone.com/paypal?type=team). 
Please use this program only to submit issues that can be fixed on 23andMe's end\n* Submissions as a result of data obtained from past or present data dumps\n* Insecure Direct Object Reference where the profile is participating in the DNA Relatives feature with the open sharing option enabled\n* Public zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case-by-case basis\n* Missing email best practices (invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* 23andMe Mobile applications\n* Clickjacking on pages with no sensitive actions\n* Issues that require unlikely user interaction\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n* Attacks requiring MITM or physical access to a user's device\n* Previously known vulnerable libraries without a working Proof of Concept\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability\n* Missing best practices in SSL/TLS configuration\n* Any activity that could lead to the disruption of our service (DoS)\n* Content spoofing and text injection issues without showing an attack vector or being able to modify HTML/CSS\n* Rate limiting or brute-force issues on non-authentication endpoints\n* Missing best practices in Content Security Policy\n* Missing HttpOnly or Secure flags on cookies\n* Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. 
stack traces, application or server errors)\n* Tabnabbing\n* Use of known libraries without an actual proof of concept\n* Missing Security Headers\n* Open redirect, unless an additional security impact can be demonstrated\n* Vulnerabilities that require physical access to users' devices for exploitation\n\n\nHappy Hunting, Bug Connoisseurs!\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-12-12T18:24:07.349Z"},{"id":3709159,"new_policy":"## Welcome, Security Research Community!\n\n23andMe acknowledges that no technology is perfect, and we believe that working with skilled Security Researchers across the globe is crucial to identifying vulnerabilities in any technology. Thus, we encourage responsible disclosure of security vulnerabilities via our Bug Bounty Program described on this page.\nWe are excited for you to participate as a Security Researcher to identify potential vulnerabilities in our Web Applications, APIs and Cloud Infrastructure. We welcome working with you to resolve issues promptly.\n\nTesting is only authorized on the targets explicitly listed as In-Scope. **Any domain/property of 23andMe not listed in the targets section is out of scope. This includes any/all subdomains not listed. 
Anything not explicitly defined In-Scope is by default Out-of-Scope.** If you believe you've identified a vulnerability on a system outside the scope, please reach out to support@hackerone.com before submitting it.\n\n\n# Response Targets\n23andMe will make a best effort to meet the following response targets for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 5 days |\n| Time to Bounty | 15 days |\n| Time to Resolution | Variable depending on severity and complexity |\n\n\n# Disclosure Policy\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Program Rules\n### Read these carefully to ensure you have a great time with our program\n* Use your **hacker email alias** (h1username@wearehackerone.com) for sign up and all testing\n* Do not disclose a vulnerability publicly without express written consent from 23andMe. Permission is still required after the fix is confirmed to be in place. Failure to comply with this could lead to disciplinary actions including disqualification of a bounty payment and removal from the program\n* Only interact with accounts you own or with the explicit permission of the account holder\n* Do not perform security testing on websites that are out of scope for this test and not operated by 23andMe\n* Once you’ve established that a vulnerability exists or you encounter any sensitive data (including personally identifiable information, financial information, or proprietary/confidential information or trade secrets of any party), you must stop your test, notify us immediately, and not disclose this data to anyone else\n* Please provide detailed reports with reproducible steps. 
If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced)\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited\n* You will configure any automated tools you may be using to a speed of no more than 3 requests per second\n* Make a good-faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service\n* Valid submissions that fail to demonstrate a security risk are not eligible for a reward. 23andMe is ultimately responsible for determining the severity of all submissions\n* Do not perform brute-force style attacks or any attack that could potentially cause a denial-of-service to any of 23andMe's applications or infrastructure\n* We may change the terms of this program at any time. Participating in this program after the changes become effective means you agree to be bound by the new terms. If you do not agree to the new terms, you must not participate in the program\n\n\n# Test Plan\nThis is how you gain access to test authenticated features. Note: In the future we will provide a non-production environment for testing.\n\n* Users are able to sign up for a free account [here](https://auth.23andme.com/signup) for 23andMe\n* Users are able to sign up for a free account [here](https://clinic.lemonaidhealth.com/register) for Lemonaid Health\n\n(Don't forget to use your **hacker email alias** (h1username@wearehackerone.com) for sign up and all testing)\n\n\n# Session Layer\nResearchers should update their User-Agent (manual testing \u0026 automated tools) to include their HackerOne username. 
This assists us in identifying benign traffic and prevents your IP address from being banned by our perimeter protection devices.\n* User-Agent: [HackerOne-username]\n\n\n# Focus Areas\nSubmissions of these classes are guaranteed to make us happy and should equally make you happy:\n* Sensitive Data Exposure\n* Remote Code Execution (RCE)\n* Authentication Bypass\n* Broken Access Control\n* Injection (SQLi or equivalent)\n* Server-Side Request Forgery (SSRF)\n* Local/Remote File Inclusion (LFI/RFI)\n* Malicious File Uploads\n* XML External Entities (XXE)\n* Stored/Reflected Cross-Site Scripting\n* Ability to exfiltrate and use AWS credentials\n* Improperly configured AWS, GAE, or GCP infrastructure leading to data leakage\n\n\n# Out of scope vulnerabilities\n### When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n* Our Store uses PayPal's Braintree on the backend to process orders. Any issues identified on Braintree's end should be reported [here](https://hackerone.com/paypal?type=team). 
Please use this program only to submit issues that can be fixed on 23andMe's end\n* Submissions as a result of data obtained from past or present data dumps\n* Insecure Direct Object Reference where the profile is participating in the DNA Relatives feature with the open sharing option enabled\n* Public zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case-by-case basis\n* Missing email best practices (invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* 23andMe Mobile applications\n* Clickjacking on pages with no sensitive actions\n* Issues that require unlikely user interaction\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n* Attacks requiring MITM or physical access to a user's device\n* Previously known vulnerable libraries without a working Proof of Concept\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability\n* Missing best practices in SSL/TLS configuration\n* Any activity that could lead to the disruption of our service (DoS)\n* Content spoofing and text injection issues without showing an attack vector or being able to modify HTML/CSS\n* Rate limiting or brute-force issues on non-authentication endpoints\n* Missing best practices in Content Security Policy\n* Missing HttpOnly or Secure flags on cookies\n* Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. 
stack traces, application or server errors)\n* Tabnabbing\n* Use of known libraries without an actual proof of concept\n* Missing Security Headers\n* Open redirect, unless an additional security impact can be demonstrated\n* Vulnerabilities that require physical access to users' devices for exploitation\n\n\nHappy Hunting, Bug Connoisseurs!\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-12-12T17:11:16.186Z"}]