[{"id":3691001,"new_policy":"Alibaba BBP looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.\n\n# Response Targets\nAlibaba BBP will make the best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 5 days |\n| Time to Bounty | 2 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Policy\n* Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Reward Level\nBecause Alibaba has a wide range of business running online, a certain kind of vulnerability may cause different impact on different businesses. 
To clarify this kind of impact, we have divided our business into 2 levels, Core Business and Normal Business: \n_**Core Business**_: Products and services that are related to buyers, sellers, trades and shops on in-scope domains.\n_**Normal Business**_: Products and services that are not related to buyers, sellers, trades and shops on in-scope domains.\n\nCore Business reports are rewarded according to the Level 1 table below, and Normal Business reports according to the Level 2 table.\n\n**Level 1**\n\n| Critical | High | Medium | Low |\n| ------------- | ------------- | ------------- | ------------- |\n| $2,500 - $3,250 | $1,000 - $1,300 | $100 - $150 | $30 - $50 |\n\n**Level 2**\n\n| Critical | High | Medium | Low |\n| ------------- | ------------- | ------------- | ------------- |\n| $1,000 - $1,300 | $400 - $520 | $50 - $80 | $20 - $30 |\n\n# Access\nResearchers are free to create their own seller, buyer, etc., accounts on the in-scope applications. No credentials or privileged access will be provided by Alibaba, so accounts are limited to what users can create on their own.\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. 
Only interact with accounts you own or with explicit permission of the account holder.\n\n# Scope\nFor the first stage of Alibaba's Bug Bounty Program, only listed targets are in scope. Other domains/assets owned by Alibaba but not listed are not in scope and are ineligible for bounty.\nYou may submit reports for assets that were previously listed in the Alibaba Response Program to the ASRC platform here: https://security.alibaba.com/ . We may add those assets gradually in the next program phase. Stay tuned for updates!\n\n## _Things to note about the Scope_\n\n**Please note that if an IP belongs to an external Alibaba Cloud customer, it is not in scope.**\n\nIf an IP's description contains 'Alicloud' or 'Aliyun' in the search result here: http://wq.apnic.net/static/search.html, there is a high chance this IP belongs to an external Alibaba Cloud customer, which is not in scope. But please note that this is only a reference, not a hard and fast rule. If you are not sure and the impact is severe enough, you can submit it, and we will look into your report ASAP.\n\n**Vulnerabilities in:**\n*.anydomain.com|cn/[*/]login.htm\n*.anydomain.com|cn/[*/]mini[*]login.htm\n*.anydomain.com|cn/[*/]icbu[*]login.htm\nor patterns like the above URLs\nwill be considered as only ONE valid report, because they share the same back-end service. Also, vulnerabilities in different params of the same URL are considered as ONE valid report.\nThe same vulnerability on different country sites is considered as ONE valid report.\n\n**Aliyuncs.com**\naliyuncs.com is not a 'trusted' domain in our business, so front-end vulnerabilities such as XSS, CSRF, Open Redirection etc. are not in scope. Server-side vulnerabilities are in scope.\n\n**RCE**\nRCE on a non-production environment, such as a cloud server, will be no higher than High severity.\nRCE on a test environment, such as testing webservers, demo sites, etc., will be no higher than Medium severity. 
(We have many testing servers running online; those servers are used only for testing purposes, so RCE on them does not have significant impact.)\n\n**Stored XSS**\nOnly stored XSS (without user interaction) on the main shop page, item detail page or chat page (buyer to seller) can be High severity; all other kinds of stored XSS will be no higher than Medium severity.\n**Please note that the following vulnerability types will not be assessed higher than Medium severity:**\nVulnerabilities that require a user to visit a certain URL or an attacker-controlled URL, for example:\n\n* Reflected XSS\n* Stored XSS that requires the user to visit a certain URL or requires user interaction\n* CSRF\n* CORS\n* JSONP Hijacking\n* OAuth Hijacking\n* Privilege Escalation\n* Unused or abandoned subdomain takeover\n* Arbitrary file upload that only leads to Stored XSS etc.\n\n**Assessment Guidelines for SSRF Vulnerability Severity**\nAlibaba has identified four main types of SSRF for its businesses: \n1. SSRF on Production Network Services\n2. Blind SSRF on Production Network Services\n3. SSRF on Cloud Server\n4. Blind SSRF on Cloud Server\n\nPlease note that the severity of SSRFs may range from Low to Critical. \n\n**Open source projects of Alibaba**\nOpen source projects of Alibaba and Aliyun on GitHub are NOT in this program's scope. 
If you find any vulnerabilities, you can report them on ASRC: https://security.alibaba.com/ .\n\n**CSRF in *.alibaba.com is temporarily OUT of scope**\n\n# Out of scope vulnerabilities\nThe following finding types are specifically excluded: \n* Vulnerabilities affecting users of outdated browsers or platforms\n* Account brute force\n* Account takeover via CSRF/OAuth etc.\n* CRLF\n* Self-XSS\n* Flash-based XSS\n* Tabnabbing\n* Email spoofing\n* Session fixation\n* Cache Poisoning\n* Content Spoofing\n* Missing cookie flags\n* Best practices/issues\n* HTML content injection\n* Mixed content warnings\n* Clickjacking/UI redressing\n* HTTPS/SSL/TLS related issues\n* Physical or social engineering attacks\n* Reflected file download attacks (RFD)\n* Issues that require unlikely user interaction\n* Login/logout/unauthenticated/low-impact CSRF\n* Unverified results of automated tools or scanners\n* No SPF/DMARC in non-email domains/subdomains\n* Attacks requiring MITM or physical access to a user's device\n* Issues related to networking protocols or industry standards\n* Carriage Return Line Feed injection without direct impact (CRLF)\n* Error information disclosure that cannot be used to make a direct attack\n* Missing security-related HTTP headers which do not lead directly to a vulnerability\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\n# Contacting the team\n* Reports: You can communicate with the H1 Team and ASRC Team directly under your H1 report.\n* Events \u0026 Info: ASRC holds events frequently. See: https://security.alibaba.com/online . 
You can also follow our [Twitter](https://twitter.com/asrcsecurity) for updates.\n\nThank you for helping keep Alibaba and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-07-07T06:47:35.487Z"},{"id":3682053,"new_policy":"Alibaba BBP looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.\n\n# Response Targets\nAlibaba BBP will make the best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 5 days |\n| Time to Bounty | 2 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Policy\n* Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Reward Level\nBecause Alibaba has a wide range of business running online, a certain kind of vulnerability may cause different impact on different businesses. 
To clarify this kind of impact, we have divided our business into 2 levels, Core Business and Normal Business: \n_**Core Business**_: Products and services that are related to buyers, sellers, trades and shops on in-scope domains.\n_**Normal Business**_: Products and services that are not related to buyers, sellers, trades and shops on in-scope domains.\n\nCore Business reports are rewarded according to the Level 1 table below, and Normal Business reports according to the Level 2 table.\n\n**Level 1**\n\n| Critical | High | Medium | Low |\n| ------------- | ------------- | ------------- | ------------- |\n| $2,500 - $3,250 | $1,000 - $1,300 | $100 - $150 | $30 - $50 |\n\n**Level 2**\n\n| Critical | High | Medium | Low |\n| ------------- | ------------- | ------------- | ------------- |\n| $1,000 - $1,300 | $400 - $520 | $50 - $80 | $20 - $30 |\n\n# Access\nResearchers are free to create their own seller, buyer, etc., accounts on the in-scope applications. No credentials or privileged access will be provided by Alibaba, so accounts are limited to what users can create on their own.\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. 
Only interact with accounts you own or with explicit permission of the account holder.\n\n# Scope\nFor the first stage of Alibaba's Bug Bounty Program, only listed targets are in scope. Other domains/assets owned by Alibaba but not listed are not in scope and are ineligible for bounty.\nYou may submit reports for assets that were previously listed in the Alibaba Response Program to the ASRC platform here: https://security.alibaba.com/ . We may add those assets gradually in the next program phase. Stay tuned for updates!\n\n## _Things to note about the Scope_\n\n**Please note that if an IP belongs to an external Alibaba Cloud customer, it is not in scope.**\n\nIf an IP's description contains 'Alicloud' or 'Aliyun' in the search result here: http://wq.apnic.net/static/search.html, there is a high chance this IP belongs to an external Alibaba Cloud customer, which is not in scope. But please note that this is only a reference, not a hard and fast rule. If you are not sure and the impact is severe enough, you can submit it, and we will look into your report ASAP.\n\n**Vulnerabilities in:**\n*.anydomain.com|cn/[*/]login.htm\n*.anydomain.com|cn/[*/]mini[*]login.htm\n*.anydomain.com|cn/[*/]icbu[*]login.htm\nor patterns like the above URLs\nwill be considered as only ONE valid report, because they share the same back-end service. Also, vulnerabilities in different params of the same URL are considered as ONE valid report.\nThe same vulnerability on different country sites is considered as ONE valid report.\n\n**Aliyuncs.com**\naliyuncs.com is not a 'trusted' domain in our business, so front-end vulnerabilities such as XSS, CSRF, Open Redirection etc. are not in scope. Server-side vulnerabilities are in scope.\n\n**RCE**\nRCE on a non-production environment, such as a cloud server, will be no higher than High severity.\nRCE on a test environment, such as testing webservers, demo sites, etc., will be no higher than Medium severity. 
(We have many testing servers running online; those servers are used only for testing purposes, so RCE on them does not have significant impact.)\n\n**Stored XSS**\nOnly stored XSS (without user interaction) on the main shop page, item detail page or chat page (buyer to seller) can be High severity; all other kinds of stored XSS will be no higher than Medium severity.\n**Please note that the following vulnerability types will not be assessed higher than Medium severity:**\nVulnerabilities that require a user to visit a certain URL or an attacker-controlled URL, for example:\n\n* Reflected XSS\n* Stored XSS that requires the user to visit a certain URL or requires user interaction\n* CSRF\n* CORS\n* JSONP Hijacking\n* OAuth Hijacking\n* Privilege Escalation\n* Unused or abandoned subdomain takeover\n* Arbitrary file upload that only leads to Stored XSS etc.\n\n**Assessment Guidelines for SSRF Vulnerability Severity**\nAlibaba has identified four main types of SSRF for its businesses: \n1. SSRF on Production Network Services\n2. Blind SSRF on Production Network Services\n3. SSRF on Cloud Server\n4. Blind SSRF on Cloud Server\n\nPlease note that the severity of SSRFs may range from Low to Critical. \n\n**Open source projects of Alibaba**\nOpen source projects of Alibaba and Aliyun on GitHub are NOT in this program's scope. 
If you find any vulnerabilities, you can report them on ASRC: https://security.alibaba.com/ .\n\n**CSRF in *.alibaba.com is temporarily OUT of scope**\n\n# Out of scope vulnerabilities\nThe following finding types are specifically excluded: \n* Vulnerabilities affecting users of outdated browsers or platforms\n* Account brute force\n* Account takeover via CSRF/OAuth etc.\n* Self-XSS\n* Flash-based XSS\n* Tabnabbing\n* Email spoofing\n* Session fixation\n* Content Spoofing\n* Missing cookie flags\n* Best practices/issues\n* HTML content injection\n* Mixed content warnings\n* Clickjacking/UI redressing\n* HTTPS/SSL/TLS related issues\n* Physical or social engineering attacks\n* Reflected file download attacks (RFD)\n* Issues that require unlikely user interaction\n* Login/logout/unauthenticated/low-impact CSRF\n* Unverified results of automated tools or scanners\n* No SPF/DMARC in non-email domains/subdomains\n* Attacks requiring MITM or physical access to a user's device\n* Issues related to networking protocols or industry standards\n* Carriage Return Line Feed injection without direct impact (CRLF)\n* Error information disclosure that cannot be used to make a direct attack\n* Missing security-related HTTP headers which do not lead directly to a vulnerability\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\n# Contacting the team\n* Reports: You can communicate with the H1 Team and ASRC Team directly under your H1 report.\n* Events \u0026 Info: ASRC holds events frequently. See: https://security.alibaba.com/online . 
You can also follow our [Twitter](https://twitter.com/asrcsecurity) for updates.\n\nThank you for helping keep Alibaba and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-01-16T09:32:12.245Z"},{"id":3673774,"new_policy":"Alibaba BBP looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.\n\n# Response Targets\nAlibaba BBP will make the best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 5 days |\n| Time to Bounty | 2 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Policy\n* Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Reward Level\nBecause Alibaba has a wide range of business running online, a certain kind of vulnerability may cause different impact on different businesses. 
To clarify this kind of impact, we have divided our business into 2 levels, Core Business and Normal Business: \n_**Core Business**_: Products and services that are related to buyers, sellers, trades and shops on in-scope domains.\n_**Normal Business**_: Products and services that are not related to buyers, sellers, trades and shops on in-scope domains.\n\nCore Business reports are rewarded according to the Level 1 table below, and Normal Business reports according to the Level 2 table.\n\n**Level 1**\n\n| Critical | High | Medium | Low |\n| ------------- | ------------- | ------------- | ------------- |\n| $2,500 - $3,250 | $1,000 - $1,300 | $100 - $150 | $30 - $50 |\n\n**Level 2**\n\n| Critical | High | Medium | Low |\n| ------------- | ------------- | ------------- | ------------- |\n| $1,000 - $1,300 | $400 - $520 | $50 - $80 | $20 - $30 |\n\n# Access\nResearchers are free to create their own seller, buyer, etc., accounts on the in-scope applications. No credentials or privileged access will be provided by Alibaba, so accounts are limited to what users can create on their own.\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. 
Only interact with accounts you own or with explicit permission of the account holder.\n\n# Scope\nFor the first stage of Alibaba's Bug Bounty Program, only listed targets are in scope. Other domains/assets owned by Alibaba but not listed are not in scope and are ineligible for bounty.\nYou may submit reports for assets that were previously listed in the Alibaba Response Program to the ASRC platform here: https://security.alibaba.com/ . We may add those assets gradually in the next program phase. Stay tuned for updates!\n\n## _Things to note about the Scope_\n\n**Please note that if an IP belongs to an external Alibaba Cloud customer, it is not in scope.**\n\nIf an IP's description contains 'Alicloud' or 'Aliyun' in the search result here: http://wq.apnic.net/static/search.html, there is a high chance this IP belongs to an external Alibaba Cloud customer, which is not in scope. But please note that this is only a reference, not a hard and fast rule. If you are not sure and the impact is severe enough, you can submit it, and we will look into your report ASAP.\n\n**Vulnerabilities in:**\n*.anydomain.com|cn/[*/]login.htm\n*.anydomain.com|cn/[*/]mini[*]login.htm\n*.anydomain.com|cn/[*/]icbu[*]login.htm\nor patterns like the above URLs\nwill be considered as only ONE valid report, because they share the same back-end service. Also, vulnerabilities in different params of the same URL are considered as ONE valid report.\nThe same vulnerability on different country sites is considered as ONE valid report.\n\n**Aliyuncs.com**\naliyuncs.com is not a 'trusted' domain in our business, so front-end vulnerabilities such as XSS, CSRF, Open Redirection etc. are not in scope. Server-side vulnerabilities are in scope.\n\n**RCE**\nRCE on Production Network Services: you can verify whether you are in the Production Network by running curl against http://ssrf.asrctest.com/. 
If the response contains 'ewScgt51auzKg', you are in the production network.\nRCE on other network services, such as a cloud server, will be no higher than High severity.\n\n**Stored XSS**\nOnly stored XSS (without user interaction) on the main shop page, item detail page or chat page (buyer to seller) can be High severity; all other kinds of stored XSS will be no higher than Medium severity.\n**Please note that the following vulnerability types will not be assessed higher than Medium severity:**\nVulnerabilities that require a user to visit a certain URL or an attacker-controlled URL, for example:\n\n* Reflected XSS\n* Stored XSS that requires the user to visit a certain URL or requires user interaction\n* CSRF\n* CORS\n* JSONP Hijacking\n* OAuth Hijacking\n* Privilege Escalation\n* Unused or abandoned subdomain takeover\n* Arbitrary file upload that only leads to Stored XSS etc.\n\n**Assessment Guidelines for SSRF Vulnerability Severity**\nAlibaba has identified four main types of SSRF for its businesses: \n1. SSRF on Production Network Services\n2. Blind SSRF on Production Network Services\n3. SSRF on Cloud Server\n4. Blind SSRF on Cloud Server\n\nPlease note that the severity of SSRFs may range from Low to Critical. We have prepared a document outlining how SSRF issues will be assessed, to give clarity to our researchers: https://security.alibaba.com/announcement/announcement?id=194.\n\n**Open source projects of Alibaba**\nOpen source projects of Alibaba and Aliyun on GitHub are NOT in this program's scope. 
If you find any vulnerabilities, you can report them on ASRC: https://security.alibaba.com/ .\n\n# Out of scope vulnerabilities\nThe following finding types are specifically excluded: \n* Vulnerabilities affecting users of outdated browsers or platforms\n* Account brute force\n* Account takeover via CSRF/OAuth etc.\n* Self-XSS\n* Flash-based XSS\n* Tabnabbing\n* Email spoofing\n* Session fixation\n* Content Spoofing\n* Missing cookie flags\n* Best practices/issues\n* HTML content injection\n* Mixed content warnings\n* Clickjacking/UI redressing\n* HTTPS/SSL/TLS related issues\n* Physical or social engineering attacks\n* Reflected file download attacks (RFD)\n* Issues that require unlikely user interaction\n* Login/logout/unauthenticated/low-impact CSRF\n* Unverified results of automated tools or scanners\n* No SPF/DMARC in non-email domains/subdomains\n* Attacks requiring MITM or physical access to a user's device\n* Issues related to networking protocols or industry standards\n* Carriage Return Line Feed injection without direct impact (CRLF)\n* Error information disclosure that cannot be used to make a direct attack\n* Missing security-related HTTP headers which do not lead directly to a vulnerability\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\n# Contacting the team\n* Reports: You can communicate with the H1 Team and ASRC Team directly under your H1 report.\n* Events \u0026 Info: ASRC holds events frequently. See: https://security.alibaba.com/online . 
You can also follow our [Twitter](https://twitter.com/asrcsecurity) for updates.\n\nThank you for helping keep Alibaba and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-07-05T09:27:57.449Z"},{"id":3653964,"new_policy":"Alibaba BBP looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.\n\n# Response Targets\nAlibaba BBP will make the best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 5 days |\n| Time to Bounty | 2 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Policy\n* Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Reward Level\nBecause Alibaba has a wide range of business running online, a certain kind of vulnerability may cause different impact on different businesses. 
To clarify this kind of impact, we have divided our business into 2 levels, Core Business and Normal Business: \n_**Core Business**_: Products and services that are related to buyers, sellers, trades and shops on in-scope domains.\n_**Normal Business**_: Products and services that are not related to buyers, sellers, trades and shops on in-scope domains.\n\nCore Business reports are rewarded according to the Level 1 table below, and Normal Business reports according to the Level 2 table.\n\n**Level 1**\n\n| Critical | High | Medium | Low |\n| ------------- | ------------- | ------------- | ------------- |\n| $2,500 - $3,250 | $1,000 - $1,300 | $100 - $150 | $30 - $50 |\n\n**Level 2**\n\n| Critical | High | Medium | Low |\n| ------------- | ------------- | ------------- | ------------- |\n| $1,000 - $1,300 | $400 - $520 | $50 - $80 | $20 - $30 |\n\n# Access\nResearchers are free to create their own seller, buyer, etc., accounts on the in-scope applications. No credentials or privileged access will be provided by Alibaba, so accounts are limited to what users can create on their own.\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. 
Only interact with accounts you own or with explicit permission of the account holder.\n\n# Scope\nFor the first stage of Alibaba's Bug Bounty Program, only listed targets are in scope. Other domains/assets owned by Alibaba but not listed are not in scope and are ineligible for bounty.\nYou may submit reports for assets that were previously listed in the Alibaba Response Program to the ASRC platform here: https://security.alibaba.com/ . We may add those assets gradually in the next program phase. Stay tuned for updates!\n\n## _Things to note about the Scope_\n\n**Please note that if an IP belongs to an external Alibaba Cloud customer, it is not in scope.**\n\nIf an IP's description contains 'Alicloud' or 'Aliyun' in the search result here: http://wq.apnic.net/static/search.html, there is a high chance this IP belongs to an external Alibaba Cloud customer, which is not in scope. But please note that this is only a reference, not a hard and fast rule. If you are not sure and the impact is severe enough, you can submit it, and we will look into your report ASAP.\n\n**Vulnerabilities in:**\n*.anydomain.com|cn/[*/]login.htm\n*.anydomain.com|cn/[*/]mini[*]login.htm\n*.anydomain.com|cn/[*/]icbu[*]login.htm\nor patterns like the above URLs\nwill be considered as only ONE valid report, because they share the same back-end service. Also, vulnerabilities in different params of the same URL are considered as ONE valid report.\nThe same vulnerability on different country sites is considered as ONE valid report.\n\n**Aliyuncs.com**\naliyuncs.com is not a 'trusted' domain in our business, so front-end vulnerabilities such as XSS, CSRF, Open Redirection etc. are not in scope. Server-side vulnerabilities are in scope.\n\n**RCE**\nRCE on Production Network Services: you can verify whether you are in the Production Network by running curl against http://ssrf.asrctest.com/. 
If the response contains 'ewScgt51auzKg', you are in the production network.\nRCE on other network services, such as a cloud server, will be no higher than High severity.\n\n**Stored XSS**\nOnly stored XSS (without user interaction) on the main shop page, item detail page or chat page (buyer to seller) can be High severity; all other kinds of stored XSS will be no higher than Medium severity.\n**Please note that the following vulnerability types will not be assessed higher than Medium severity:**\nVulnerabilities that require a user to visit a certain URL or an attacker-controlled URL, for example:\n\n* Reflected XSS\n* Stored XSS that requires the user to visit a certain URL or requires user interaction\n* CSRF\n* CORS\n* JSONP Hijacking\n* OAuth Hijacking\n* Privilege Escalation\n* Unused or abandoned subdomain takeover\n* Arbitrary file upload that only leads to Stored XSS etc.\n\n**Assessment Guidelines for SSRF Vulnerability Severity**\nAlibaba has identified four main types of SSRF for its businesses: \n1. SSRF on Production Network Services\n2. Blind SSRF on Production Network Services\n3. SSRF on Cloud Server\n4. Blind SSRF on Cloud Server\n\nPlease note that the severity of SSRFs may range from Low to Critical. 
We have prepared a document outlining how SSRF issues will be assessed, to give clarity to our researchers: https://security.alibaba.com/announcement/announcement?id=194.\n\n# Out of scope vulnerabilities\nThe following finding types are specifically excluded: \n* Vulnerabilities affecting users of outdated browsers or platforms\n* Account brute force\n* Account takeover via CSRF/OAuth etc.\n* Self-XSS\n* Flash-based XSS\n* Tabnabbing\n* Email spoofing\n* Session fixation\n* Content Spoofing\n* Missing cookie flags\n* Best practices/issues\n* HTML content injection\n* Mixed content warnings\n* Clickjacking/UI redressing\n* HTTPS/SSL/TLS related issues\n* Physical or social engineering attacks\n* Reflected file download attacks (RFD)\n* Issues that require unlikely user interaction\n* Login/logout/unauthenticated/low-impact CSRF\n* Unverified results of automated tools or scanners\n* No SPF/DMARC in non-email domains/subdomains\n* Attacks requiring MITM or physical access to a user's device\n* Issues related to networking protocols or industry standards\n* Carriage Return Line Feed injection without direct impact (CRLF)\n* Error information disclosure that cannot be used to make a direct attack\n* Missing security-related HTTP headers which do not lead directly to a vulnerability\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\n# Contacting the team\n* Reports: You can communicate with the H1 Team and ASRC Team directly under your H1 report.\n* Events \u0026 Info: ASRC holds events frequently. See: https://security.alibaba.com/online . 
You can also follow our [Twitter](https://twitter.com/asrcsecurity) for updates.\n\nThank you for helping keep Alibaba and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-06-28T07:02:38.929Z"},{"id":3652817,"new_policy":"Alibaba BBP looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.\n\n# Response Targets\nAlibaba BBP will make the best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 5 days |\n| Time to Bounty | 2 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Policy\n* Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Reward Level\nBecause Alibaba has a wide range of business running online, a certain kind of vulnerability may cause different impact on different businesses. 
To clarify this kind of impact, we have divided our business into 2 levels, Core Business and Normal Business:\n_**Core Business**_: Products and services that are related to buyers, sellers, trades and shops on in-scope domains.\n_**Normal Business**_: Products and services that are not related to buyers, sellers, trades and shops on in-scope domains.\n\nCore Business reports will be rewarded according to the first reward standard (Level 1) in the tables below, and Normal Business reports according to the second (Level 2).\n\n**Level 1**\n\n| Critical | High | Medium | Low |\n| ------------- | ------------- | ------------- | ------------- |\n| $2,500 - $3,250 | $1,000 - $1,300 | $100 - $150 | $30 - $50 |\n\n**Level 2**\n\n| Critical | High | Medium | Low |\n| ------------- | ------------- | ------------- | ------------- |\n| $1,000 - $1,300 | $400 - $520 | $50 - $80 | $20 - $30 |\n\n# Access\nResearchers are free to create their own seller, buyer, etc., accounts on the in-scope applications. No credentials or privileged access will be provided by Alibaba, so accounts are limited to what users can create on their own.\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. 
Only interact with accounts you own or with explicit permission of the account holder.\n\n# Scope\nFor the first stage of Alibaba's Bug Bounty Program, only listed targets are in scope. Other domains/assets owned by Alibaba but not listed are not in scope and are ineligible for bounty.\nYou may submit reports for assets that were previously listed in the Alibaba Response Program to the ASRC platform (https://security.alibaba.com/). We may add those assets gradually in the next program phase. Stay tuned for updates!\n\n## _Things to note about the Scope_\n\n**Please note that if an IP belongs to an external Alibaba Cloud customer, it's not in scope.**\n\nIf an IP's description contains 'Alicloud' or 'Aliyun' in the search result here: http://wq.apnic.net/static/search.html, there is a high chance this IP belongs to an external Alibaba Cloud customer, which is not in scope. But please note that this is only a reference, not a hard and fast rule. If you are not sure and the impact is severe enough, you can submit it, and we will look into your report ASAP.\n\n**sellercenter.taobao.com|.tw**\nsellercenter.taobao.com|.tw belongs to Lazada, and it's not in this program's scope now.\n\n**Vulnerabilities in:**\n*.anydomain.com|cn/[*/]login.htm\n*.anydomain.com|cn/[*/]mini[*]login.htm\n*.anydomain.com|cn/[*/]icbu[*]login.htm\nor patterns like the above URLs,\nwill be considered as only ONE valid report because they share the same back-end service. Also, vulnerabilities on different params of the same URL are considered ONE valid report.\nThe same vulnerability on different country sites is considered ONE valid report.\n\n**Aliyuncs.com**\naliyuncs.com is not a 'trusted' domain in our business, so front-end vulnerabilities on it (XSS, CSRF, Open Redirection etc.) are not in scope. But server-end vulnerabilities are in scope.\n\n**RCE**\nRCE on Production Network Services: you can verify whether you are in a Production Network by running curl http://ssrf.asrctest.com/. 
If the response contains 'ewScgt51auzKg', you are in the production network.\nRCE on other network services, such as a cloud server, will be rated no higher than High severity.\n\n**Stored XSS**\nOnly stored XSS (without user interaction) on the main shop page, item detail page or chat page (buyer to seller) can be rated High severity; all other kinds of stored XSS will be rated no higher than Medium severity.\n**Please note that the following types of vulnerability will not be assessed higher than Medium severity:**\nVulnerabilities that require the user to visit a certain URL or an attacker-controlled URL, for example:\n\n* Reflected XSS\n* Stored XSS that requires visiting a certain URL or other user interaction\n* CSRF\n* CORS\n* JSONP Hijacking\n* OAuth Hijacking\n* Privilege Escalation\n* Unused or abandoned subdomain takeover\n* Arbitrary file upload that only leads to Stored XSS etc.\n\n**Assessment Guidelines for SSRF Vulnerability Severity**\nAlibaba has identified four main types of SSRF for its businesses:\n1.SSRF on Production Network Services\n2.Blind SSRF on Production Network Services\n3.SSRF on Cloud Server\n4.Blind SSRF on Cloud Server\n\nPlease note that the severity of SSRFs may range from Low to Critical. 
We have prepared a document outlining how SSRF issues will be assessed and to give clarity to our researchers: https://security.alibaba.com/announcement/announcement?id=194.\n\n# Out of scope vulnerabilities\nThe following finding types are specifically excluded: \n* Vulnerabilities affecting users of outdated browsers or platforms\n* Account brute force\n* Account takeover via CSRF/OAUTH etc.\n* Self-XSS\n* Flash-based XSS\n* Tabnabbing\n* Email Spoof\n* Session fixation\n* Content Spoofing\n* Missing cookie flags\n* Best practices/issues\n* HTML content injection\n* Mixed content warnings\n* Clickjacking/UI redressing\n* HTTPS/SSL/TLS Related Issues\n* Physical or social engineering attacks\n* Reflected file download attacks (RFD)\n* Issues that require unlikely user interaction\n* Login/logout/unauthenticated/low-impact CSRF\n* Unverified Results of automated tools or scanners\n* No SPF/DMARC in non-email domains/subdomains\n* Attacks requiring MITM or physical access to a user's device\n* Issues related to networking protocols or industry standards\n* Carriage Return Line Feed injection without direct impact (CRLF)\n* Error information disclosure that cannot be used to make a direct attack\n* Missing security-related HTTP headers which do not lead directly to a vulnerability\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\n# Contacting the team\n* Reports: You can communicate with H1 Team and ASRC Team directly under your H1 report.\n* Events \u0026 Info: ASRC will hold events frequently. See: https://security.alibaba.com/online . 
You can also follow our [Twitter](https://twitter.com/asrcsecurity) for updates.\n\nThank you for helping keep Alibaba and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-05-28T09:04:59.787Z"},{"id":3652709,"new_policy":"Alibaba BBP looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.\n\n# Response Targets\nAlibaba BBP will make the best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 5 days |\n| Time to Bounty | 2 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Policy\n* Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Reward Level\nBecause Alibaba has a wide range of business running online, a certain kind of vulnerability may cause different impact on different businesses. 
To clarify this kind of impact, we have divided our business into 2 levels, Core Business and Normal Business:\n_**Core Business**_: Products and services that are related to buyers, sellers, trades and shops on in-scope domains.\n_**Normal Business**_: Products and services that are not related to buyers, sellers, trades and shops on in-scope domains.\n\nCore Business reports will be rewarded according to the first reward standard (Level 1) in the tables below, and Normal Business reports according to the second (Level 2).\n\n**Level 1**\n\n| Critical | High | Medium | Low |\n| ------------- | ------------- | ------------- | ------------- |\n| $2,500 - $3,250 | $1,000 - $1,300 | $100 - $150 | $30 - $50 |\n\n**Level 2**\n\n| Critical | High | Medium | Low |\n| ------------- | ------------- | ------------- | ------------- |\n| $1,000 - $1,300 | $400 - $520 | $50 - $80 | $20 - $30 |\n\n# Access\nResearchers are free to create their own seller, buyer, etc., accounts on the in-scope applications. No credentials or privileged access will be provided by Alibaba, so accounts are limited to what users can create on their own.\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. 
Only interact with accounts you own or with explicit permission of the account holder.\n\n# Scope\nFor the first stage of Alibaba's Bug Bounty Program, only listed targets are in scope. Other domains/assets owned by Alibaba but not listed are not in scope and are ineligible for bounty.\nYou may submit reports for assets that were previously listed in the Alibaba Response Program to the ASRC platform (https://security.alibaba.com/). We may add those assets gradually in the next program phase. Stay tuned for updates!\n\n## _Things to note about the Scope_\n\n**Please note that if an IP belongs to an external Alibaba Cloud customer, it's not in scope.**\n\nIf an IP's description contains 'Alicloud' or 'Aliyun' in the search result here: http://wq.apnic.net/static/search.html, there is a high chance this IP belongs to an external Alibaba Cloud customer, which is not in scope. But please note that this is only a reference, not a hard and fast rule. If you are not sure and the impact is severe enough, you can submit it, and we will look into your report ASAP.\n\n**sellercenter.taobao.com|.tw**\nsellercenter.taobao.com|.tw belongs to Lazada, and it's not in this program's scope now.\n\n**Vulnerabilities in:**\n*.anydomain.com|cn/[*/]login.htm\n*.anydomain.com|cn/[*/]mini[*]login.htm\n*.anydomain.com|cn/[*/]icbu[*]login.htm\nor patterns like the above URLs,\nwill be considered as only ONE valid report because they share the same back-end service. Also, vulnerabilities on different params of the same URL are considered ONE valid report.\n\n**Aliyuncs.com**\naliyuncs.com is not a 'trusted' domain in our business, so front-end vulnerabilities on it (XSS, CSRF, Open Redirection etc.) are not in scope. But server-end vulnerabilities are in scope.\n\n**RCE**\nRCE on Production Network Services: you can verify whether you are in a Production Network by running curl http://ssrf.asrctest.com/. 
If the response contains 'ewScgt51auzKg', you are in the production network.\nRCE on other network services, such as a cloud server, will be rated no higher than High severity.\n\n**Stored XSS**\nOnly stored XSS (without user interaction) on the main shop page, item detail page or chat page (buyer to seller) can be rated High severity; all other kinds of stored XSS will be rated no higher than Medium severity.\n**Please note that the following types of vulnerability will not be assessed higher than Medium severity:**\nVulnerabilities that require the user to visit a certain URL or an attacker-controlled URL, for example:\n\n* Reflected XSS\n* Stored XSS that requires visiting a certain URL or other user interaction\n* CSRF\n* CORS\n* JSONP Hijacking\n* OAuth Hijacking\n* Privilege Escalation\n* Unused or abandoned subdomain takeover\n* Arbitrary file upload that only leads to Stored XSS etc.\n\n**Assessment Guidelines for SSRF Vulnerability Severity**\nAlibaba has identified four main types of SSRF for its businesses:\n1.SSRF on Production Network Services\n2.Blind SSRF on Production Network Services\n3.SSRF on Cloud Server\n4.Blind SSRF on Cloud Server\n\nPlease note that the severity of SSRFs may range from Low to Critical. 
We have prepared a document outlining how SSRF issues will be assessed and to give clarity to our researchers: https://security.alibaba.com/announcement/announcement?id=194.\n\n# Out of scope vulnerabilities\nThe following finding types are specifically excluded: \n* Vulnerabilities affecting users of outdated browsers or platforms\n* Account brute force\n* Account takeover via CSRF/OAUTH etc.\n* Self-XSS\n* Flash-based XSS\n* Tabnabbing\n* Email Spoof\n* Session fixation\n* Content Spoofing\n* Missing cookie flags\n* Best practices/issues\n* HTML content injection\n* Mixed content warnings\n* Clickjacking/UI redressing\n* HTTPS/SSL/TLS Related Issues\n* Physical or social engineering attacks\n* Reflected file download attacks (RFD)\n* Issues that require unlikely user interaction\n* Login/logout/unauthenticated/low-impact CSRF\n* Unverified Results of automated tools or scanners\n* No SPF/DMARC in non-email domains/subdomains\n* Attacks requiring MITM or physical access to a user's device\n* Issues related to networking protocols or industry standards\n* Carriage Return Line Feed injection without direct impact (CRLF)\n* Error information disclosure that cannot be used to make a direct attack\n* Missing security-related HTTP headers which do not lead directly to a vulnerability\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\n# Contacting the team\n* Reports: You can communicate with H1 Team and ASRC Team directly under your H1 report.\n* Events \u0026 Info: ASRC will hold events frequently. See: https://security.alibaba.com/online . 
You can also follow our [Twitter](https://twitter.com/asrcsecurity) for updates.\n\nThank you for helping keep Alibaba and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-05-25T09:23:55.599Z"},{"id":3652708,"new_policy":"Alibaba BBP looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.\n\n# Response Targets\nAlibaba BBP will make the best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 5 days |\n| Time to Bounty | 2 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Policy\n* Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Reward Level\nBecause Alibaba has a wide range of business running online, a certain kind of vulnerability may cause different impact on different businesses. 
To clarify this kind of impact, we have divided our business into 2 levels, Core Business and Normal Business:\n_**Core Business**_: Products and services that are related to buyers, sellers, trades and shops on in-scope domains.\n_**Normal Business**_: Products and services that are not related to buyers, sellers, trades and shops on in-scope domains.\n\nCore Business reports will be rewarded according to the first line of the reward table, and Normal Business reports according to the second line.\n\n# Access\nResearchers are free to create their own seller, buyer, etc., accounts on the in-scope applications. No credentials or privileged access will be provided by Alibaba, so accounts are limited to what users can create on their own.\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n# Scope\nFor the first stage of Alibaba's Bug Bounty Program, only listed targets are in scope. Other domains/assets owned by Alibaba but not listed are not in scope and are ineligible for bounty.\nYou may submit reports for assets that were previously listed in the Alibaba Response Program to the ASRC platform (https://security.alibaba.com/). We may add those assets gradually in the next program phase. 
Stay tuned for updates!\n\n## _Things to note about the Scope_\n\n**Please note that if an IP belongs to an external Alibaba Cloud customer, it's not in scope.**\n\nIf an IP's description contains 'Alicloud' or 'Aliyun' in the search result here: http://wq.apnic.net/static/search.html, there is a high chance this IP belongs to an external Alibaba Cloud customer, which is not in scope. But please note that this is only a reference, not a hard and fast rule. If you are not sure and the impact is severe enough, you can submit it, and we will look into your report ASAP.\n\n**sellercenter.taobao.com|.tw**\nsellercenter.taobao.com|.tw belongs to Lazada, and it's not in this program's scope now.\n\n**Vulnerabilities in:**\n*.anydomain.com|cn/[*/]login.htm\n*.anydomain.com|cn/[*/]mini[*]login.htm\n*.anydomain.com|cn/[*/]icbu[*]login.htm\nor patterns like the above URLs,\nwill be considered as only ONE valid report because they share the same back-end service. Also, vulnerabilities on different params of the same URL are considered ONE valid report.\n\n**Aliyuncs.com**\naliyuncs.com is not a 'trusted' domain in our business, so front-end vulnerabilities on it (XSS, CSRF, Open Redirection etc.) are not in scope. But server-end vulnerabilities are in scope.\n\n**RCE**\nRCE on Production Network Services: you can verify whether you are in a Production Network by running curl http://ssrf.asrctest.com/. 
If the response contains 'ewScgt51auzKg', you are in the production network.\nRCE on other network services, such as a cloud server, will be rated no higher than High severity.\n\n**Stored XSS**\nOnly stored XSS (without user interaction) on the main shop page, item detail page or chat page (buyer to seller) can be rated High severity; all other kinds of stored XSS will be rated no higher than Medium severity.\n**Please note that the following types of vulnerability will not be assessed higher than Medium severity:**\nVulnerabilities that require the user to visit a certain URL or an attacker-controlled URL, for example:\n\n* Reflected XSS\n* Stored XSS that requires visiting a certain URL or other user interaction\n* CSRF\n* CORS\n* JSONP Hijacking\n* OAuth Hijacking\n* Privilege Escalation\n* Unused or abandoned subdomain takeover\n* Arbitrary file upload that only leads to Stored XSS etc.\n\n**Assessment Guidelines for SSRF Vulnerability Severity**\nAlibaba has identified four main types of SSRF for its businesses:\n1.SSRF on Production Network Services\n2.Blind SSRF on Production Network Services\n3.SSRF on Cloud Server\n4.Blind SSRF on Cloud Server\n\nPlease note that the severity of SSRFs may range from Low to Critical. 
We have prepared a document outlining how SSRF issues will be assessed and to give clarity to our researchers: https://security.alibaba.com/announcement/announcement?id=194.\n\n# Out of scope vulnerabilities\nThe following finding types are specifically excluded: \n* Vulnerabilities affecting users of outdated browsers or platforms\n* Account brute force\n* Account takeover via CSRF/OAUTH etc.\n* Self-XSS\n* Flash-based XSS\n* Tabnabbing\n* Email Spoof\n* Session fixation\n* Content Spoofing\n* Missing cookie flags\n* Best practices/issues\n* HTML content injection\n* Mixed content warnings\n* Clickjacking/UI redressing\n* HTTPS/SSL/TLS Related Issues\n* Physical or social engineering attacks\n* Reflected file download attacks (RFD)\n* Issues that require unlikely user interaction\n* Login/logout/unauthenticated/low-impact CSRF\n* Unverified Results of automated tools or scanners\n* No SPF/DMARC in non-email domains/subdomains\n* Attacks requiring MITM or physical access to a user's device\n* Issues related to networking protocols or industry standards\n* Carriage Return Line Feed injection without direct impact (CRLF)\n* Error information disclosure that cannot be used to make a direct attack\n* Missing security-related HTTP headers which do not lead directly to a vulnerability\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\n# Contacting the team\n* Reports: You can communicate with H1 Team and ASRC Team directly under your H1 report.\n* Events \u0026 Info: ASRC will hold events frequently. See: https://security.alibaba.com/online . 
You can also follow our [Twitter](https://twitter.com/asrcsecurity) for updates.\n\nThank you for helping keep Alibaba and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-05-25T09:20:27.904Z"},{"id":3652707,"new_policy":"Alibaba BBP looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.\n\n# Response Targets\nAlibaba BBP will make the best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 5 days |\n| Time to Bounty | 2 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Policy\n* Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Access\nResearchers are free to create their own seller, buyer, etc., accounts on the in-scope applications. No credentials or privileged access will be provided by Alibaba, so accounts are limited to what users can create on their own.\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. 
If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n# Scope\nFor the first stage of Alibaba's Bug Bounty Program, only listed targets are in scope. Other domains/assets owned by Alibaba but not listed are not in scope and are ineligible for bounty.\nYou may submit reports for assets that were previously listed in the Alibaba Response Program to the ASRC platform (https://security.alibaba.com/). We may add those assets gradually in the next program phase. Stay tuned for updates!\n\n## _Things to note about the Scope_\n\n**Please note that if an IP belongs to an external Alibaba Cloud customer, it's not in scope.**\n\nIf an IP's description contains 'Alicloud' or 'Aliyun' in the search result here: http://wq.apnic.net/static/search.html, there is a high chance this IP belongs to an external Alibaba Cloud customer, which is not in scope. But please note that this is only a reference, not a hard and fast rule. 
If you are not sure and the impact is severe enough, you can submit it, and we will look into your report ASAP.\n\n**sellercenter.taobao.com|.tw**\nsellercenter.taobao.com|.tw belongs to Lazada, and it's not in this program's scope now.\n\n**Vulnerabilities in:**\n*.anydomain.com|cn/[*/]login.htm\n*.anydomain.com|cn/[*/]mini[*]login.htm\n*.anydomain.com|cn/[*/]icbu[*]login.htm\nor patterns like the above URLs,\nwill be considered as only ONE valid report because they share the same back-end service. Also, vulnerabilities on different params of the same URL are considered ONE valid report.\n\n**Aliyuncs.com**\naliyuncs.com is not a 'trusted' domain in our business, so front-end vulnerabilities on it (XSS, CSRF, Open Redirection etc.) are not in scope. But server-end vulnerabilities are in scope.\n\n**RCE**\nRCE on Production Network Services: you can verify whether you are in a Production Network by running curl http://ssrf.asrctest.com/. If the response contains 'ewScgt51auzKg', you are in the production network.\nRCE on other network services, such as a cloud server, will be rated no higher than High severity.\n\n**Stored XSS**\nOnly stored XSS (without user interaction) on the main shop page, item detail page or chat page (buyer to seller) can be rated High severity; all other kinds of stored XSS will be rated no higher than Medium severity.\n**Please note that the following types of vulnerability will not be assessed higher than Medium severity:**\nVulnerabilities that require the user to visit a certain URL or an attacker-controlled URL, for example:\n\n* Reflected XSS\n* Stored XSS that requires visiting a certain URL or other user interaction\n* CSRF\n* CORS\n* JSONP Hijacking\n* OAuth Hijacking\n* Privilege Escalation\n* Unused or abandoned subdomain takeover\n* Arbitrary file upload that only leads to Stored XSS etc.\n\n**Assessment Guidelines for SSRF Vulnerability Severity**\nAlibaba has identified four main types of SSRF for its businesses:\n1.SSRF on Production Network Services\n2.Blind SSRF on Production 
Network Services\n3.SSRF on Cloud Server\n4.Blind SSRF on Cloud Server\n\nPlease note that the severity of SSRFs may range from low to critical. We have prepared a document outlining how SSRF issues will be assessed and to give clarity to our researchers: https://security.alibaba.com/announcement/announcement?id=194.\n\n# Out of scope vulnerabilities\nThe following finding types are specifically excluded: \n* Vulnerabilities affecting users of outdated browsers or platforms\n* Account brute force\n* Account takeover via CSRF/OAUTH etc.\n* Self-XSS\n* Flash-based XSS\n* Tabnabbing\n* Email Spoof\n* Session fixation\n* Content Spoofing\n* Missing cookie flags\n* Best practices/issues\n* HTML content injection\n* Mixed content warnings\n* Clickjacking/UI redressing\n* HTTPS/SSL/TLS Related Issues\n* Physical or social engineering attacks\n* Reflected file download attacks (RFD)\n* Issues that require unlikely user interaction\n* Login/logout/unauthenticated/low-impact CSRF\n* Unverified Results of automated tools or scanners\n* No SPF/DMARC in non-email domains/subdomains\n* Attacks requiring MITM or physical access to a user's device\n* Issues related to networking protocols or industry standards\n* Carriage Return Line Feed injection without direct impact (CRLF)\n* Error information disclosure that cannot be used to make a direct attack\n* Missing security-related HTTP headers which do not lead directly to a vulnerability\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\n# Contacting the team\n* Reports: You can communicate with H1 Team and ASRC Team directly under your H1 report.\n* Events \u0026 Info: ASRC will hold events frequently. See: https://security.alibaba.com/online . You can also follow our [Twitter](https://twitter.com/asrcsecurity) for updates.\n\nThank you for helping keep Alibaba and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-05-25T09:19:12.932Z"},{"id":3647415,"new_policy":"Hall of fame of Project Apollo:\n\n| Rank | Nick | Points |\n| ------------- | ------------- | ------------- |\n| 1 | 猪肉包子 | 600 |\n| 2 | nittq | 500 |\n| 2 | 24msh | 500 |\n| 4 | 黎蔓147 | 300 |\n| 4 | 7月夏季 | 300 |\n| 6 | 菜菜子是凶手 | 200 |\n| 7 | 梦亦黯幻 | 100 |\n| 7 | 错空 | 100 |\n| 7 | Zeeshan | 100 |\n| 7 | yuyan-sec | 100 |\n| 7 | TheGrandPew | 100 |\n| 7 | terjanq | 100 |\n| 7 | RyotaK | 100 |\n| 7 | renwa | 100 |\n| 7 | hetroublemaker | 100 |\n| 7 | daedalus | 100 |\n| 7 | 错空 | 100 |\n| 7 | Huuuuu | 100 |\n\nAlibaba BBP looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.\n\n# Response Targets\nAlibaba BBP will make the best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 5 days |\n| Time to Bounty | 2 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress 
throughout the process.\n\n# Disclosure Policy\n* As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Access\nResearchers are free to create their own seller, buyer, etc., accounts on the in-scope applications. No credentials or privileged access will be provided by Alibaba, so accounts are limited to what users can create on their own.\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n# Scope\nFor the first stage of Alibaba's Bug Bounty Program, only listed targets are in scope. \nOther domains/assets owned by Alibaba but not listed are not in scope and are ineligible for bounty.\n\nYou may submit reports for assets that were previously listed in the [Alibaba Response Program](https://hackerone.com/alibaba_vdp) to the ASRC platform here: https://security.alibaba.com/\nWe may add those assets gradually in the next program phase. Stay tuned for updates!\n\n## _Things to note about the Scope_\n\n### Lazada scope\nLazada has revised its scope, which now includes ALL Lazada domains. 
These are:\n*.lazada.com\n*.lazada.sg\n*.lazada.vn\n*.lazada.com.my\n*.lazada.com.ph\n*.lazada.co.id\n*.lazada.co.th\n\n### Please note that if an IP belongs to an external Alibaba Cloud customer, it is not in scope.\nIf an IP's description contains 'Alicloud' or 'Aliyun' in the search result here: http://wq.apnic.net/static/search.html , there is a high chance this IP belongs to an external Alibaba Cloud customer, which is not in scope. But please note that this is only a reference, not a hard and fast rule. If you are not sure and the impact is severe enough, you can submit it, and we will look into your report ASAP. \n\n### sellercenter.taobao.com|.tw\nsellercenter.taobao.com|.tw belongs to Lazada, and it is not in this program's scope now.\n\n### Vulnerabilities in:\n \\*.anydomain.com|cn/[\\*/]login.htm\n \\*.anydomain.com|cn/[\\*/]mini[\\*]login.htm\n \\*.anydomain.com|cn/[\\*/]icbu[\\*]login.htm\nor URLs matching patterns like the above\nwill be considered as only ONE valid report, because they share the same back-end service. Also, vulnerabilities in different parameters of the same URL are considered ONE valid report. \n\n### Aliyuncs.com\naliyuncs.com is not a 'trusted' domain in our business, so front-end vulnerabilities on it (XSS, CSRF, Open Redirection, etc.) are not in scope. 
But server-side vulnerabilities are in scope.\n\n### Please note that the following vulnerability types will not be assessed higher than Medium severity:\nVulnerabilities that require a user to visit a certain URL or an attacker-controlled URL, for example: \n- Reflected XSS\n- Stored XSS that requires visiting a certain URL or user interaction\n- CSRF\n- CORS\n- JSONP Hijacking\n- OAuth Hijacking\n- Privilege Escalation\n- Unused or abandoned subdomain takeover\n- Arbitrary file upload that only leads to Stored XSS, etc.\n\n## Assessment Guidelines for SSRF Vulnerability Severity\nAlibaba has identified four main types of SSRF for its businesses:\n1. SSRF on Production Network Services\n2. Blind SSRF on Production Network Services\n3. SSRF on Cloud Server\n4. Blind SSRF on Cloud Server\n\nPlease note that the severity of SSRFs may range from low to critical. We have prepared a document outlining how SSRF issues will be assessed, to give clarity to our researchers: https://security.alibaba.com/announcement/announcement?id=194.\n\n# Out of scope vulnerabilities\nThe following finding types are specifically excluded:\n* Vulnerabilities affecting users of outdated browsers or platforms\n* Account brute force\n* Account takeover via CSRF/OAuth etc.\n* Self-XSS\n* Flash-based XSS\n* Tabnabbing\n* Email Spoofing\n* Session fixation\n* Content Spoofing\n* Missing cookie flags\n* Best practices/issues\n* HTML content injection\n* Mixed content warnings\n* Clickjacking/UI redressing\n* HTTPS/SSL/TLS Related Issues\n* Physical or social engineering attacks\n* Reflected file download attacks (RFD)\n* Issues that require unlikely user interaction\n* Login/logout/unauthenticated/low-impact CSRF\n* Unverified Results of automated tools or scanners\n* No SPF/DMARC in non-email domains/subdomains\n* Attacks requiring MITM or physical access to a user's device\n* Issues related to networking protocols or industry standards\n* Carriage Return Line Feed injection without direct impact 
(CRLF)\n* Error information disclosure that cannot be used to make a direct attack\n* Missing security-related HTTP headers which do not lead directly to a vulnerability\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\n# Contacting the team\n* Reports: You can communicate with H1 Team and ASRC Team directly under your H1 report.\n* Events \u0026 Info: ASRC will hold events frequently. See: https://security.alibaba.com/online . You can also follow our [Twitter](https://twitter.com/asrcsecurity) for updates.\n\nThank you for helping keep Alibaba and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-12-31T05:38:56.450Z"},{"id":3647414,"new_policy":"Hall of fame of Project Apollo：\nHall of fame：\n\n| Rank | Nick | Points |\n| ------------- | ------------- |------------- |\n| 1 | 猪肉包子 | 600 |\n| 2 | nittq | 500 |\n| 2 | 24msh | 500 |\n| 4 | 黎蔓147\t| 300 |\n| 4 | 7月夏季\t| 300 |\n| 6 | 菜菜子是凶手\t| 200 |\n| 7 | 梦亦黯幻\t| 100 |\n| 7 | 错空 | 100 |\n| 7 | Zeeshan | 100 |\n| 7 | yuyan-sec | 100 |\n| 7 | TheGrandPew | 100 |\n| 7 | terjanq | 100 |\n| 7 | RyotaK | 100 |\n| 7 | renwa | 100 |\n| 7 | hetroublemaker | 100 |\n| 7 | daedalus | 100 |\n| 7 | 错空 | 100 |\n| 7 | Huuuuu | 100 |\n\n\n\n\n\n\nAlibaba BBP looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.\n\n# Response Targets\nAlibaba BBP will make the best 
effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 5 days |\n| Time to Bounty | 2 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Policy\n* As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Access\nResearchers are free to create their own seller, buyer, etc., accounts on the in-scope applications. No credentials or privileged access will be provided by Alibaba, so accounts are limited to what users can create on their own.\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n# Scope\nFor the first stage of Alibaba's Bug Bounty Program, only listed targets are in scope. 
\nOther domains/assets owned by Alibaba but not listed are not in scope and are ineligible for bounty.\n\nYou may submit reports for assets that were previously listed in the [Alibaba Response Program](https://hackerone.com/alibaba_vdp) to the ASRC platform here: https://security.alibaba.com/\nWe may add those assets gradually in the next program phase. Stay tuned for updates!\n\n## _Things to note about the Scope_\n\n### Lazada scope\nLazada has revised its scope, which now includes ALL Lazada domains. These are:\n*.lazada.com\n*.lazada.sg\n*.lazada.vn\n*.lazada.com.my\n*.lazada.com.ph\n*.lazada.co.id\n*.lazada.co.th\n\n### Please note that if an IP belongs to an external Alibaba Cloud customer, it is not in scope.\nIf an IP's description contains 'Alicloud' or 'Aliyun' in the search result here: http://wq.apnic.net/static/search.html , there is a high chance this IP belongs to an external Alibaba Cloud customer, which is not in scope. But please note that this is only a reference, not a hard and fast rule. If you are not sure and the impact is severe enough, you can submit it, and we will look into your report ASAP. \n\n### sellercenter.taobao.com|.tw\nsellercenter.taobao.com|.tw belongs to Lazada, and it is not in this program's scope now.\n\n### Vulnerabilities in:\n \\*.anydomain.com|cn/[\\*/]login.htm\n \\*.anydomain.com|cn/[\\*/]mini[\\*]login.htm\n \\*.anydomain.com|cn/[\\*/]icbu[\\*]login.htm\nor URLs matching patterns like the above\nwill be considered as only ONE valid report, because they share the same back-end service. Also, vulnerabilities in different parameters of the same URL are considered ONE valid report. \n\n### Aliyuncs.com\naliyuncs.com is not a 'trusted' domain in our business, so front-end vulnerabilities on it (XSS, CSRF, Open Redirection, etc.) are not in scope. 
But server-side vulnerabilities are in scope.\n\n### Please note that the following vulnerability types will not be assessed higher than Medium severity:\nVulnerabilities that require a user to visit a certain URL or an attacker-controlled URL, for example: \n- Reflected XSS\n- Stored XSS that requires visiting a certain URL or user interaction\n- CSRF\n- CORS\n- JSONP Hijacking\n- OAuth Hijacking\n- Privilege Escalation\n- Unused or abandoned subdomain takeover\n- Arbitrary file upload that only leads to Stored XSS, etc.\n\n## Assessment Guidelines for SSRF Vulnerability Severity\nAlibaba has identified four main types of SSRF for its businesses:\n1. SSRF on Production Network Services\n2. Blind SSRF on Production Network Services\n3. SSRF on Cloud Server\n4. Blind SSRF on Cloud Server\n\nPlease note that the severity of SSRFs may range from low to critical. We have prepared a document outlining how SSRF issues will be assessed, to give clarity to our researchers: https://security.alibaba.com/announcement/announcement?id=194.\n\n# Out of scope vulnerabilities\nThe following finding types are specifically excluded:\n* Vulnerabilities affecting users of outdated browsers or platforms\n* Account brute force\n* Account takeover via CSRF/OAuth etc.\n* Self-XSS\n* Flash-based XSS\n* Tabnabbing\n* Email Spoofing\n* Session fixation\n* Content Spoofing\n* Missing cookie flags\n* Best practices/issues\n* HTML content injection\n* Mixed content warnings\n* Clickjacking/UI redressing\n* HTTPS/SSL/TLS Related Issues\n* Physical or social engineering attacks\n* Reflected file download attacks (RFD)\n* Issues that require unlikely user interaction\n* Login/logout/unauthenticated/low-impact CSRF\n* Unverified Results of automated tools or scanners\n* No SPF/DMARC in non-email domains/subdomains\n* Attacks requiring MITM or physical access to a user's device\n* Issues related to networking protocols or industry standards\n* Carriage Return Line Feed injection without direct impact 
(CRLF)\n* Error information disclosure that cannot be used to make a direct attack\n* Missing security-related HTTP headers which do not lead directly to a vulnerability\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\n# Contacting the team\n* Reports: You can communicate with H1 Team and ASRC Team directly under your H1 report.\n* Events \u0026 Info: ASRC will hold events frequently. See: https://security.alibaba.com/online . You can also follow our [Twitter](https://twitter.com/asrcsecurity) for updates.\n\nThank you for helping keep Alibaba and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-12-31T05:38:24.110Z"},{"id":3647413,"new_policy":"Hall of fame of Project Apollo：\nHall of fame：\n\n| Rank | Nick | Points |\n| ------------- | ------------- | ------------- |\n| 1 | 猪肉包子 | 600 |\n| 2 | nittq | 500 |\n| 2 | 24msh | 500 |\n| 4 | 黎蔓147\t| 300 |\n| 4 | 7月夏季\t| 300 |\n| 6 | 菜菜子是凶手\t| 200 |\n| 7 | 梦亦黯幻\t| 100 |\n| 7 | 错空 | 100 |\n| 7 | Zeeshan | 100 |\n| 7 | yuyan-sec | 100 |\n| 7 | TheGrandPew | 100 |\n| 7 | terjanq | 100 |\n| 7 | RyotaK | 100 |\n| 7 | renwa | 100 |\n| 7 | hetroublemaker | 100 |\n| 7 | daedalus | 100 |\n| 7 | 错空 | 100 |\n| 7 | Huuuuu | 100 |\n\n\n\n\n\n\nAlibaba BBP looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.\n\n# Response Targets\nAlibaba BBP will make the best effort to meet the 
following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 5 days |\n| Time to Bounty | 2 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Policy\n* As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Access\nResearchers are free to create their own seller, buyer, etc., accounts on the in-scope applications. No credentials or privileged access will be provided by Alibaba, so accounts are limited to what users can create on their own.\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n# Scope\nFor the first stage of Alibaba's Bug Bounty Program, only listed targets are in scope. 
\nOther domains/assets owned by Alibaba but not listed are not in scope and are ineligible for bounty.\n\nYou may submit reports for assets that were previously listed in the [Alibaba Response Program](https://hackerone.com/alibaba_vdp) to the ASRC platform here: https://security.alibaba.com/\nWe may add those assets gradually in the next program phase. Stay tuned for updates!\n\n## _Things to note about the Scope_\n\n### Lazada scope\nLazada has revised its scope, which now includes ALL Lazada domains. These are:\n*.lazada.com\n*.lazada.sg\n*.lazada.vn\n*.lazada.com.my\n*.lazada.com.ph\n*.lazada.co.id\n*.lazada.co.th\n\n### Please note that if an IP belongs to an external Alibaba Cloud customer, it is not in scope.\nIf an IP's description contains 'Alicloud' or 'Aliyun' in the search result here: http://wq.apnic.net/static/search.html , there is a high chance this IP belongs to an external Alibaba Cloud customer, which is not in scope. But please note that this is only a reference, not a hard and fast rule. If you are not sure and the impact is severe enough, you can submit it, and we will look into your report ASAP. \n\n### sellercenter.taobao.com|.tw\nsellercenter.taobao.com|.tw belongs to Lazada, and it is not in this program's scope now.\n\n### Vulnerabilities in:\n \\*.anydomain.com|cn/[\\*/]login.htm\n \\*.anydomain.com|cn/[\\*/]mini[\\*]login.htm\n \\*.anydomain.com|cn/[\\*/]icbu[\\*]login.htm\nor URLs matching patterns like the above\nwill be considered as only ONE valid report, because they share the same back-end service. Also, vulnerabilities in different parameters of the same URL are considered ONE valid report. \n\n### Aliyuncs.com\naliyuncs.com is not a 'trusted' domain in our business, so front-end vulnerabilities on it (XSS, CSRF, Open Redirection, etc.) are not in scope. 
But server-side vulnerabilities are in scope.\n\n### Please note that the following vulnerability types will not be assessed higher than Medium severity:\nVulnerabilities that require a user to visit a certain URL or an attacker-controlled URL, for example: \n- Reflected XSS\n- Stored XSS that requires visiting a certain URL or user interaction\n- CSRF\n- CORS\n- JSONP Hijacking\n- OAuth Hijacking\n- Privilege Escalation\n- Unused or abandoned subdomain takeover\n- Arbitrary file upload that only leads to Stored XSS, etc.\n\n## Assessment Guidelines for SSRF Vulnerability Severity\nAlibaba has identified four main types of SSRF for its businesses:\n1. SSRF on Production Network Services\n2. Blind SSRF on Production Network Services\n3. SSRF on Cloud Server\n4. Blind SSRF on Cloud Server\n\nPlease note that the severity of SSRFs may range from low to critical. We have prepared a document outlining how SSRF issues will be assessed, to give clarity to our researchers: https://security.alibaba.com/announcement/announcement?id=194.\n\n# Out of scope vulnerabilities\nThe following finding types are specifically excluded:\n* Vulnerabilities affecting users of outdated browsers or platforms\n* Account brute force\n* Account takeover via CSRF/OAuth etc.\n* Self-XSS\n* Flash-based XSS\n* Tabnabbing\n* Email Spoofing\n* Session fixation\n* Content Spoofing\n* Missing cookie flags\n* Best practices/issues\n* HTML content injection\n* Mixed content warnings\n* Clickjacking/UI redressing\n* HTTPS/SSL/TLS Related Issues\n* Physical or social engineering attacks\n* Reflected file download attacks (RFD)\n* Issues that require unlikely user interaction\n* Login/logout/unauthenticated/low-impact CSRF\n* Unverified Results of automated tools or scanners\n* No SPF/DMARC in non-email domains/subdomains\n* Attacks requiring MITM or physical access to a user's device\n* Issues related to networking protocols or industry standards\n* Carriage Return Line Feed injection without direct impact 
(CRLF)\n* Error information disclosure that cannot be used to make a direct attack\n* Missing security-related HTTP headers which do not lead directly to a vulnerability\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\n# Contacting the team\n* Reports: You can communicate with H1 Team and ASRC Team directly under your H1 report.\n* Events \u0026 Info: ASRC will hold events frequently. See: https://security.alibaba.com/online . You can also follow our [Twitter](https://twitter.com/asrcsecurity) for updates.\n\nThank you for helping keep Alibaba and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-12-31T05:37:40.201Z"},{"id":3647412,"new_policy":"Hall of fame of Project Apollo：\nHall of fame：\n\n| Rank | Nick | Points |\n| ------------- | ------------- | ------------- |\n| 1 | 猪肉包子 | 600 |\n| 2 | nittq | 500 |\n| 2 | 24msh | 500 |\n| 4 | 黎蔓147\t| 300 |\n| 4 | 7月夏季\t| 300 |\n| 6 | 菜菜子是凶手\t| 200 |\n| 7 | 梦亦黯幻\t| 100 |\n| 7 | 错空 | 100 |\n| 7 | Zeeshan | 100 |\n| 7 | yuyan-sec | 100 |\n| 7 | TheGrandPew | 100 |\n| 7 | terjanq | 100 |\n| 7 | RyotaK | 100 |\n| 7 | renwa | 100 |\n| 7 | hetroublemaker | 100 |\n| 7 | daedalus | 100 |\n| 7 | 错空 | 100 |\n| 7 | Huuuuu | 100 |\n\n\n\n\n\n\nAlibaba BBP looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.\n\n# Response Targets\nAlibaba BBP will make the best effort to meet the 
following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 5 days |\n| Time to Bounty | 2 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Policy\n* As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Access\nResearchers are free to create their own seller, buyer, etc., accounts on the in-scope applications. No credentials or privileged access will be provided by Alibaba, so accounts are limited to what users can create on their own.\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n# Scope\nFor the first stage of Alibaba's Bug Bounty Program, only listed targets are in scope. 
\nOther domains/assets owned by Alibaba but not listed are not in scope and are ineligible for bounty.\n\nYou may submit reports for assets that were previously listed in the [Alibaba Response Program](https://hackerone.com/alibaba_vdp) to the ASRC platform here: https://security.alibaba.com/\nWe may add those assets gradually in the next program phase. Stay tuned for updates!\n\n## _Things to note about the Scope_\n\n### Lazada scope\nLazada has revised its scope, which now includes ALL Lazada domains. These are:\n*.lazada.com\n*.lazada.sg\n*.lazada.vn\n*.lazada.com.my\n*.lazada.com.ph\n*.lazada.co.id\n*.lazada.co.th\n\n### Please note that if an IP belongs to an external Alibaba Cloud customer, it is not in scope.\nIf an IP's description contains 'Alicloud' or 'Aliyun' in the search result here: http://wq.apnic.net/static/search.html , there is a high chance this IP belongs to an external Alibaba Cloud customer, which is not in scope. But please note that this is only a reference, not a hard and fast rule. If you are not sure and the impact is severe enough, you can submit it, and we will look into your report ASAP. \n\n### sellercenter.taobao.com|.tw\nsellercenter.taobao.com|.tw belongs to Lazada, and it is not in this program's scope now.\n\n### Vulnerabilities in:\n \\*.anydomain.com|cn/[\\*/]login.htm\n \\*.anydomain.com|cn/[\\*/]mini[\\*]login.htm\n \\*.anydomain.com|cn/[\\*/]icbu[\\*]login.htm\nor URLs matching patterns like the above\nwill be considered as only ONE valid report, because they share the same back-end service. Also, vulnerabilities in different parameters of the same URL are considered ONE valid report. \n\n### Aliyuncs.com\naliyuncs.com is not a 'trusted' domain in our business, so front-end vulnerabilities on it (XSS, CSRF, Open Redirection, etc.) are not in scope. 
But server-side vulnerabilities are in scope.\n\n### Please note that the following vulnerability types will not be assessed higher than Medium severity:\nVulnerabilities that require a user to visit a certain URL or an attacker-controlled URL, for example: \n- Reflected XSS\n- Stored XSS that requires visiting a certain URL or user interaction\n- CSRF\n- CORS\n- JSONP Hijacking\n- OAuth Hijacking\n- Privilege Escalation\n- Unused or abandoned subdomain takeover\n- Arbitrary file upload that only leads to Stored XSS, etc.\n\n## Assessment Guidelines for SSRF Vulnerability Severity\nAlibaba has identified four main types of SSRF for its businesses:\n1. SSRF on Production Network Services\n2. Blind SSRF on Production Network Services\n3. SSRF on Cloud Server\n4. Blind SSRF on Cloud Server\n\nPlease note that the severity of SSRFs may range from low to critical. We have prepared a document outlining how SSRF issues will be assessed, to give clarity to our researchers: https://security.alibaba.com/announcement/announcement?id=194.\n\n# Out of scope vulnerabilities\nThe following finding types are specifically excluded:\n* Vulnerabilities affecting users of outdated browsers or platforms\n* Account brute force\n* Account takeover via CSRF/OAuth etc.\n* Self-XSS\n* Flash-based XSS\n* Tabnabbing\n* Email Spoofing\n* Session fixation\n* Content Spoofing\n* Missing cookie flags\n* Best practices/issues\n* HTML content injection\n* Mixed content warnings\n* Clickjacking/UI redressing\n* HTTPS/SSL/TLS Related Issues\n* Physical or social engineering attacks\n* Reflected file download attacks (RFD)\n* Issues that require unlikely user interaction\n* Login/logout/unauthenticated/low-impact CSRF\n* Unverified Results of automated tools or scanners\n* No SPF/DMARC in non-email domains/subdomains\n* Attacks requiring MITM or physical access to a user's device\n* Issues related to networking protocols or industry standards\n* Carriage Return Line Feed injection without direct impact 
(CRLF)\n* Error information disclosure that cannot be used to make a direct attack\n* Missing security-related HTTP headers which do not lead directly to a vulnerability\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\n# Contacting the team\n* Reports: You can communicate with H1 Team and ASRC Team directly under your H1 report.\n* Events \u0026 Info: ASRC will hold events frequently. See: https://security.alibaba.com/online . You can also follow our [Twitter](https://twitter.com/asrcsecurity) for updates.\n\nThank you for helping keep Alibaba and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-12-31T05:36:56.629Z"},{"id":3647166,"new_policy":"Alibaba BBP looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.\n\n# Response Targets\nAlibaba BBP will make the best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 5 days |\n| Time to Bounty | 2 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Policy\n* As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program 
without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Access\nResearchers are free to create their own seller, buyer, etc., accounts on the in-scope applications. No credentials or privileged access will be provided by Alibaba, so accounts are limited to what users can create on their own.\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n# Scope\nFor the first stage of Alibaba's Bug Bounty Program, only listed targets are in scope. \nOther domains/assets owned by Alibaba but not listed are not in scope and are ineligible for bounty.\n\nYou may submit reports for assets that were previously listed in the [Alibaba Response Program](https://hackerone.com/alibaba_vdp) to the ASRC platform here: https://security.alibaba.com/\nWe may add those assets gradually in the next program phase. Stay tuned for updates!\n\n## _Things to note about the Scope_\n\n### Lazada scope\nLazada has revised its scope, which now includes ALL Lazada domains. 
These are:\n*.lazada.com\n*.lazada.sg\n*.lazada.vn\n*.lazada.com.my\n*.lazada.com.ph\n*.lazada.co.id\n*.lazada.co.th\n\n### Please note that if an IP belongs to an external Alibaba Cloud customer, it is not in scope.\nIf an IP's description contains 'Alicloud' or 'Aliyun' in the search result here: http://wq.apnic.net/static/search.html , there is a high chance this IP belongs to an external Alibaba Cloud customer, which is not in scope. But please note that this is only a reference, not a hard and fast rule. If you are not sure and the impact is severe enough, you can submit it, and we will look into your report ASAP. \n\n### sellercenter.taobao.com|.tw\nsellercenter.taobao.com|.tw belongs to Lazada, and it is not in this program's scope now.\n\n### Vulnerabilities in:\n \\*.anydomain.com|cn/[\\*/]login.htm\n \\*.anydomain.com|cn/[\\*/]mini[\\*]login.htm\n \\*.anydomain.com|cn/[\\*/]icbu[\\*]login.htm\nor URLs matching patterns like the above\nwill be considered as only ONE valid report, because they share the same back-end service. Also, vulnerabilities in different parameters of the same URL are considered ONE valid report. \n\n### Aliyuncs.com\naliyuncs.com is not a 'trusted' domain in our business, so front-end vulnerabilities on it (XSS, CSRF, Open Redirection, etc.) are not in scope. 
But server-side vulnerabilities are in scope.\n\n### Please note that the following vulnerability types will not be assessed higher than Medium severity:\nVulnerabilities that require a user to visit a certain URL or an attacker-controlled URL, for example:\n- Reflected XSS\n- Stored XSS that requires visiting a certain URL or user interaction\n- CSRF\n- CORS\n- JSONP Hijacking\n- OAuth Hijacking\n- Privilege Escalation\n- Unused or abandoned subdomain takeover\n- Arbitrary file upload that only leads to Stored XSS etc.\n\n## Assessment Guidelines for SSRF Vulnerability Severity\nAlibaba has identified four main types of SSRF for its businesses:\n1. SSRF on Production Network Services\n2. Blind SSRF on Production Network Services\n3. SSRF on Cloud Server\n4. Blind SSRF on Cloud Server\n\nPlease note that the severity of SSRFs may range from low to critical. We have prepared a document outlining how SSRF issues will be assessed, to give clarity to our researchers: https://security.alibaba.com/announcement/announcement?id=194.\n\n# Out of scope vulnerabilities\nThe following finding types are specifically excluded:\n· Vulnerabilities affecting users of outdated browsers or platforms\n· Account brute force\n· Account takeover via CSRF/OAuth etc.\n· Self-XSS\n· Flash-based XSS\n· Tabnabbing\n· Email spoofing\n· Session fixation\n· Content spoofing\n· Missing cookie flags\n· Best practices/issues\n· HTML content injection\n· Mixed content warnings\n· Clickjacking/UI redressing\n· HTTPS/SSL/TLS related issues\n· Physical or social engineering attacks\n· Reflected file download attacks (RFD)\n· Issues that require unlikely user interaction\n· Login/logout/unauthenticated/low-impact CSRF\n· Unverified results of automated tools or scanners\n· No SPF/DMARC in non-email domains/subdomains\n· Attacks requiring MITM or physical access to a user's device\n· Issues related to networking protocols or industry standards\n· Carriage Return Line Feed injection without direct impact 
(CRLF)\n· Error information disclosure that cannot be used to make a direct attack\n· Missing security-related HTTP headers which do not lead directly to a vulnerability\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct, and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\n# Contacting the team\n* Reports: You can communicate with the H1 Team and the ASRC Team directly under your H1 report.\n* Events \u0026 Info: ASRC will hold events frequently. See: https://security.alibaba.com/online . You can also follow our [Twitter](https://twitter.com/asrcsecurity) for updates.\n\nThank you for helping keep Alibaba and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-12-28T04:00:24.075Z"},{"id":3646903,"new_policy":"Dear researchers,\n\nASRC will be holding a special Project Apollo - WAF challenge game beginning 16 December 2020.\n\nWe will set up 6 target range websites for SQL injection and XSS, with WAF defences. 
If you can successfully bypass the defense we have put up, you will be eligible for a reward and swag, and also earn a place in the hall of fame.\n\n## Project Apollo - Challenge Game Period\n**_16th December 2020, 10:00 AM to 25th December 2020, 11:59 PM (UTC+8)_**\n\n## Rewards\n* $300 per new \u0026 recognized effective bypass method (ONLY the earliest submission will be rewarded, not the duplicates)\n* 100 game points per recognized effective bypass method\n* Top 3 players will get an ASRC souvenir package\n\n## Challenge Game instructions\n\n* XSS targets: 3 websites with different languages and databases\n    1. **Successful Bypass:** Please use the latest Chrome/Firefox Stable version, and successfully execute alert/confirm/prompt in the target domain.\n    2. **Attention:** Executing alert in another domain is not in scope; GET XSS, POST XSS and interactive XSS are all in scope.\n\n* SQL targets: 3 websites with different languages and databases\n    1. **Successful Bypass:** A known database table name will be given; please bypass the defense to read it\n    2. 
**Attention:** Showing the error code is not a successful bypass; please try to read the table name with code injection\n\nEnvironment: PHP + MySQL, JAVA + Oracle, ASP.NET + MSSQL\n\n## _Web targets to bypass [UPDATED 16 Dec, 10:00AM UTC+8]_\n**PHP + MySQL**\n* Target 1: http://game1.aliyundemo.com/demo/xss.php?name=glassy (XSS)\n* Target 2: http://game1.aliyundemo.com/demo/sqli.php?name=glassy (SQLi)\n    * Table name to look out for: *information_schema.tables*\n\n**JAVA + Oracle**\n* Target 3: http://game2.aliyundemo.com/demo/xss?name=glassy (XSS)\n* Target 4: http://game2.aliyundemo.com/demo/sqli?name=glassy (SQLi)\n    * Table name to look out for: *dba_objects*\n\n**ASP.NET + MSSQL**\n* Target 5: http://game3.aliyundemo.com/demo/xss.aspx?name=glassy (XSS)\n* Target 6: http://game3.aliyundemo.com/demo/sqli.aspx?name=glassy (SQLi)\n    * Table name to look out for: *sysobjects*\n\n## Report submission\n1. Please name your report \"Apollo Challenge - xxxxxxx\"\n2. Your OS and browser versions: Example - Win7 + Chrome 85.0.4188\n3. PoC: Example - xxxxx.com/xxxx?id=alert;a(1)\n4. Sample description: Example - can easily bypass with detection leak of ';'\n5. Screenshot\n\n## Things to note\n1. If one method can be used to bypass all 3 targets, it will only be counted as one bypass\n2. 
Please do not disclose your reports without permission.\n\nGood luck!\n\n-------------------------------------------------------------------------------------------\n\nAlibaba BBP looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.\n\n# Response Targets\nAlibaba BBP will make the best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 5 days |\n| Time to Bounty | 2 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Policy\n* As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Access\nResearchers are free to create their own seller, buyer, etc., accounts on the in-scope applications. No credentials or privileged access will be provided by Alibaba, so accounts are limited to what users can create on their own.\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. 
Only interact with accounts you own or with the explicit permission of the account holder.\n\n# Scope\nFor the first stage of Alibaba's Bug Bounty Program, only listed targets are in scope.\nOther domains/assets owned by Alibaba but not listed are not in scope and are ineligible for bounty.\n\nYou may submit reports for assets that were previously listed in the [Alibaba Response Program](https://hackerone.com/alibaba_vdp) to the ASRC platform here: https://security.alibaba.com/\nWe may add those assets gradually in the next program phase. Stay tuned for updates!\n\n## _Things to note about the Scope_\n\n### Lazada scope\nLazada has revised its scope to now include ALL Lazada domains. By definition, they are:\n*.lazada.com\n*.lazada.sg\n*.lazada.vn\n*.lazada.com.my\n*.lazada.com.ph\n*.lazada.co.id\n*.lazada.co.th\n\n### Please note that if an IP belongs to an Alibaba Cloud external customer, it's not in scope.\nIf an IP's description contains 'Alicloud' or 'Aliyun' in the search result here: http://wq.apnic.net/static/search.html, there is a high chance this IP belongs to an external Alibaba Cloud customer, which is not in scope. But please note that this is only a reference, not a hard-and-fast rule. If you are not sure and the impact is severe enough, you can submit it, and we will look into your report ASAP.\n\n### sellercenter.taobao.com|.tw\nsellercenter.taobao.com|.tw belongs to Lazada, and it's not in this program's scope now.\n\n### Vulnerabilities in:\n \\*.anydomain.com|cn/[\\*/]login.htm\n \\*.anydomain.com|cn/[\\*/]mini[\\*]login.htm\n \\*.anydomain.com|cn/[\\*/]icbu[\\*]login.htm\nor patterns like the above URLs,\nwill be considered as only ONE valid report because they share the same back-end service. Also, vulnerabilities in different\nparams of the same URL are considered as ONE valid report.\n\n### Aliyuncs.com\naliyuncs.com is not a 'trusted' domain in our business, so front-end vulnerabilities on it (XSS, CSRF, Open Redirection etc.) are not in scope. 
But server-side vulnerabilities are in scope.\n\n### Please note that the following vulnerability types will not be assessed higher than Medium severity:\nVulnerabilities that require a user to visit a certain URL or an attacker-controlled URL, for example:\n- Reflected XSS\n- Stored XSS that requires visiting a certain URL or user interaction\n- CSRF\n- CORS\n- JSONP Hijacking\n- OAuth Hijacking\n- Privilege Escalation\n- Unused or abandoned subdomain takeover\n- Arbitrary file upload that only leads to Stored XSS etc.\n\n## Assessment Guidelines for SSRF Vulnerability Severity\nAlibaba has identified four main types of SSRF for its businesses:\n1. SSRF on Production Network Services\n2. Blind SSRF on Production Network Services\n3. SSRF on Cloud Server\n4. Blind SSRF on Cloud Server\n\nPlease note that the severity of SSRFs may range from low to critical. We have prepared a document outlining how SSRF issues will be assessed, to give clarity to our researchers: https://security.alibaba.com/announcement/announcement?id=194.\n\n# Out of scope vulnerabilities\nThe following finding types are specifically excluded:\n· Vulnerabilities affecting users of outdated browsers or platforms\n· Account brute force\n· Account takeover via CSRF/OAuth etc.\n· Self-XSS\n· Flash-based XSS\n· Tabnabbing\n· Email spoofing\n· Session fixation\n· Content spoofing\n· Missing cookie flags\n· Best practices/issues\n· HTML content injection\n· Mixed content warnings\n· Clickjacking/UI redressing\n· HTTPS/SSL/TLS related issues\n· Physical or social engineering attacks\n· Reflected file download attacks (RFD)\n· Issues that require unlikely user interaction\n· Login/logout/unauthenticated/low-impact CSRF\n· Unverified results of automated tools or scanners\n· No SPF/DMARC in non-email domains/subdomains\n· Attacks requiring MITM or physical access to a user's device\n· Issues related to networking protocols or industry standards\n· Carriage Return Line Feed injection without direct impact 
(CRLF)\n· Error information disclosure that cannot be used to make a direct attack\n· Missing security-related HTTP headers which do not lead directly to a vulnerability\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct, and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\n# Contacting the team\n* Reports: You can communicate with the H1 Team and the ASRC Team directly under your H1 report.\n* Events \u0026 Info: ASRC will hold events frequently. See: https://security.alibaba.com/online . You can also follow our [Twitter](https://twitter.com/asrcsecurity) for updates.\n\nThank you for helping keep Alibaba and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-12-16T04:47:07.972Z"},{"id":3646902,"new_policy":"Dear researchers,\n\nASRC will be holding a special Project Apollo - WAF challenge game beginning 16 December 2020.\n\nWe will set up 6 target range websites for SQL injection and XSS, with WAF defences. 
If you can successfully bypass the defense we have put up, you will be eligible for a reward and swag, and also earn a place in the hall of fame.\n\n## Project Apollo - Challenge Game Period\n**_16th December 2020, 10:00 AM to 25th December 2020, 11:59 PM (UTC+8)_**\n\n## Rewards\n* $300 per new \u0026 recognized effective bypass method (ONLY the earliest submission will be rewarded, not the duplicates)\n* 100 game points per recognized effective bypass method\n* Top 3 players will get an ASRC souvenir package\n\n## Challenge Game instructions\n\n* XSS targets: 3 websites with different languages and databases\n    1. **Successful Bypass:** Please use the latest Chrome/Firefox Stable version, and successfully execute alert/confirm/prompt in the target domain.\n    2. **Attention:** Executing alert in another domain is not in scope; GET XSS, POST XSS and interactive XSS are all in scope.\n\n* SQL targets: 3 websites with different languages and databases\n    1. **Successful Bypass:** A known database table name will be given; please bypass the defense to read it\n    2. **Attention:** Showing the error code is not a successful bypass\n\nEnvironment: PHP + MySQL, JAVA + Oracle, ASP.NET + MSSQL\n\n## _Web targets to bypass [UPDATED 16 Dec, 10:00AM UTC+8]_\n**PHP + MySQL**\n* Target 1: http://game1.aliyundemo.com/demo/xss.php?name=glassy (XSS)\n* Target 2: http://game1.aliyundemo.com/demo/sqli.php?name=glassy (SQLi)\n    * Table name to look out for: *information_schema.tables*\n\n**JAVA + Oracle**\n* Target 3: http://game2.aliyundemo.com/demo/xss?name=glassy (XSS)\n* Target 4: http://game2.aliyundemo.com/demo/sqli?name=glassy (SQLi)\n    * Table name to look out for: *information_schema.tables*\n\n**ASP.NET + MSSQL**\n* Target 5: http://game3.aliyundemo.com/demo/xss.aspx?name=glassy (XSS)\n* Target 6: http://game3.aliyundemo.com/demo/sqli.aspx?name=glassy (SQLi)\n    * Table name to look out for: *information_schema.tables*\n\n## Report submission\n1. 
Please name your report \"Apollo Challenge - xxxxxxx\"\n2. Your OS and browser versions: Example - Win7 + Chrome 85.0.4188\n3. PoC: Example - xxxxx.com/xxxx?id=alert;a(1)\n4. Sample description: Example - can easily bypass with detection leak of ';'\n5. Screenshot\n\n## Things to note\n1. If one method can be used to bypass all 3 targets, it will only be counted as one bypass\n2. Please do not disclose your reports without permission.\n\nGood luck!\n\n-------------------------------------------------------------------------------------------\n\nAlibaba BBP looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.\n\n# Response Targets\nAlibaba BBP will make the best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 5 days |\n| Time to Bounty | 2 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Policy\n* As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Access\nResearchers are free to create their own seller, buyer, etc., accounts on the in-scope applications. No credentials or privileged access will be provided by Alibaba, so accounts are limited to what users can create on their own.\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. 
If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good-faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.\n\n# Scope\nFor the first stage of Alibaba's Bug Bounty Program, only listed targets are in scope.\nOther domains/assets owned by Alibaba but not listed are not in scope and are ineligible for bounty.\n\nYou may submit reports for assets that were previously listed in the [Alibaba Response Program](https://hackerone.com/alibaba_vdp) to the ASRC platform here: https://security.alibaba.com/\nWe may add those assets gradually in the next program phase. Stay tuned for updates!\n\n## _Things to note about the Scope_\n\n### Lazada scope\nLazada has revised its scope to now include ALL Lazada domains. By definition, they are:\n*.lazada.com\n*.lazada.sg\n*.lazada.vn\n*.lazada.com.my\n*.lazada.com.ph\n*.lazada.co.id\n*.lazada.co.th\n\n### Please note that if an IP belongs to an Alibaba Cloud external customer, it's not in scope.\nIf an IP's description contains 'Alicloud' or 'Aliyun' in the search result here: http://wq.apnic.net/static/search.html, there is a high chance this IP belongs to an external Alibaba Cloud customer, which is not in scope. But please note that this is only a reference, not a hard-and-fast rule. If you are not sure and the impact is severe enough, you can submit it, and we will look into your report ASAP. 
\n\n### sellercenter.taobao.com|.tw\nsellercenter.taobao.com|.tw belongs to Lazada, and it's not in this program's scope now.\n\n### Vulnerabilities in:\n \\*.anydomain.com|cn/[\\*/]login.htm\n \\*.anydomain.com|cn/[\\*/]mini[\\*]login.htm\n \\*.anydomain.com|cn/[\\*/]icbu[\\*]login.htm\nor patterns like the above URLs,\nwill be considered as only ONE valid report because they share the same back-end service. Also, vulnerabilities in different\nparams of the same URL are considered as ONE valid report.\n\n### Aliyuncs.com\naliyuncs.com is not a 'trusted' domain in our business, so front-end vulnerabilities on it (XSS, CSRF, Open Redirection etc.) are not in scope. But server-side vulnerabilities are in scope.\n\n### Please note that the following vulnerability types will not be assessed higher than Medium severity:\nVulnerabilities that require a user to visit a certain URL or an attacker-controlled URL, for example:\n- Reflected XSS\n- Stored XSS that requires visiting a certain URL or user interaction\n- CSRF\n- CORS\n- JSONP Hijacking\n- OAuth Hijacking\n- Privilege Escalation\n- Unused or abandoned subdomain takeover\n- Arbitrary file upload that only leads to Stored XSS etc.\n\n## Assessment Guidelines for SSRF Vulnerability Severity\nAlibaba has identified four main types of SSRF for its businesses:\n1. SSRF on Production Network Services\n2. Blind SSRF on Production Network Services\n3. SSRF on Cloud Server\n4. Blind SSRF on Cloud Server\n\nPlease note that the severity of SSRFs may range from low to critical. 
We have prepared a document outlining how SSRF issues will be assessed, to give clarity to our researchers: https://security.alibaba.com/announcement/announcement?id=194.\n\n# Out of scope vulnerabilities\nThe following finding types are specifically excluded:\n· Vulnerabilities affecting users of outdated browsers or platforms\n· Account brute force\n· Account takeover via CSRF/OAuth etc.\n· Self-XSS\n· Flash-based XSS\n· Tabnabbing\n· Email spoofing\n· Session fixation\n· Content spoofing\n· Missing cookie flags\n· Best practices/issues\n· HTML content injection\n· Mixed content warnings\n· Clickjacking/UI redressing\n· HTTPS/SSL/TLS related issues\n· Physical or social engineering attacks\n· Reflected file download attacks (RFD)\n· Issues that require unlikely user interaction\n· Login/logout/unauthenticated/low-impact CSRF\n· Unverified results of automated tools or scanners\n· No SPF/DMARC in non-email domains/subdomains\n· Attacks requiring MITM or physical access to a user's device\n· Issues related to networking protocols or industry standards\n· Carriage Return Line Feed injection without direct impact (CRLF)\n· Error information disclosure that cannot be used to make a direct attack\n· Missing security-related HTTP headers which do not lead directly to a vulnerability\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct, and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\n# Contacting the team\n* Reports: You can communicate with the H1 Team and the ASRC Team directly under your H1 report.\n* Events \u0026 Info: ASRC will hold events frequently. See: https://security.alibaba.com/online . 
You can also follow our [Twitter](https://twitter.com/asrcsecurity) for updates.\n\nThank you for helping keep Alibaba and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-12-16T02:49:39.875Z"},{"id":3646901,"new_policy":"Dear researchers,\n\nASRC will be holding a special Project Apollo - WAF challenge game beginning 16 December 2020.\n\nWe will set up 6 target range websites for SQL injection and XSS, with WAF defences. If you can successfully bypass the defense we have put up, you will be eligible for a reward and swag, and also earn a place in the hall of fame.\n\n## Project Apollo - Challenge Game Period\n**_16th December 2020, 10:00 AM to 25th December 2020, 11:59 PM (UTC+8)_**\n\n## Rewards\n* $300 per new \u0026 recognized effective bypass method (ONLY the earliest submission will be rewarded, not the duplicates)\n* 100 game points per recognized effective bypass method\n* Top 3 players will get an ASRC souvenir package\n\n## Challenge Game instructions\n\n* XSS targets: 3 websites with different languages and databases\n    1. **Successful Bypass:** Please use the latest Chrome/Firefox Stable version, and successfully execute alert/confirm/prompt in the target domain.\n    2. **Attention:** Executing alert in another domain is not in scope; GET XSS, POST XSS and interactive XSS are all in scope.\n\n* SQL targets: 3 websites with different languages and databases\n    1. **Successful Bypass:** A known database table name will be given; please bypass the defense to read it\n    2. 
**Attention:** Showing the error code is not a successful bypass\n\nEnvironment: PHP + MySQL, JAVA + Oracle, ASP.NET + MSSQL\n\n## _Web targets to bypass [UPDATED 16 Dec, 10:00AM UTC+8]_\n**PHP + MySQL**\n* Target 1: http://game1.aliyundemo.com/demo/xss.php?name=glassy (XSS)\n* Target 2: http://game1.aliyundemo.com/demo/sqli.php?name=glassy (SQLi)\n\n**JAVA + Oracle**\n* Target 3: http://game2.aliyundemo.com/demo/xss?name=glassy (XSS)\n* Target 4: http://game2.aliyundemo.com/demo/sqli?name=glassy (SQLi)\n\n**ASP.NET + MSSQL**\n* Target 5: http://game3.aliyundemo.com/demo/xss.aspx?name=glassy (XSS)\n* Target 6: http://game3.aliyundemo.com/demo/sqli.aspx?name=glassy (SQLi)\nTable name: information_schema.tables\n\n## Report submission\n1. Please name your report \"Apollo Challenge - xxxxxxx\"\n2. Your OS and browser versions: Example - Win7 + Chrome 85.0.4188\n3. PoC: Example - xxxxx.com/xxxx?id=alert;a(1)\n4. Sample description: Example - can easily bypass with detection leak of ';'\n5. Screenshot\n\n## Things to note\n1. If one method can be used to bypass all 3 targets, it will only be counted as one bypass\n2. 
Please do not disclose your reports without permission.\n\nGood luck!\n\n-------------------------------------------------------------------------------------------\n\nAlibaba BBP looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.\n\n# Response Targets\nAlibaba BBP will make the best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 5 days |\n| Time to Bounty | 2 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Policy\n* As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Access\nResearchers are free to create their own seller, buyer, etc., accounts on the in-scope applications. No credentials or privileged access will be provided by Alibaba, so accounts are limited to what users can create on their own.\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. 
Only interact with accounts you own or with the explicit permission of the account holder.\n\n# Scope\nFor the first stage of Alibaba's Bug Bounty Program, only listed targets are in scope.\nOther domains/assets owned by Alibaba but not listed are not in scope and are ineligible for bounty.\n\nYou may submit reports for assets that were previously listed in the [Alibaba Response Program](https://hackerone.com/alibaba_vdp) to the ASRC platform here: https://security.alibaba.com/\nWe may add those assets gradually in the next program phase. Stay tuned for updates!\n\n## _Things to note about the Scope_\n\n### Lazada scope\nLazada has revised its scope to now include ALL Lazada domains. By definition, they are:\n*.lazada.com\n*.lazada.sg\n*.lazada.vn\n*.lazada.com.my\n*.lazada.com.ph\n*.lazada.co.id\n*.lazada.co.th\n\n### Please note that if an IP belongs to an Alibaba Cloud external customer, it's not in scope.\nIf an IP's description contains 'Alicloud' or 'Aliyun' in the search result here: http://wq.apnic.net/static/search.html, there is a high chance this IP belongs to an external Alibaba Cloud customer, which is not in scope. But please note that this is only a reference, not a hard-and-fast rule. If you are not sure and the impact is severe enough, you can submit it, and we will look into your report ASAP.\n\n### sellercenter.taobao.com|.tw\nsellercenter.taobao.com|.tw belongs to Lazada, and it's not in this program's scope now.\n\n### Vulnerabilities in:\n \\*.anydomain.com|cn/[\\*/]login.htm\n \\*.anydomain.com|cn/[\\*/]mini[\\*]login.htm\n \\*.anydomain.com|cn/[\\*/]icbu[\\*]login.htm\nor patterns like the above URLs,\nwill be considered as only ONE valid report because they share the same back-end service. Also, vulnerabilities in different\nparams of the same URL are considered as ONE valid report.\n\n### Aliyuncs.com\naliyuncs.com is not a 'trusted' domain in our business, so front-end vulnerabilities on it (XSS, CSRF, Open Redirection etc.) are not in scope. 
But server-side vulnerabilities are in scope.\n\n### Please note that the following vulnerability types will not be assessed higher than Medium severity:\nVulnerabilities that require a user to visit a certain URL or an attacker-controlled URL, for example:\n- Reflected XSS\n- Stored XSS that requires visiting a certain URL or user interaction\n- CSRF\n- CORS\n- JSONP Hijacking\n- OAuth Hijacking\n- Privilege Escalation\n- Unused or abandoned subdomain takeover\n- Arbitrary file upload that only leads to Stored XSS etc.\n\n## Assessment Guidelines for SSRF Vulnerability Severity\nAlibaba has identified four main types of SSRF for its businesses:\n1. SSRF on Production Network Services\n2. Blind SSRF on Production Network Services\n3. SSRF on Cloud Server\n4. Blind SSRF on Cloud Server\n\nPlease note that the severity of SSRFs may range from low to critical. We have prepared a document outlining how SSRF issues will be assessed, to give clarity to our researchers: https://security.alibaba.com/announcement/announcement?id=194.\n\n# Out of scope vulnerabilities\nThe following finding types are specifically excluded:\n· Vulnerabilities affecting users of outdated browsers or platforms\n· Account brute force\n· Account takeover via CSRF/OAuth etc.\n· Self-XSS\n· Flash-based XSS\n· Tabnabbing\n· Email spoofing\n· Session fixation\n· Content spoofing\n· Missing cookie flags\n· Best practices/issues\n· HTML content injection\n· Mixed content warnings\n· Clickjacking/UI redressing\n· HTTPS/SSL/TLS related issues\n· Physical or social engineering attacks\n· Reflected file download attacks (RFD)\n· Issues that require unlikely user interaction\n· Login/logout/unauthenticated/low-impact CSRF\n· Unverified results of automated tools or scanners\n· No SPF/DMARC in non-email domains/subdomains\n· Attacks requiring MITM or physical access to a user's device\n· Issues related to networking protocols or industry standards\n· Carriage Return Line Feed injection without direct impact 
(CRLF)\n· Error information disclosure that cannot be used to make a direct attack\n· Missing security-related HTTP headers which do not lead directly to a vulnerability\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct, and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\n# Contacting the team\n* Reports: You can communicate with the H1 Team and the ASRC Team directly under your H1 report.\n* Events \u0026 Info: ASRC will hold events frequently. See: https://security.alibaba.com/online . You can also follow our [Twitter](https://twitter.com/asrcsecurity) for updates.\n\nThank you for helping keep Alibaba and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-12-16T02:09:57.821Z"},{"id":3646900,"new_policy":"Dear researchers,\n\nASRC will be holding a special Project Apollo - WAF challenge game beginning 16 December 2020.\n\nWe will set up 6 target range websites for SQL injection and XSS, with WAF defences. 
If you can successfully bypass the defense we have put up, you will be eligible for a reward, swag and also earn a place in the hall of fame.\n\n## Project Apollo - Challenge Game Period\n**_16th December 2020, 10:00 AM   to  25th December 2020, 11:59 PM (UTC+8)_**\n\n## Rewards\n* $300 / per new \u0026 recognized effective bypass method (ONLY the earliest submission will be rewarded and not the duplicates)\n* 100 game points / per recognized effective bypass method\n* Top 3 players will get an ASRC souvenir package\n\n## Challenge Game instructions\n\n* XSS targets: 3 websites with different language and database\n    1. **Successful Bypass:** Please use the latest Chrome/Firefox Stable version, and successfully execute alert/confirm/prompt in the target domain.\n    2. **Attention:** Execute alert in another domain is not in the scope; get XSS、post XSS and InteractiveXSS are all in the scope.\n\n* SQL targets: 3 websites with different language and database\n    1. **Success Bypass:** A known table name of database will be given, please bypass the defense to read it\n    2. **Attention:** Showing the error code is not a successful bypass\n\nEnvironment: PHP + MySQL, JAVA + Oracle, ASP.NET + MSSQL\n\n## _Web targets to bypass [UPDATED 16 Dec, 10:00AM UTC+8]_\n**PHP + MySQL**\n* Target 1:http://game1.aliyundemo.com/demo/xss.php?name=glassy (XSS)\n* Target 2:http://game1.aliyundemo.com/demo/sqli.php?name=glassy (SQLi)\n\n**JAVA + Oracle**\n* Target 3:http://game2.aliyundemo.com/demo/xss?name=glassy (XSS)\n* Target 4:http://game2.aliyundemo.com/demo/sqli?name=glassy (SQLi)\n\n**ASP.NET + MSSQL**\n* Target 5:http://game3.aliyundemo.com/demo/xss.aspx?name=glassy (XSS)\n* Target 6:http://game3.aliyundemo.com/demo/sqli.aspx?name=glassy (SQLi)\n\n\n## Report submission\n1. Please submit your report named with \"Apollo Challenge - xxxxxxx\"\n2. Your OS and browser Versions: Example - Win7 + Chrome 85.0.4188\n3. PoC: Example - xxxxx.com/xxxx?id=alert;a(1)\n4. 
Sample description: Example - can easily bypass with detection leak of ';'\n5. Screenshot \n\n## Things to note\n1. If one method can be used to bypass all the 3 targets, it will only be considered as one bypass\n2. Please do not disclose your reports without permission.\n\nGood luck!\n\n-------------------------------------------------------------------------------------------\n\nAlibaba BBP looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.\n\n# Response Targets\nAlibaba BBP will make the best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 5 days |\n| Time to Bounty | 2 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Policy\n* As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Access\nResearchers are free to create their own seller, buyer, etc., accounts on the in-scope applications. No credentials or privileged access will be provided by Alibaba, so accounts are limited to what users can create on their own.\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. 
If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n# Scope\nFor the first stage of Alibaba's Bug Bounty Program, only listed targets are in scope. \nOther domains/assets owned by Alibaba but not listed, are not in scope and are ineligible for bounty.\n\nYou may submit reports for assets that are previously listed in [Alibaba Response Program](https://hackerone.com/alibaba_vdp) to the ASRC platform here: https://security.alibaba.com/\nWe may add those assets gradually in the next program phase. Stay tuned for updates!\n\n## _Things to note about the Scope_\n\n### Lazada scope\nLazada has revised the scope and instead now to include ALL Lazada domains. In definition, they are:\n*.lazada.com\n*.lazada.sg\n*.lazada.vn\n*.lazada.com.my\n*.lazada.com.ph\n*.lazada.co.id\n*.lazada.co.th\n\n### Please note that if an IP belongs to Alibaba Cloud external customer, it's not in scope.\nIf an IP's description contains 'Alicloud' or 'Aliyun' in the search result here: http://wq.apnic.net/static/search.html , there is a high chance this IP belongs to our external Alibaba Cloud external customer, which is not in scope. But please note that this is only a reference, not a hard and fast rule. If you are not sure and the impact is severe enough, you can submit it, and we will look into your report ASAP. 
\n\n### sellercenter.taobao.com|.tw\nsellercenter.taobao.com|.tw belongs to Lazada, and it's not in this program's scope now.\n\n### Vulnerabilities in:\n \\*.anydomain.com|cn/[\\*/]login.htm\n \\*.anydomain.com|cn/[\\*/]mini[\\*]login.htm\n \\*.anydomain.com|cn/[\\*/]icbu[\\*]login.htm\nor patterns like above URLs,\nwill consider as only ONE valid report because of the same back-end service. Also, vulnerabilities on different \nparams of the same URL is consider as ONE valid report. \n\n### Aliyuncs.com\nFront-end vulnerabilities on aliyuncs.com is not a 'trust' domain in our business. So the XSS, CSRF, Open Redirection etc. are not in scope. But server-end vulnerabilities are in scope.\n\n### Please note that following type vulnerabilities severity will not be assessed higher than Medium severity:\nVulnerabilities that requires user visit certain URL or attacker controlled URL, for example: \n- Reflected XSS\n- Stored XSS that need to visit certain URL or need a user interaction\n- CSRF\n- CORS\n- Jsonp Hijacking\n- OAuth Hijacking\n- Privilege Escalation\n- Unused or abandoned subdomain takeover\n- Arbitrary file upload that only leads to Stored XSS etc.\n\n## Assessment Guidelines for SSRF Vulnerability Severity\nAlibaba has identified four main types of SSRF for its businesses:\n1.SSRF on Production Network Services\n2.Blind SSRF on Production Network Services\n3.SSRF on Cloud Server\n4.Blind SSRF on Cloud Server \n\nPlease note that the severity of SSRFs may range from low to critical. 
We have prepared a document outlining how SSRF issues will be assessed and to give clarity to our researchers: https://security.alibaba.com/announcement/announcement?id=194.\n\n# Out of scope vulnerabilities\nThe following finding types are specifically excluded:\n· Vulnerabilities affecting users of outdated browsers or platforms\n· Account brute force\n· Account takeover via CSRF/OAUTH etc.\n· Self-XSS\n· Flash-based XSS\n· Tabnabbing\n· Email Spoof\n· Session fixation\n· Content Spoofing\n· Missing cookie flags\n· Best practices/issues\n· HTML content injection\n· Mixed content warnings\n· Clickjacking/UI redressing\n· HTTPS/SSL/TLS Related Issues\n· Physical or social engineering attacks\n· Reflected file download attacks (RFD)\n· Issues that require unlikely user interaction\n· Login/logout/unauthenticated/low-impact CSRF\n· Unverified Results of automated tools or scanners\n· No SPF/DMARC in non-email domains/subdomains\n· Attacks requiring MITM or physical access to a user's device\n· Issues related to networking protocols or industry standards\n· Carriage Return Line Feed injection without direct impact (CRLF)\n· Error information disclosure that cannot be used to make a direct attack\n· Missing security-related HTTP headers which do not lead directly to a vulnerability\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\n# Contacting the team\n* Reports: You can communicate with H1 Team and ASRC Team directly under your H1 report.\n* Events \u0026 Info: ASRC will hold events frequently. See: https://security.alibaba.com/online . 
You can also follow our [Twitter](https://twitter.com/asrcsecurity) for updates.\n\nThank you for helping keep Alibaba and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-12-16T02:05:41.152Z"},{"id":3646899,"new_policy":"Dear researchers,\n\nASRC will be holding a special Project Apollo - WAF challenge game beginning 16 December 2020. \n\nWe will set 6 target range websites of SQL and XSS, with WAF defences. If you can successfully bypass the defense we have put up, you will be eligible for a reward, swag and also earn a place in the hall of fame.\n\n## Project Apollo - Challenge Game Period\n**_16th December 2020, 10:00 AM   to  25th December 2020, 11:59 PM (UTC+8)_**\n\n## Rewards\n* $300 / per new \u0026 recognized effective bypass method (ONLY the earliest submission will be rewarded and not the duplicates)\n* 100 game points / per recognized effective bypass method\n* Top 3 players will get an ASRC souvenir package\n\n## Challenge Game instructions\n\n* XSS targets: 3 websites with different language and database\n    1. **Successful Bypass:** Please use the latest Chrome/Firefox Stable version, and successfully execute alert/confirm/prompt in the target domain.\n    2. **Attention:** Execute alert in another domain is not in the scope; get XSS、post XSS and InteractiveXSS are all in the scope.\n\n* SQL targets: 3 websites with different language and database\n    1. **Success Bypass:** A known table name of database will be given, please bypass the defense to read it\n    2. 
**Attention:** Showing the error code is not a successful bypass\n\nEnvironment: PHP + MySQL, JAVA + Oracle, ASP.NET + MSSQL\n\n## Web targets to bypass [UPDATED 16 Dec, 10:00AM UTC+8]\n**PHP + MySQL**\n* Target 1:http://game1.aliyundemo.com/demo/xss.php?name=glassy (XSS)\n* Target 2:http://game1.aliyundemo.com/demo/sqli.php?name=glassy (SQLi)\n\nJAVA + Oracle**\n* Target 3:http://game2.aliyundemo.com/demo/xss?name=glassy (XSS)\n* Target 4:http://game2.aliyundemo.com/demo/sqli?name=glassy (SQLi)\n\n**ASP.NET + MSSQL**\n* Target 5:http://game3.aliyundemo.com/demo/xss.aspx?name=glassy (XSS)\n* Target 6:http://game3.aliyundemo.com/demo/sqli.aspx?name=glassy (SQLi)\n\n\n## Report submission\n1. Please submit your report named with \"Apollo Challenge - xxxxxxx\"\n2. Your OS and browser Versions: Example - Win7 + Chrome 85.0.4188\n3. PoC: Example - xxxxx.com/xxxx?id=alert;a(1)\n4. Sample description: Example - can easily bypass with detection leak of ';'\n5. Screenshot \n\n## Things to note\n1. If one method can be used to bypass all the 3 targets, it will only be considered as one bypass\n2. 
Please do not disclose your reports without permission.\n\nGood luck!\n\n-------------------------------------------------------------------------------------------\n\nAlibaba BBP looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.\n\n# Response Targets\nAlibaba BBP will make the best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 5 days |\n| Time to Bounty | 2 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Policy\n* As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Access\nResearchers are free to create their own seller, buyer, etc., accounts on the in-scope applications. No credentials or privileged access will be provided by Alibaba, so accounts are limited to what users can create on their own.\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. 
Only interact with accounts you own or with explicit permission of the account holder.\n\n# Scope\nFor the first stage of Alibaba's Bug Bounty Program, only listed targets are in scope. \nOther domains/assets owned by Alibaba but not listed, are not in scope and are ineligible for bounty.\n\nYou may submit reports for assets that are previously listed in [Alibaba Response Program](https://hackerone.com/alibaba_vdp) to the ASRC platform here: https://security.alibaba.com/\nWe may add those assets gradually in the next program phase. Stay tuned for updates!\n\n## _Things to note about the Scope_\n\n### Lazada scope\nLazada has revised the scope and instead now to include ALL Lazada domains. In definition, they are:\n*.lazada.com\n*.lazada.sg\n*.lazada.vn\n*.lazada.com.my\n*.lazada.com.ph\n*.lazada.co.id\n*.lazada.co.th\n\n### Please note that if an IP belongs to Alibaba Cloud external customer, it's not in scope.\nIf an IP's description contains 'Alicloud' or 'Aliyun' in the search result here: http://wq.apnic.net/static/search.html , there is a high chance this IP belongs to our external Alibaba Cloud external customer, which is not in scope. But please note that this is only a reference, not a hard and fast rule. If you are not sure and the impact is severe enough, you can submit it, and we will look into your report ASAP. \n\n### sellercenter.taobao.com|.tw\nsellercenter.taobao.com|.tw belongs to Lazada, and it's not in this program's scope now.\n\n### Vulnerabilities in:\n \\*.anydomain.com|cn/[\\*/]login.htm\n \\*.anydomain.com|cn/[\\*/]mini[\\*]login.htm\n \\*.anydomain.com|cn/[\\*/]icbu[\\*]login.htm\nor patterns like above URLs,\nwill consider as only ONE valid report because of the same back-end service. Also, vulnerabilities on different \nparams of the same URL is consider as ONE valid report. \n\n### Aliyuncs.com\nFront-end vulnerabilities on aliyuncs.com is not a 'trust' domain in our business. So the XSS, CSRF, Open Redirection etc. are not in scope. 
But server-end vulnerabilities are in scope.\n\n### Please note that following type vulnerabilities severity will not be assessed higher than Medium severity:\nVulnerabilities that requires user visit certain URL or attacker controlled URL, for example: \n- Reflected XSS\n- Stored XSS that need to visit certain URL or need a user interaction\n- CSRF\n- CORS\n- Jsonp Hijacking\n- OAuth Hijacking\n- Privilege Escalation\n- Unused or abandoned subdomain takeover\n- Arbitrary file upload that only leads to Stored XSS etc.\n\n## Assessment Guidelines for SSRF Vulnerability Severity\nAlibaba has identified four main types of SSRF for its businesses:\n1.SSRF on Production Network Services\n2.Blind SSRF on Production Network Services\n3.SSRF on Cloud Server\n4.Blind SSRF on Cloud Server \n\nPlease note that the severity of SSRFs may range from low to critical. We have prepared a document outlining how SSRF issues will be assessed and to give clarity to our researchers: https://security.alibaba.com/announcement/announcement?id=194.\n\n# Out of scope vulnerabilities\nThe following finding types are specifically excluded:\n· Vulnerabilities affecting users of outdated browsers or platforms\n· Account brute force\n· Account takeover via CSRF/OAUTH etc.\n· Self-XSS\n· Flash-based XSS\n· Tabnabbing\n· Email Spoof\n· Session fixation\n· Content Spoofing\n· Missing cookie flags\n· Best practices/issues\n· HTML content injection\n· Mixed content warnings\n· Clickjacking/UI redressing\n· HTTPS/SSL/TLS Related Issues\n· Physical or social engineering attacks\n· Reflected file download attacks (RFD)\n· Issues that require unlikely user interaction\n· Login/logout/unauthenticated/low-impact CSRF\n· Unverified Results of automated tools or scanners\n· No SPF/DMARC in non-email domains/subdomains\n· Attacks requiring MITM or physical access to a user's device\n· Issues related to networking protocols or industry standards\n· Carriage Return Line Feed injection without direct impact 
(CRLF)\n· Error information disclosure that cannot be used to make a direct attack\n· Missing security-related HTTP headers which do not lead directly to a vulnerability\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\n# Contacting the team\n* Reports: You can communicate with H1 Team and ASRC Team directly under your H1 report.\n* Events \u0026 Info: ASRC will hold events frequently. See: https://security.alibaba.com/online . You can also follow our [Twitter](https://twitter.com/asrcsecurity) for updates.\n\nThank you for helping keep Alibaba and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-12-16T02:04:40.081Z"},{"id":3646898,"new_policy":"Dear researchers,\n\nASRC will be holding a special Project Apollo - WAF challenge game beginning 16 December 2020. \n\nWe will set 6 target range websites of SQL and XSS, with WAF defences. 
If you can successfully bypass the defense we have put up, you will be eligible for a reward, swag and also earn a place in the hall of fame.\n\n## Project Apollo - Challenge Game Period\n**_16th December 2020, 10:00 AM   to  25th December 2020, 11:59 PM (UTC+8)_**\n\n## Rewards\n* $300 / per new \u0026 recognized effective bypass method (ONLY the earliest submission will be rewarded and not the duplicates)\n* 100 game points / per recognized effective bypass method\n* Top 3 players will get an ASRC souvenir package\n\n## Challenge Game instructions\n\n* XSS targets: 3 websites with different language and database\n    1. **Successful Bypass:** Please use the latest Chrome/Firefox Stable version, and successfully execute alert/confirm/prompt in the target domain.\n    2. **Attention:** Execute alert in another domain is not in the scope; get XSS、post XSS and InteractiveXSS are all in the scope.\n\n* SQL targets: 3 websites with different language and database\n    1. **Success Bypass:** A known table name of database will be given, please bypass the defense to read it\n    2. **Attention:** Showing the error code is not a successful bypass\n\nEnvironment: PHP + MySQL, JAVA + Oracle, ASP.NET + MSSQL\n\n## Web targets to bypass [UPDATED 16 Dec, 10:00AM UTC+8]\n**PHP + MySQL**\n* Target 1:http://game1.aliyundemo.com/demo/xss.php?name=glassy (XSS)\n* Target 2:http://game1.aliyundemo.com/demo/sqli.php?name=glassy (SQLi)\n\nJAVA + Oracle**\n* Target 3:http://game2.aliyundemo.com/demo/xss?name=glassy (XSS)\n* Target 4:http://game2.aliyundemo.com/demo/sqli?name=glassy (SQLi)\n\n**ASP.NET + MSSQL**\n* Target 5:http://game3.aliyundemo.com/demo/xss.aspx?name=glassy (XSS)\n* Target 6:http://game3.aliyundemo.com/demo/sqli.aspx?name=glassy (SQLi)\n\n\n## Report submission\n1. Please submit your report named with \"Apollo Challenge - xxxxxxx\"\n2. Your OS and browser Versions: Example - Win7 + Chrome 85.0.4188\n3. PoC: Example - xxxxx.com/xxxx?id=alert;a(1)\n4. 
Sample description: Example - can easily bypass with detection leak of ';'\n5. Screenshot \n\n## Things to note\n1. If one method can be used to bypass all the 3 targets, it will only be considered as one bypass\n2. Please do not disclose your reports without permission.\n\n\n### More details of the Challenge will be updated here on 16 December, 10:00 UTC+8 and we invite you to participate and submit your reports to us.\n\n-------------------------------------------------------------------------------------------\n\nAlibaba BBP looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.\n\n# Response Targets\nAlibaba BBP will make the best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 5 days |\n| Time to Bounty | 2 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Policy\n* As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Access\nResearchers are free to create their own seller, buyer, etc., accounts on the in-scope applications. No credentials or privileged access will be provided by Alibaba, so accounts are limited to what users can create on their own.\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. 
If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n# Scope\nFor the first stage of Alibaba's Bug Bounty Program, only listed targets are in scope. \nOther domains/assets owned by Alibaba but not listed, are not in scope and are ineligible for bounty.\n\nYou may submit reports for assets that are previously listed in [Alibaba Response Program](https://hackerone.com/alibaba_vdp) to the ASRC platform here: https://security.alibaba.com/\nWe may add those assets gradually in the next program phase. Stay tuned for updates!\n\n## _Things to note about the Scope_\n\n### Lazada scope\nLazada has revised the scope and instead now to include ALL Lazada domains. In definition, they are:\n*.lazada.com\n*.lazada.sg\n*.lazada.vn\n*.lazada.com.my\n*.lazada.com.ph\n*.lazada.co.id\n*.lazada.co.th\n\n### Please note that if an IP belongs to Alibaba Cloud external customer, it's not in scope.\nIf an IP's description contains 'Alicloud' or 'Aliyun' in the search result here: http://wq.apnic.net/static/search.html , there is a high chance this IP belongs to our external Alibaba Cloud external customer, which is not in scope. But please note that this is only a reference, not a hard and fast rule. If you are not sure and the impact is severe enough, you can submit it, and we will look into your report ASAP. 
\n\n### sellercenter.taobao.com|.tw\nsellercenter.taobao.com|.tw belongs to Lazada, and it's not in this program's scope now.\n\n### Vulnerabilities in:\n \\*.anydomain.com|cn/[\\*/]login.htm\n \\*.anydomain.com|cn/[\\*/]mini[\\*]login.htm\n \\*.anydomain.com|cn/[\\*/]icbu[\\*]login.htm\nor patterns like above URLs,\nwill consider as only ONE valid report because of the same back-end service. Also, vulnerabilities on different \nparams of the same URL is consider as ONE valid report. \n\n### Aliyuncs.com\nFront-end vulnerabilities on aliyuncs.com is not a 'trust' domain in our business. So the XSS, CSRF, Open Redirection etc. are not in scope. But server-end vulnerabilities are in scope.\n\n### Please note that following type vulnerabilities severity will not be assessed higher than Medium severity:\nVulnerabilities that requires user visit certain URL or attacker controlled URL, for example: \n- Reflected XSS\n- Stored XSS that need to visit certain URL or need a user interaction\n- CSRF\n- CORS\n- Jsonp Hijacking\n- OAuth Hijacking\n- Privilege Escalation\n- Unused or abandoned subdomain takeover\n- Arbitrary file upload that only leads to Stored XSS etc.\n\n## Assessment Guidelines for SSRF Vulnerability Severity\nAlibaba has identified four main types of SSRF for its businesses:\n1.SSRF on Production Network Services\n2.Blind SSRF on Production Network Services\n3.SSRF on Cloud Server\n4.Blind SSRF on Cloud Server \n\nPlease note that the severity of SSRFs may range from low to critical. 
We have prepared a document outlining how SSRF issues will be assessed and to give clarity to our researchers: https://security.alibaba.com/announcement/announcement?id=194.\n\n# Out of scope vulnerabilities\nThe following finding types are specifically excluded:\n· Vulnerabilities affecting users of outdated browsers or platforms\n· Account brute force\n· Account takeover via CSRF/OAUTH etc.\n· Self-XSS\n· Flash-based XSS\n· Tabnabbing\n· Email Spoof\n· Session fixation\n· Content Spoofing\n· Missing cookie flags\n· Best practices/issues\n· HTML content injection\n· Mixed content warnings\n· Clickjacking/UI redressing\n· HTTPS/SSL/TLS Related Issues\n· Physical or social engineering attacks\n· Reflected file download attacks (RFD)\n· Issues that require unlikely user interaction\n· Login/logout/unauthenticated/low-impact CSRF\n· Unverified Results of automated tools or scanners\n· No SPF/DMARC in non-email domains/subdomains\n· Attacks requiring MITM or physical access to a user's device\n· Issues related to networking protocols or industry standards\n· Carriage Return Line Feed injection without direct impact (CRLF)\n· Error information disclosure that cannot be used to make a direct attack\n· Missing security-related HTTP headers which do not lead directly to a vulnerability\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\n# Contacting the team\n* Reports: You can communicate with H1 Team and ASRC Team directly under your H1 report.\n* Events \u0026 Info: ASRC will hold events frequently. See: https://security.alibaba.com/online . 
You can also follow our [Twitter](https://twitter.com/asrcsecurity) for updates.\n\nThank you for helping keep Alibaba and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-12-16T02:04:25.647Z"},{"id":3646897,"new_policy":"Dear researchers,\n\nASRC will be holding a special Project Apollo - WAF challenge game beginning 16 December 2020. \n\nWe will set 6 target range websites of SQL and XSS, with WAF defences. If you can successfully bypass the defense we have put up, you will be eligible for a reward, swag and also earn a place in the hall of fame.\n\n## Project Apollo - Challenge Game Period\n**_16th December 2020, 10:00 AM   to  25th December 2020, 11:59 PM (UTC+8)_**\n\n## Rewards\n* $300 / per new \u0026 recognized effective bypass method (ONLY the earliest submission will be rewarded and not the duplicates)\n* 100 game points / per recognized effective bypass method\n* Top 3 players will get an ASRC souvenir package\n\n## Challenge Game instructions\n\n* XSS targets: 3 websites with different language and database\n    1. **Successful Bypass:** Please use the latest Chrome/Firefox Stable version, and successfully execute alert/confirm/prompt in the target domain.\n    2. **Attention:** Execute alert in another domain is not in the scope; get XSS、post XSS and InteractiveXSS are all in the scope.\n\n* SQL targets: 3 websites with different language and database\n    1. **Success Bypass:** A known table name of database will be given, please bypass the defense to read it\n    2. **Attention:** Showing the error code is not a successful bypass\n\nEnvironment: PHP + MySQL, JAVA + Oracle, ASP.NET + MSSQL\n\n## Report submission\n1. Please submit your report named with \"Apollo Challenge - xxxxxxx\"\n2. 
Your OS and browser Versions: Example - Win7 + Chrome 85.0.4188\n3. PoC: Example - xxxxx.com/xxxx?id=alert;a(1)\n4. Sample description: Example - can easily bypass with detection leak of ';'\n5. Screenshot \n\n## Things to note\n1. If one method can be used to bypass all the 3 targets, it will only be considered as one bypass\n2. Please do not disclose your reports without permission.\n\n\n### More details of the Challenge will be updated here on 16 December, 10:00 UTC+8 and we invite you to participate and submit your reports to us.\n\n2020.10.16 10:00 UTC+8 update\n##Project targets: \nPHP + MySQL\nTarget 1:http://game1.aliyundemo.com/demo/xss.php?name=glassy (XSS)\nTarget 2:http://game1.aliyundemo.com/demo/sqli.php?name=glassy (SQLi)\n\nJAVA + Oracle\nTarget 3:http://game2.aliyundemo.com/demo/xss?name=glassy (XSS)\nTarget 4:http://game2.aliyundemo.com/demo/sqli?name=glassy (SQLi)\n\nASP.NET + MSSQL\nTarget 5:http://game3.aliyundemo.com/demo/xss.aspx?name=glassy (XSS)\nTarget 6:http://game3.aliyundemo.com/demo/sqli.aspx?name=glassy (SQLi)\n\nTablename： information_schema.tables \n-------------------------------------------------------------------------------------------\n-------------------------------------------------------------------------------------------\n\nAlibaba BBP looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.\n\n# Response Targets\nAlibaba BBP will make the best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 5 days |\n| Time to Bounty | 2 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Policy\n* As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) 
outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Access\nResearchers are free to create their own seller, buyer, etc., accounts on the in-scope applications. No credentials or privileged access will be provided by Alibaba, so accounts are limited to what users can create on their own.\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n# Scope\nFor the first stage of Alibaba's Bug Bounty Program, only listed targets are in scope. \nOther domains/assets owned by Alibaba but not listed, are not in scope and are ineligible for bounty.\n\nYou may submit reports for assets that are previously listed in [Alibaba Response Program](https://hackerone.com/alibaba_vdp) to the ASRC platform here: https://security.alibaba.com/\nWe may add those assets gradually in the next program phase. Stay tuned for updates!\n\n## _Things to note about the Scope_\n\n### Lazada scope\nLazada has revised the scope and instead now to include ALL Lazada domains. 
In definition, they are:\n*.lazada.com\n*.lazada.sg\n*.lazada.vn\n*.lazada.com.my\n*.lazada.com.ph\n*.lazada.co.id\n*.lazada.co.th\n\n### Please note that if an IP belongs to Alibaba Cloud external customer, it's not in scope.\nIf an IP's description contains 'Alicloud' or 'Aliyun' in the search result here: http://wq.apnic.net/static/search.html , there is a high chance this IP belongs to our external Alibaba Cloud external customer, which is not in scope. But please note that this is only a reference, not a hard and fast rule. If you are not sure and the impact is severe enough, you can submit it, and we will look into your report ASAP. \n\n### sellercenter.taobao.com|.tw\nsellercenter.taobao.com|.tw belongs to Lazada, and it's not in this program's scope now.\n\n### Vulnerabilities in:\n \\*.anydomain.com|cn/[\\*/]login.htm\n \\*.anydomain.com|cn/[\\*/]mini[\\*]login.htm\n \\*.anydomain.com|cn/[\\*/]icbu[\\*]login.htm\nor patterns like above URLs,\nwill consider as only ONE valid report because of the same back-end service. Also, vulnerabilities on different \nparams of the same URL is consider as ONE valid report. \n\n### Aliyuncs.com\nFront-end vulnerabilities on aliyuncs.com is not a 'trust' domain in our business. So the XSS, CSRF, Open Redirection etc. are not in scope. 
But server-end vulnerabilities are in scope.\n\n### Please note that following type vulnerabilities severity will not be assessed higher than Medium severity:\nVulnerabilities that requires user visit certain URL or attacker controlled URL, for example: \n- Reflected XSS\n- Stored XSS that need to visit certain URL or need a user interaction\n- CSRF\n- CORS\n- Jsonp Hijacking\n- OAuth Hijacking\n- Privilege Escalation\n- Unused or abandoned subdomain takeover\n- Arbitrary file upload that only leads to Stored XSS etc.\n\n## Assessment Guidelines for SSRF Vulnerability Severity\nAlibaba has identified four main types of SSRF for its businesses:\n1.SSRF on Production Network Services\n2.Blind SSRF on Production Network Services\n3.SSRF on Cloud Server\n4.Blind SSRF on Cloud Server \n\nPlease note that the severity of SSRFs may range from low to critical. We have prepared a document outlining how SSRF issues will be assessed and to give clarity to our researchers: https://security.alibaba.com/announcement/announcement?id=194.\n\n# Out of scope vulnerabilities\nThe following finding types are specifically excluded:\n· Vulnerabilities affecting users of outdated browsers or platforms\n· Account brute force\n· Account takeover via CSRF/OAUTH etc.\n· Self-XSS\n· Flash-based XSS\n· Tabnabbing\n· Email Spoof\n· Session fixation\n· Content Spoofing\n· Missing cookie flags\n· Best practices/issues\n· HTML content injection\n· Mixed content warnings\n· Clickjacking/UI redressing\n· HTTPS/SSL/TLS Related Issues\n· Physical or social engineering attacks\n· Reflected file download attacks (RFD)\n· Issues that require unlikely user interaction\n· Login/logout/unauthenticated/low-impact CSRF\n· Unverified Results of automated tools or scanners\n· No SPF/DMARC in non-email domains/subdomains\n· Attacks requiring MITM or physical access to a user's device\n· Issues related to networking protocols or industry standards\n· Carriage Return Line Feed injection without direct impact 
(CRLF)\n· Error information disclosure that cannot be used to make a direct attack\n· Missing security-related HTTP headers which do not lead directly to a vulnerability\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\n# Contacting the team\n* Reports: You can communicate with H1 Team and ASRC Team directly under your H1 report.\n* Events \u0026 Info: ASRC will hold events frequently. See: https://security.alibaba.com/online . You can also follow our [Twitter](https://twitter.com/asrcsecurity) for updates.\n\nThank you for helping keep Alibaba and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-12-16T02:03:23.132Z"},{"id":3646896,"new_policy":"Dear researchers,\n\nASRC will be holding a special Project Apollo - WAF challenge game beginning 16 December 2020. \n\nWe will set 6 target range websites of SQL and XSS, with WAF defences. 
If you can successfully bypass the defense we have put up, you will be eligible for a reward, swag and also earn a place in the hall of fame.\n\n## Project Apollo - Challenge Game Period\n**_16th December 2020, 10:00 AM   to  25th December 2020, 11:59 PM (UTC+8)_**\n\n## Rewards\n* $300 / per new \u0026 recognized effective bypass method (ONLY the earliest submission will be rewarded and not the duplicates)\n* 100 game points / per recognized effective bypass method\n* Top 3 players will get an ASRC souvenir package\n\n## Challenge Game instructions\n\n* XSS targets: 3 websites with different language and database\n    1. **Successful Bypass:** Please use the latest Chrome/Firefox Stable version, and successfully execute alert/confirm/prompt in the target domain.\n    2. **Attention:** Execute alert in another domain is not in the scope; get XSS、post XSS and InteractiveXSS are all in the scope.\n\n* SQL targets: 3 websites with different language and database\n    1. **Success Bypass:** A known table name of database will be given, please bypass the defense to read it\n    2. **Attention:** Showing the error code is not a successful bypass\n\nEnvironment: PHP + MySQL, JAVA + Oracle, ASP.NET + MSSQL\n\n## Report submission\n1. Please submit your report named with \"Apollo Challenge - xxxxxxx\"\n2. Your OS and browser Versions: Example - Win7 + Chrome 85.0.4188\n3. PoC: Example - xxxxx.com/xxxx?id=alert;a(1)\n4. Sample description: Example - can easily bypass with detection leak of ';'\n5. Screenshot \n\n## Things to note\n1. If one method can be used to bypass all the 3 targets, it will only be considered as one bypass\n2. 
Please do not disclose your reports without permission.\n\n\n### More details of the Challenge will be updated here on 16 December, 10:00 UTC+8 and we invite you to participate and submit your reports to us.\n\n2020.10.16 10:00 UTC+8 update\n##Project targets: \nPHP + MySQL\nTarget 1:http://game1.aliyundemo.com/demo/xss.php?name=glassy (XSS)\nTarget 2:http://game1.aliyundemo.com/demo/sqli.php?name=glassy (SQLi)\n\nJAVA + Oracle\nTarget 3:http://game2.aliyundemo.com/demo/xss?name=glassy (XSS)\nTarget 4:http://game2.aliyundemo.com/demo/sqli?name=glassy (SQLi)\n\nASP.NET + MSSQL\nTarget 5:http://game3.aliyundemo.com/demo/xss.aspx?name=glassy (XSS)\nTarget 6:http://game3.aliyundemo.com/demo/sqli.aspx?name=glassy (SQLi)\n-------------------------------------------------------------------------------------------\n\nAlibaba BBP looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.\n\n# Response Targets\nAlibaba BBP will make the best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 5 days |\n| Time to Bounty | 2 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Policy\n* As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Access\nResearchers are free to create their own seller, buyer, etc., accounts on the in-scope applications. 
No credentials or privileged access will be provided by Alibaba, so accounts are limited to what users can create on their own.\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n# Scope\nFor the first stage of Alibaba's Bug Bounty Program, only listed targets are in scope. \nOther domains/assets owned by Alibaba but not listed, are not in scope and are ineligible for bounty.\n\nYou may submit reports for assets that are previously listed in [Alibaba Response Program](https://hackerone.com/alibaba_vdp) to the ASRC platform here: https://security.alibaba.com/\nWe may add those assets gradually in the next program phase. Stay tuned for updates!\n\n## _Things to note about the Scope_\n\n### Lazada scope\nLazada has revised the scope and instead now to include ALL Lazada domains. In definition, they are:\n*.lazada.com\n*.lazada.sg\n*.lazada.vn\n*.lazada.com.my\n*.lazada.com.ph\n*.lazada.co.id\n*.lazada.co.th\n\n### Please note that if an IP belongs to Alibaba Cloud external customer, it's not in scope.\nIf an IP's description contains 'Alicloud' or 'Aliyun' in the search result here: http://wq.apnic.net/static/search.html , there is a high chance this IP belongs to our external Alibaba Cloud external customer, which is not in scope. 
But please note that this is only a reference, not a hard and fast rule. If you are not sure and the impact is severe enough, you can submit it, and we will look into your report ASAP. \n\n### sellercenter.taobao.com|.tw\nsellercenter.taobao.com|.tw belongs to Lazada, and it's not in this program's scope now.\n\n### Vulnerabilities in:\n \\*.anydomain.com|cn/[\\*/]login.htm\n \\*.anydomain.com|cn/[\\*/]mini[\\*]login.htm\n \\*.anydomain.com|cn/[\\*/]icbu[\\*]login.htm\nor patterns like above URLs,\nwill consider as only ONE valid report because of the same back-end service. Also, vulnerabilities on different \nparams of the same URL is consider as ONE valid report. \n\n### Aliyuncs.com\nFront-end vulnerabilities on aliyuncs.com is not a 'trust' domain in our business. So the XSS, CSRF, Open Redirection etc. are not in scope. But server-end vulnerabilities are in scope.\n\n### Please note that following type vulnerabilities severity will not be assessed higher than Medium severity:\nVulnerabilities that requires user visit certain URL or attacker controlled URL, for example: \n- Reflected XSS\n- Stored XSS that need to visit certain URL or need a user interaction\n- CSRF\n- CORS\n- Jsonp Hijacking\n- OAuth Hijacking\n- Privilege Escalation\n- Unused or abandoned subdomain takeover\n- Arbitrary file upload that only leads to Stored XSS etc.\n\n## Assessment Guidelines for SSRF Vulnerability Severity\nAlibaba has identified four main types of SSRF for its businesses:\n1.SSRF on Production Network Services\n2.Blind SSRF on Production Network Services\n3.SSRF on Cloud Server\n4.Blind SSRF on Cloud Server \n\nPlease note that the severity of SSRFs may range from low to critical. 
We have prepared a document outlining how SSRF issues will be assessed and to give clarity to our researchers: https://security.alibaba.com/announcement/announcement?id=194.\n\n# Out of scope vulnerabilities\nThe following finding types are specifically excluded:\n· Vulnerabilities affecting users of outdated browsers or platforms\n· Account brute force\n· Account takeover via CSRF/OAUTH etc.\n· Self-XSS\n· Flash-based XSS\n· Tabnabbing\n· Email Spoof\n· Session fixation\n· Content Spoofing\n· Missing cookie flags\n· Best practices/issues\n· HTML content injection\n· Mixed content warnings\n· Clickjacking/UI redressing\n· HTTPS/SSL/TLS Related Issues\n· Physical or social engineering attacks\n· Reflected file download attacks (RFD)\n· Issues that require unlikely user interaction\n· Login/logout/unauthenticated/low-impact CSRF\n· Unverified Results of automated tools or scanners\n· No SPF/DMARC in non-email domains/subdomains\n· Attacks requiring MITM or physical access to a user's device\n· Issues related to networking protocols or industry standards\n· Carriage Return Line Feed injection without direct impact (CRLF)\n· Error information disclosure that cannot be used to make a direct attack\n· Missing security-related HTTP headers which do not lead directly to a vulnerability\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\n# Contacting the team\n* Reports: You can communicate with H1 Team and ASRC Team directly under your H1 report.\n* Events \u0026 Info: ASRC will hold events frequently. See: https://security.alibaba.com/online . 
You can also follow our [Twitter](https://twitter.com/asrcsecurity) for updates.\n\nThank you for helping keep Alibaba and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-12-16T02:00:17.115Z"},{"id":3646859,"new_policy":"Dear researchers,\n\nASRC will be holding a special Project Apollo - WAF challenge game beginning 16 December 2020. \n\nWe will set 6 target range websites of SQL and XSS, with WAF defences. If you can successfully bypass the defense we have put up, you will be eligible for a reward, swag and also earn a place in the hall of fame.\n\n## Project Apollo - Challenge Game Period\n**_16th December 2020, 10:00 AM   to  25th December 2020, 11:59 PM (UTC+8)_**\n\n## Rewards\n* $300 / per new \u0026 recognized effective bypass method (ONLY the earliest submission will be rewarded and not the duplicates)\n* 100 game points / per recognized effective bypass method\n* Top 3 players will get an ASRC souvenir package\n\n## Challenge Game instructions\n\n* XSS targets: 3 websites with different language and database\n    1. **Successful Bypass:** Please use the latest Chrome/Firefox Stable version, and successfully execute alert/confirm/prompt in the target domain.\n    2. **Attention:** Execute alert in another domain is not in the scope; get XSS、post XSS and InteractiveXSS are all in the scope.\n\n* SQL targets: 3 websites with different language and database\n    1. **Success Bypass:** A known table name of database will be given, please bypass the defense to read it\n    2. **Attention:** Showing the error code is not a successful bypass\n\nEnvironment: PHP + MySQL, JAVA + Oracle, ASP.NET + MSSQL\n\n## Report submission\n1. Please submit your report named with \"Apollo Challenge - xxxxxxx\"\n2. 
Your OS and browser Versions: Example - Win7 + Chrome 85.0.4188\n3. PoC: Example - xxxxx.com/xxxx?id=alert;a(1)\n4. Sample description: Example - can easily bypass with detection leak of ';'\n5. Screenshot \n\n## Things to note\n1. If one method can be used to bypass all the 3 targets, it will only be considered as one bypass\n2. Please do not disclose your reports without permission.\n\n\n### More details of the Challenge will be updated here on 16 December, 10:00 UTC+8 and we invite you to participate and submit your reports to us.\n\n-------------------------------------------------------------------------------------------\n-------------------------------------------------------------------------------------------\n\nAlibaba BBP looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.\n\n# Response Targets\nAlibaba BBP will make the best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 5 days |\n| Time to Bounty | 2 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Policy\n* As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Access\nResearchers are free to create their own seller, buyer, etc., accounts on the in-scope applications. No credentials or privileged access will be provided by Alibaba, so accounts are limited to what users can create on their own.\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. 
If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n# Scope\nFor the first stage of Alibaba's Bug Bounty Program, only listed targets are in scope. \nOther domains/assets owned by Alibaba but not listed, are not in scope and are ineligible for bounty.\n\nYou may submit reports for assets that are previously listed in [Alibaba Response Program](https://hackerone.com/alibaba_vdp) to the ASRC platform here: https://security.alibaba.com/\nWe may add those assets gradually in the next program phase. Stay tuned for updates!\n\n## _Things to note about the Scope_\n\n### Lazada scope\nLazada has revised the scope and instead now to include ALL Lazada domains. In definition, they are:\n*.lazada.com\n*.lazada.sg\n*.lazada.vn\n*.lazada.com.my\n*.lazada.com.ph\n*.lazada.co.id\n*.lazada.co.th\n\n### Please note that if an IP belongs to Alibaba Cloud external customer, it's not in scope.\nIf an IP's description contains 'Alicloud' or 'Aliyun' in the search result here: http://wq.apnic.net/static/search.html , there is a high chance this IP belongs to our external Alibaba Cloud external customer, which is not in scope. But please note that this is only a reference, not a hard and fast rule. If you are not sure and the impact is severe enough, you can submit it, and we will look into your report ASAP. 
\n\n### sellercenter.taobao.com|.tw\nsellercenter.taobao.com|.tw belongs to Lazada, and it's not in this program's scope now.\n\n### Vulnerabilities in:\n \\*.anydomain.com|cn/[\\*/]login.htm\n \\*.anydomain.com|cn/[\\*/]mini[\\*]login.htm\n \\*.anydomain.com|cn/[\\*/]icbu[\\*]login.htm\nor patterns like above URLs,\nwill consider as only ONE valid report because of the same back-end service. Also, vulnerabilities on different \nparams of the same URL is consider as ONE valid report. \n\n### Aliyuncs.com\nFront-end vulnerabilities on aliyuncs.com is not a 'trust' domain in our business. So the XSS, CSRF, Open Redirection etc. are not in scope. But server-end vulnerabilities are in scope.\n\n### Please note that following type vulnerabilities severity will not be assessed higher than Medium severity:\nVulnerabilities that requires user visit certain URL or attacker controlled URL, for example: \n- Reflected XSS\n- Stored XSS that need to visit certain URL or need a user interaction\n- CSRF\n- CORS\n- Jsonp Hijacking\n- OAuth Hijacking\n- Privilege Escalation\n- Unused or abandoned subdomain takeover\n- Arbitrary file upload that only leads to Stored XSS etc.\n\n## Assessment Guidelines for SSRF Vulnerability Severity\nAlibaba has identified four main types of SSRF for its businesses:\n1.SSRF on Production Network Services\n2.Blind SSRF on Production Network Services\n3.SSRF on Cloud Server\n4.Blind SSRF on Cloud Server \n\nPlease note that the severity of SSRFs may range from low to critical. 
We have prepared a document outlining how SSRF issues will be assessed and to give clarity to our researchers: https://security.alibaba.com/announcement/announcement?id=194.\n\n# Out of scope vulnerabilities\nThe following finding types are specifically excluded:\n· Vulnerabilities affecting users of outdated browsers or platforms\n· Account brute force\n· Account takeover via CSRF/OAUTH etc.\n· Self-XSS\n· Flash-based XSS\n· Tabnabbing\n· Email Spoof\n· Session fixation\n· Content Spoofing\n· Missing cookie flags\n· Best practices/issues\n· HTML content injection\n· Mixed content warnings\n· Clickjacking/UI redressing\n· HTTPS/SSL/TLS Related Issues\n· Physical or social engineering attacks\n· Reflected file download attacks (RFD)\n· Issues that require unlikely user interaction\n· Login/logout/unauthenticated/low-impact CSRF\n· Unverified Results of automated tools or scanners\n· No SPF/DMARC in non-email domains/subdomains\n· Attacks requiring MITM or physical access to a user's device\n· Issues related to networking protocols or industry standards\n· Carriage Return Line Feed injection without direct impact (CRLF)\n· Error information disclosure that cannot be used to make a direct attack\n· Missing security-related HTTP headers which do not lead directly to a vulnerability\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\n# Contacting the team\n* Reports: You can communicate with H1 Team and ASRC Team directly under your H1 report.\n* Events \u0026 Info: ASRC will hold events frequently. See: https://security.alibaba.com/online . 
You can also follow our [Twitter](https://twitter.com/asrcsecurity) for updates.\n\nThank you for helping keep Alibaba and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-12-15T11:19:46.578Z"},{"id":3646858,"new_policy":"Dear researchers,\n\nASRC will be holding a special Project Apollo - WAF challenge game beginning 16 December 2020. \n\nWe will set 6 target range websites of SQL and XSS, with WAF defences. If you can successfully bypass the defense we have put up, you will be eligible for a reward, swag and also earn a place in the hall of fame.\n\n## Project Apollo - Challenge Game Period\n**_16th December 2020, 10:00 AM   to 11:59 PM, 25th December. 2020(UTC+8)_**\n\n## Rewards\n* $300 / per new \u0026 recognized effective bypass method (ONLY the earliest submission will be rewarded and not the duplicates)\n* 100 game points / per recognized effective bypass method\n* Top 3 players will get an ASRC souvenir package\n\n## Challenge Game instructions\n\n* XSS targets: 3 websites with different language and database\n    1. **Successful Bypass:** Please use the latest Chrome/Firefox Stable version, and successfully execute alert/confirm/prompt in the target domain.\n    2. **Attention:** Execute alert in another domain is not in the scope; get XSS、post XSS and InteractiveXSS are all in the scope.\n\n* SQL targets: 3 websites with different language and database\n    1. **Success Bypass:** A known table name of database will be given, please bypass the defense to read it\n    2. **Attention:** Showing the error code is not a successful bypass\n\nEnvironment: PHP + MySQL, JAVA + Oracle, ASP.NET + MSSQL\n\n## Report submission\n1. Please submit your report named with \"Apollo Challenge - xxxxxxx\"\n2. 
Your OS and browser Versions: Example - Win7 + Chrome 85.0.4188\n3. PoC: Example - xxxxx.com/xxxx?id=alert;a(1)\n4. Sample description: Example - can easily bypass with detection leak of ';'\n5. Screenshot \n\n## Things to note\n1. If one method can be used to bypass all the 3 targets, it will only be considered as one bypass\n2. Please do not disclose your reports without permission.\n\n\n### More details of the Challenge will be updated here on 16 December, 10:00 UTC+8 and we invite you to participate and submit your reports to us.\n\n-------------------------------------------------------------------------------------------\n-------------------------------------------------------------------------------------------\n\nAlibaba BBP looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.\n\n# Response Targets\nAlibaba BBP will make the best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 5 days |\n| Time to Bounty | 2 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Policy\n* As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Access\nResearchers are free to create their own seller, buyer, etc., accounts on the in-scope applications. No credentials or privileged access will be provided by Alibaba, so accounts are limited to what users can create on their own.\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. 
If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n# Scope\nFor the first stage of Alibaba's Bug Bounty Program, only listed targets are in scope. \nOther domains/assets owned by Alibaba but not listed, are not in scope and are ineligible for bounty.\n\nYou may submit reports for assets that are previously listed in [Alibaba Response Program](https://hackerone.com/alibaba_vdp) to the ASRC platform here: https://security.alibaba.com/\nWe may add those assets gradually in the next program phase. Stay tuned for updates!\n\n## _Things to note about the Scope_\n\n### Lazada scope\nLazada has revised the scope and instead now to include ALL Lazada domains. In definition, they are:\n*.lazada.com\n*.lazada.sg\n*.lazada.vn\n*.lazada.com.my\n*.lazada.com.ph\n*.lazada.co.id\n*.lazada.co.th\n\n### Please note that if an IP belongs to Alibaba Cloud external customer, it's not in scope.\nIf an IP's description contains 'Alicloud' or 'Aliyun' in the search result here: http://wq.apnic.net/static/search.html , there is a high chance this IP belongs to our external Alibaba Cloud external customer, which is not in scope. But please note that this is only a reference, not a hard and fast rule. If you are not sure and the impact is severe enough, you can submit it, and we will look into your report ASAP. 
\n\n### sellercenter.taobao.com|.tw\nsellercenter.taobao.com|.tw belongs to Lazada, and it's not in this program's scope now.\n\n### Vulnerabilities in:\n \\*.anydomain.com|cn/[\\*/]login.htm\n \\*.anydomain.com|cn/[\\*/]mini[\\*]login.htm\n \\*.anydomain.com|cn/[\\*/]icbu[\\*]login.htm\nor patterns like above URLs,\nwill consider as only ONE valid report because of the same back-end service. Also, vulnerabilities on different \nparams of the same URL is consider as ONE valid report. \n\n### Aliyuncs.com\nFront-end vulnerabilities on aliyuncs.com is not a 'trust' domain in our business. So the XSS, CSRF, Open Redirection etc. are not in scope. But server-end vulnerabilities are in scope.\n\n### Please note that following type vulnerabilities severity will not be assessed higher than Medium severity:\nVulnerabilities that requires user visit certain URL or attacker controlled URL, for example: \n- Reflected XSS\n- Stored XSS that need to visit certain URL or need a user interaction\n- CSRF\n- CORS\n- Jsonp Hijacking\n- OAuth Hijacking\n- Privilege Escalation\n- Unused or abandoned subdomain takeover\n- Arbitrary file upload that only leads to Stored XSS etc.\n\n## Assessment Guidelines for SSRF Vulnerability Severity\nAlibaba has identified four main types of SSRF for its businesses:\n1.SSRF on Production Network Services\n2.Blind SSRF on Production Network Services\n3.SSRF on Cloud Server\n4.Blind SSRF on Cloud Server \n\nPlease note that the severity of SSRFs may range from low to critical. 
We have prepared a document outlining how SSRF issues will be assessed and to give clarity to our researchers: https://security.alibaba.com/announcement/announcement?id=194.\n\n# Out of scope vulnerabilities\nThe following finding types are specifically excluded:\n· Vulnerabilities affecting users of outdated browsers or platforms\n· Account brute force\n· Account takeover via CSRF/OAUTH etc.\n· Self-XSS\n· Flash-based XSS\n· Tabnabbing\n· Email Spoof\n· Session fixation\n· Content Spoofing\n· Missing cookie flags\n· Best practices/issues\n· HTML content injection\n· Mixed content warnings\n· Clickjacking/UI redressing\n· HTTPS/SSL/TLS Related Issues\n· Physical or social engineering attacks\n· Reflected file download attacks (RFD)\n· Issues that require unlikely user interaction\n· Login/logout/unauthenticated/low-impact CSRF\n· Unverified Results of automated tools or scanners\n· No SPF/DMARC in non-email domains/subdomains\n· Attacks requiring MITM or physical access to a user's device\n· Issues related to networking protocols or industry standards\n· Carriage Return Line Feed injection without direct impact (CRLF)\n· Error information disclosure that cannot be used to make a direct attack\n· Missing security-related HTTP headers which do not lead directly to a vulnerability\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\n# Contacting the team\n* Reports: You can communicate with H1 Team and ASRC Team directly under your H1 report.\n* Events \u0026 Info: ASRC will hold events frequently. See: https://security.alibaba.com/online . 
You can also follow our [Twitter](https://twitter.com/asrcsecurity) for updates.\n\nThank you for helping keep Alibaba and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-12-15T11:13:08.967Z"},{"id":3646857,"new_policy":"Dear researchers,\n\nASRC will hold Project Apollo - WAF challenge game at 2020.12.16.\n\nWe will set 6 target range websites of SQL and XSS, with WAF defences. If you can successfully bypass the defence, you can get reward and swag!  We will also show the hall of fame.\n\n## Time Schedule\nChallenging: 10:00 AM, 16th Dec. ~ 11:59 PM, 25th Dec. 2020 (UTC+8)\n\n## Reward\n• $300 / per new \u0026 recognized effective bypass method（ONLY the earliest submission will be rewarded for the same methods）\n• 100 game points / per recognized effective bypass method; Top 3 players will get an ASRC souvenir package.\n\n## Rules\n• XSS targets: 3 websites with different language and database\n1. Successful Bypass: \nPlease use the latest Chrome/Firefox Stable version, and successfully execute alert/confirm/prompt in the target domain.\n2. Attention:\nExecute alert in another domain is not in the scope; get xss、post xss and Interactive xss are all in the scope.\n\n• SQL targets: 3 websites with different language and database\n1.Success Bypass: \na known table name of database will be given, and please bypass the denfence to read it\n2.Attention: \nShowing the error code is not successful bypass\n\nEnvironment: PHP + MySQL, JAVA + Oracle, ASP.NET + MSSQL\n\n## Report\n1. Please submit your report named with \"Apollo - xxxxxxx\"\n2. Your OS and browser Versions: example - Win7 + Chrome 85.0.4188\n3. PoC: example - xxxxx.com/xxxx?id=alert;a(1)\n4. 
Sample description: example - can easily bypass with detection leak of ';'\n5. Screen shot \n\n## Other Attentions\n1. If one method can be used to bypass all the 3 targets, that will be counted as one \n2. Please do not disclose your reports, we will invite sharing then\n\nThe detail targets will be showed at 12.16 when the game begins.\nWe will update the detail here at 2020.12.16 10:00 UTC+8\n-------------------------------------------------------------------------------------------\n-------------------------------------------------------------------------------------------\n\nAlibaba BBP looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.\n\n# Response Targets\nAlibaba BBP will make the best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 5 days |\n| Time to Bounty | 2 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Policy\n* As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Access\nResearchers are free to create their own seller, buyer, etc., accounts on the in-scope applications. No credentials or privileged access will be provided by Alibaba, so accounts are limited to what users can create on their own.\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. 
If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n# Scope\nFor the first stage of Alibaba's Bug Bounty Program, only listed targets are in scope. \nOther domains/assets owned by Alibaba but not listed, are not in scope and are ineligible for bounty.\n\nYou may submit reports for assets that are previously listed in [Alibaba Response Program](https://hackerone.com/alibaba_vdp) to the ASRC platform here: https://security.alibaba.com/\nWe may add those assets gradually in the next program phase. Stay tuned for updates!\n\n## _Things to note about the Scope_\n\n### Lazada scope\nLazada has revised the scope and instead now to include ALL Lazada domains. In definition, they are:\n*.lazada.com\n*.lazada.sg\n*.lazada.vn\n*.lazada.com.my\n*.lazada.com.ph\n*.lazada.co.id\n*.lazada.co.th\n\n### Please note that if an IP belongs to Alibaba Cloud external customer, it's not in scope.\nIf an IP's description contains 'Alicloud' or 'Aliyun' in the search result here: http://wq.apnic.net/static/search.html , there is a high chance this IP belongs to our external Alibaba Cloud external customer, which is not in scope. But please note that this is only a reference, not a hard and fast rule. If you are not sure and the impact is severe enough, you can submit it, and we will look into your report ASAP. 
\n\n### sellercenter.taobao.com|.tw\nsellercenter.taobao.com|.tw belongs to Lazada, and it's not in this program's scope now.\n\n### Vulnerabilities in:\n \\*.anydomain.com|cn/[\\*/]login.htm\n \\*.anydomain.com|cn/[\\*/]mini[\\*]login.htm\n \\*.anydomain.com|cn/[\\*/]icbu[\\*]login.htm\nor patterns like above URLs,\nwill consider as only ONE valid report because of the same back-end service. Also, vulnerabilities on different \nparams of the same URL is consider as ONE valid report. \n\n### Aliyuncs.com\nFront-end vulnerabilities on aliyuncs.com is not a 'trust' domain in our business. So the XSS, CSRF, Open Redirection etc. are not in scope. But server-end vulnerabilities are in scope.\n\n### Please note that following type vulnerabilities severity will not be assessed higher than Medium severity:\nVulnerabilities that requires user visit certain URL or attacker controlled URL, for example: \n- Reflected XSS\n- Stored XSS that need to visit certain URL or need a user interaction\n- CSRF\n- CORS\n- Jsonp Hijacking\n- OAuth Hijacking\n- Privilege Escalation\n- Unused or abandoned subdomain takeover\n- Arbitrary file upload that only leads to Stored XSS etc.\n\n## Assessment Guidelines for SSRF Vulnerability Severity\nAlibaba has identified four main types of SSRF for its businesses:\n1.SSRF on Production Network Services\n2.Blind SSRF on Production Network Services\n3.SSRF on Cloud Server\n4.Blind SSRF on Cloud Server \n\nPlease note that the severity of SSRFs may range from low to critical. 
We have prepared a document outlining how SSRF issues will be assessed and to give clarity to our researchers: https://security.alibaba.com/announcement/announcement?id=194.\n\n# Out of scope vulnerabilities\nThe following finding types are specifically excluded:\n· Vulnerabilities affecting users of outdated browsers or platforms\n· Account brute force\n· Account takeover via CSRF/OAUTH etc.\n· Self-XSS\n· Flash-based XSS\n· Tabnabbing\n· Email Spoof\n· Session fixation\n· Content Spoofing\n· Missing cookie flags\n· Best practices/issues\n· HTML content injection\n· Mixed content warnings\n· Clickjacking/UI redressing\n· HTTPS/SSL/TLS Related Issues\n· Physical or social engineering attacks\n· Reflected file download attacks (RFD)\n· Issues that require unlikely user interaction\n· Login/logout/unauthenticated/low-impact CSRF\n· Unverified Results of automated tools or scanners\n· No SPF/DMARC in non-email domains/subdomains\n· Attacks requiring MITM or physical access to a user's device\n· Issues related to networking protocols or industry standards\n· Carriage Return Line Feed injection without direct impact (CRLF)\n· Error information disclosure that cannot be used to make a direct attack\n· Missing security-related HTTP headers which do not lead directly to a vulnerability\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\n# Contacting the team\n* Reports: You can communicate with H1 Team and ASRC Team directly under your H1 report.\n* Events \u0026 Info: ASRC will hold events frequently. See: https://security.alibaba.com/online . 
You can also follow our [Twitter](https://twitter.com/asrcsecurity) for updates.\n\nThank you for helping keep Alibaba and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-12-15T10:20:23.785Z"},{"id":3646856,"new_policy":"Dear researchers,\n\nASRC will hold Project Apollo - WAF challenge game at 2020.12.16.\n\nWe will set 6 target range websites of SQL and XSS, with WAF defences. If you can successfully bypass the defence, you can get reward and swag!  We will also show the hall of fame.\n\n\u003c Reward \u003e\n• $300 / per new \u0026 recognized effective bypass method（ONLY the earliest submission will be rewarded for the same methods）\n• 100 game points / per recognized effective bypass method; Top 3 players will get an ASRC souvenir package.\n\n\u003c Rules \u003e\n• XSS targets: 3 websites with different language and database\n1. Successful Bypass: \nPlease use the latest Chrome/Firefox Stable version, and successfully execute alert/confirm/prompt in the target domain.\n2. Attention:\nExecute alert in another domain is not in the scope; get xss、post xss and Interactive xss are all in the scope.\n\n• SQL targets: 3 websites with different language and database\n1.Success Bypass: \na known table name of database will be given, and please bypass the denfence to read it\n2.Attention: \nShowing the error code is not successful bypass\n\nEnvironment: PHP + MySQL, JAVA + Oracle, ASP.NET + MSSQL\n\n\u003cReport\u003e\n1. Please submit your report named with \"Apollo - xxxxxxx\"\n2. Your OS and browser Versions: example - Win7 + Chrome 85.0.4188\n3. PoC: example - xxxxx.com/xxxx?id=alert;a(1)\n4. Sample description: example - can easily bypass with detection leak of ';'\n5. 
Screen shot \n\n\u003cOther Attentions\u003e\n1. If one method can be used to bypass all the 3 targets, that will be counted as one \n2. Please do not disclose your reports, we will invite sharing then\n\nThe detail targets will be showed at 12.16 when the game begins.\nWe will update the detail here at 2020.12.16 10:00 UTC+8\n-------------------------------------------------------------------------------------------\n-------------------------------------------------------------------------------------------\n\nAlibaba BBP looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.\n\n# Response Targets\nAlibaba BBP will make the best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 5 days |\n| Time to Bounty | 2 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Policy\n* As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Access\nResearchers are free to create their own seller, buyer, etc., accounts on the in-scope applications. No credentials or privileged access will be provided by Alibaba, so accounts are limited to what users can create on their own.\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. 
If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n# Scope\nFor the first stage of Alibaba's Bug Bounty Program, only listed targets are in scope. \nOther domains/assets owned by Alibaba but not listed, are not in scope and are ineligible for bounty.\n\nYou may submit reports for assets that are previously listed in [Alibaba Response Program](https://hackerone.com/alibaba_vdp) to the ASRC platform here: https://security.alibaba.com/\nWe may add those assets gradually in the next program phase. Stay tuned for updates!\n\n## _Things to note about the Scope_\n\n### Lazada scope\nLazada has revised the scope and instead now to include ALL Lazada domains. In definition, they are:\n*.lazada.com\n*.lazada.sg\n*.lazada.vn\n*.lazada.com.my\n*.lazada.com.ph\n*.lazada.co.id\n*.lazada.co.th\n\n### Please note that if an IP belongs to Alibaba Cloud external customer, it's not in scope.\nIf an IP's description contains 'Alicloud' or 'Aliyun' in the search result here: http://wq.apnic.net/static/search.html , there is a high chance this IP belongs to our external Alibaba Cloud external customer, which is not in scope. But please note that this is only a reference, not a hard and fast rule. If you are not sure and the impact is severe enough, you can submit it, and we will look into your report ASAP. 
\n\n### sellercenter.taobao.com|.tw\nsellercenter.taobao.com|.tw belongs to Lazada, and it's not in this program's scope now.\n\n### Vulnerabilities in:\n \\*.anydomain.com|cn/[\\*/]login.htm\n \\*.anydomain.com|cn/[\\*/]mini[\\*]login.htm\n \\*.anydomain.com|cn/[\\*/]icbu[\\*]login.htm\nor patterns like above URLs,\nwill consider as only ONE valid report because of the same back-end service. Also, vulnerabilities on different \nparams of the same URL is consider as ONE valid report. \n\n### Aliyuncs.com\nFront-end vulnerabilities on aliyuncs.com is not a 'trust' domain in our business. So the XSS, CSRF, Open Redirection etc. are not in scope. But server-end vulnerabilities are in scope.\n\n### Please note that following type vulnerabilities severity will not be assessed higher than Medium severity:\nVulnerabilities that requires user visit certain URL or attacker controlled URL, for example: \n- Reflected XSS\n- Stored XSS that need to visit certain URL or need a user interaction\n- CSRF\n- CORS\n- Jsonp Hijacking\n- OAuth Hijacking\n- Privilege Escalation\n- Unused or abandoned subdomain takeover\n- Arbitrary file upload that only leads to Stored XSS etc.\n\n## Assessment Guidelines for SSRF Vulnerability Severity\nAlibaba has identified four main types of SSRF for its businesses:\n1.SSRF on Production Network Services\n2.Blind SSRF on Production Network Services\n3.SSRF on Cloud Server\n4.Blind SSRF on Cloud Server \n\nPlease note that the severity of SSRFs may range from low to critical. 
We have prepared a document outlining how SSRF issues will be assessed and to give clarity to our researchers: https://security.alibaba.com/announcement/announcement?id=194.\n\n# Out of scope vulnerabilities\nThe following finding types are specifically excluded:\n· Vulnerabilities affecting users of outdated browsers or platforms\n· Account brute force\n· Account takeover via CSRF/OAUTH etc.\n· Self-XSS\n· Flash-based XSS\n· Tabnabbing\n· Email Spoof\n· Session fixation\n· Content Spoofing\n· Missing cookie flags\n· Best practices/issues\n· HTML content injection\n· Mixed content warnings\n· Clickjacking/UI redressing\n· HTTPS/SSL/TLS Related Issues\n· Physical or social engineering attacks\n· Reflected file download attacks (RFD)\n· Issues that require unlikely user interaction\n· Login/logout/unauthenticated/low-impact CSRF\n· Unverified Results of automated tools or scanners\n· No SPF/DMARC in non-email domains/subdomains\n· Attacks requiring MITM or physical access to a user's device\n· Issues related to networking protocols or industry standards\n· Carriage Return Line Feed injection without direct impact (CRLF)\n· Error information disclosure that cannot be used to make a direct attack\n· Missing security-related HTTP headers which do not lead directly to a vulnerability\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\n# Contacting the team\n* Reports: You can communicate with H1 Team and ASRC Team directly under your H1 report.\n* Events \u0026 Info: ASRC will hold events frequently. See: https://security.alibaba.com/online . 
You can also follow our [Twitter](https://twitter.com/asrcsecurity) for updates.\n\nThank you for helping keep Alibaba and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-12-15T07:47:08.064Z"},{"id":3646797,"new_policy":"Dear researchers,\n\nASRC will hold Program Apollo - WAF challenge game at 2020.12.16.\n\nWe will set 6 target range websites of SQL and XSS, with WAF defences. If you can successfully bypass the defence, you can get reward and swag!  We will also show the hall of fame.\n\nIf you could successfully bypass the defence, you can get reward and swag! We will show the hall of fame.\n\n\u003c Reward \u003e\n• $300 / per new \u0026 recognized effective bypass method\n• 100 game points / per recognized effective bypass method; Top 3 players will get an ASRC souvenir package.\n\n\u003c Rules \u003e\n• XSS targets: 3 websites with different language and database\n1. Successful Bypass: \nPlease use the latest Chrome/Firefox Stable version, and successfully execute alert/confirm/prompt in the target domain.\n2. Attention:\nExecute alert in another domain is not in the scope; get xss、post xss and Interactive xss are all in the scope.\n\n• SQL targets: 3 websites with different language and database\n1.Success Bypass: \na known table name of database will be given, and please bypass the denfence to read it\n2.Attention: \nShowing the error code is not successful bypass\n\n\u003cReport\u003e\n1. Please submit your report named with \"Apollo - xxxxxxx\"\n2. Your Version: example - Win7 + Chrome 85.0.4188\n3. PoC: example - xxxxx.com/xxxx?id=alert;a(1)\n4. Sample description: example - can easily bypass with detection leak of ';'\n5. Screen shot \n\n\u003cOther Attentions\u003e\n1. 
If one method can be used to bypass all the 3 targets, that will be counted as one \n2. Please do not disclose your reports, we will invite sharing then\n3. If you can not successfully submit the report, you can also send your report to email security#service.alibaba.com . \n\nThe detail targets will be showed at 12.16 when the game begins.\nFor more details, please join the game at:  https://security.alibaba.com/online/detail?type=1\u0026id=83\u0026tab=1\nWe will also update the detail here at 2020.12.16 10:00 UTC+8 and you can join it by just submitting the report here.\n-------------------------------------------------------------------------------------------\n-------------------------------------------------------------------------------------------\n\nAlibaba BBP looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.\n\n# Response Targets\nAlibaba BBP will make the best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 5 days |\n| Time to Bounty | 2 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Policy\n* As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Access\nResearchers are free to create their own seller, buyer, etc., accounts on the in-scope applications. No credentials or privileged access will be provided by Alibaba, so accounts are limited to what users can create on their own.\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. 
If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n# Scope\nFor the first stage of Alibaba's Bug Bounty Program, only listed targets are in scope. \nOther domains/assets owned by Alibaba but not listed, are not in scope and are ineligible for bounty.\n\nYou may submit reports for assets that are previously listed in [Alibaba Response Program](https://hackerone.com/alibaba_vdp) to the ASRC platform here: https://security.alibaba.com/\nWe may add those assets gradually in the next program phase. Stay tuned for updates!\n\n## _Things to note about the Scope_\n\n### Lazada scope\nLazada has revised the scope and instead now to include ALL Lazada domains. In definition, they are:\n*.lazada.com\n*.lazada.sg\n*.lazada.vn\n*.lazada.com.my\n*.lazada.com.ph\n*.lazada.co.id\n*.lazada.co.th\n\n### Please note that if an IP belongs to Alibaba Cloud external customer, it's not in scope.\nIf an IP's description contains 'Alicloud' or 'Aliyun' in the search result here: http://wq.apnic.net/static/search.html , there is a high chance this IP belongs to our external Alibaba Cloud external customer, which is not in scope. But please note that this is only a reference, not a hard and fast rule. If you are not sure and the impact is severe enough, you can submit it, and we will look into your report ASAP. 
\n\n### sellercenter.taobao.com|.tw\nsellercenter.taobao.com|.tw belongs to Lazada, and it's not in this program's scope now.\n\n### Vulnerabilities in:\n \\*.anydomain.com|cn/[\\*/]login.htm\n \\*.anydomain.com|cn/[\\*/]mini[\\*]login.htm\n \\*.anydomain.com|cn/[\\*/]icbu[\\*]login.htm\nor patterns like above URLs,\nwill consider as only ONE valid report because of the same back-end service. Also, vulnerabilities on different \nparams of the same URL is consider as ONE valid report. \n\n### Aliyuncs.com\nFront-end vulnerabilities on aliyuncs.com is not a 'trust' domain in our business. So the XSS, CSRF, Open Redirection etc. are not in scope. But server-end vulnerabilities are in scope.\n\n### Please note that following type vulnerabilities severity will not be assessed higher than Medium severity:\nVulnerabilities that requires user visit certain URL or attacker controlled URL, for example: \n- Reflected XSS\n- Stored XSS that need to visit certain URL or need a user interaction\n- CSRF\n- CORS\n- Jsonp Hijacking\n- OAuth Hijacking\n- Privilege Escalation\n- Unused or abandoned subdomain takeover\n- Arbitrary file upload that only leads to Stored XSS etc.\n\n## Assessment Guidelines for SSRF Vulnerability Severity\nAlibaba has identified four main types of SSRF for its businesses:\n1.SSRF on Production Network Services\n2.Blind SSRF on Production Network Services\n3.SSRF on Cloud Server\n4.Blind SSRF on Cloud Server \n\nPlease note that the severity of SSRFs may range from low to critical. 
We have prepared a document outlining how SSRF issues will be assessed and to give clarity to our researchers: https://security.alibaba.com/announcement/announcement?id=194.\n\n# Out of scope vulnerabilities\nThe following finding types are specifically excluded:\n· Vulnerabilities affecting users of outdated browsers or platforms\n· Account brute force\n· Account takeover via CSRF/OAUTH etc.\n· Self-XSS\n· Flash-based XSS\n· Tabnabbing\n· Email Spoof\n· Session fixation\n· Content Spoofing\n· Missing cookie flags\n· Best practices/issues\n· HTML content injection\n· Mixed content warnings\n· Clickjacking/UI redressing\n· HTTPS/SSL/TLS Related Issues\n· Physical or social engineering attacks\n· Reflected file download attacks (RFD)\n· Issues that require unlikely user interaction\n· Login/logout/unauthenticated/low-impact CSRF\n· Unverified Results of automated tools or scanners\n· No SPF/DMARC in non-email domains/subdomains\n· Attacks requiring MITM or physical access to a user's device\n· Issues related to networking protocols or industry standards\n· Carriage Return Line Feed injection without direct impact (CRLF)\n· Error information disclosure that cannot be used to make a direct attack\n· Missing security-related HTTP headers which do not lead directly to a vulnerability\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\n# Contacting the team\n* Reports: You can communicate with H1 Team and ASRC Team directly under your H1 report.\n* Events \u0026 Info: ASRC will hold events frequently. See: https://security.alibaba.com/online . 
You can also follow our [Twitter](https://twitter.com/asrcsecurity) for updates.\n\nThank you for helping keep Alibaba and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-12-14T15:11:18.453Z"},{"id":3646735,"new_policy":"Dear researchers,\n\nASRC will hold Program Apollo - WAF challenge game at 2020.12.16.\nIt should be 2020.12.13 but delays, so it's 12.16 now, please note that. \n\nWe will set 6 target range websites of SQL and XSS, with WAF defences. If you can successfully bypass the defence, you can get reward and swag!  We will also show the hall of fame.\n\nThe detail will be showed at 12.16 when the game begins.\n\nFor more details, please join the game at:  https://security.alibaba.com/online/detail?type=1\u0026id=83\u0026tab=1\n\nWe will also update the detail here at the right time.\n-------------------------------------------------------------------------------------------\n-------------------------------------------------------------------------------------------\n\nAlibaba BBP looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.\n\n# Response Targets\nAlibaba BBP will make the best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 5 days |\n| Time to Bounty | 2 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Policy\n* As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program 
without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Access\nResearchers are free to create their own seller, buyer, etc., accounts on the in-scope applications. No credentials or privileged access will be provided by Alibaba, so accounts are limited to what users can create on their own.\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n# Scope\nFor the first stage of Alibaba's Bug Bounty Program, only listed targets are in scope. \nOther domains/assets owned by Alibaba but not listed, are not in scope and are ineligible for bounty.\n\nYou may submit reports for assets that are previously listed in [Alibaba Response Program](https://hackerone.com/alibaba_vdp) to the ASRC platform here: https://security.alibaba.com/\nWe may add those assets gradually in the next program phase. Stay tuned for updates!\n\n## _Things to note about the Scope_\n\n### Lazada scope\nLazada has revised the scope and instead now to include ALL Lazada domains. 
Specifically, they are:\n*.lazada.com\n*.lazada.sg\n*.lazada.vn\n*.lazada.com.my\n*.lazada.com.ph\n*.lazada.co.id\n*.lazada.co.th\n\n### Please note that if an IP belongs to an Alibaba Cloud external customer, it is not in scope.\nIf an IP's description contains 'Alicloud' or 'Aliyun' in the search result here: http://wq.apnic.net/static/search.html , there is a high chance this IP belongs to an external Alibaba Cloud customer, which is not in scope. Please note that this is only a reference, not a hard and fast rule. If you are not sure and the impact is severe enough, you can submit it, and we will look into your report ASAP. \n\n### sellercenter.taobao.com|.tw\nsellercenter.taobao.com|.tw belongs to Lazada and is not in this program's scope at this time.\n\n### Vulnerabilities in:\n \\*.anydomain.com|cn/[\\*/]login.htm\n \\*.anydomain.com|cn/[\\*/]mini[\\*]login.htm\n \\*.anydomain.com|cn/[\\*/]icbu[\\*]login.htm\nor URLs matching patterns like the above\nwill be considered only ONE valid report, because they share the same back-end service. Likewise, vulnerabilities in different parameters of the same URL are considered ONE valid report.\n\n### Aliyuncs.com\naliyuncs.com is not a 'trusted' domain in our business, so front-end vulnerabilities such as XSS, CSRF, Open Redirection etc. are not in scope. 
But server-side vulnerabilities are in scope.\n\n### Please note that the following vulnerability types will not be assessed higher than Medium severity:\nVulnerabilities that require a user to visit a certain URL or an attacker-controlled URL, for example:\n- Reflected XSS\n- Stored XSS that requires visiting a certain URL or user interaction\n- CSRF\n- CORS\n- JSONP Hijacking\n- OAuth Hijacking\n- Privilege Escalation\n- Unused or abandoned subdomain takeover\n- Arbitrary file upload that only leads to Stored XSS, etc.\n\n## Assessment Guidelines for SSRF Vulnerability Severity\nAlibaba has identified four main types of SSRF for its businesses:\n1. SSRF on Production Network Services\n2. Blind SSRF on Production Network Services\n3. SSRF on Cloud Server\n4. Blind SSRF on Cloud Server\n\nPlease note that the severity of SSRFs may range from low to critical. We have prepared a document outlining how SSRF issues will be assessed, to give clarity to our researchers: https://security.alibaba.com/announcement/announcement?id=194.\n\n# Out of scope vulnerabilities\nThe following finding types are specifically excluded:\n· Vulnerabilities affecting users of outdated browsers or platforms\n· Account brute force\n· Account takeover via CSRF/OAuth etc.\n· Self-XSS\n· Flash-based XSS\n· Tabnabbing\n· Email spoofing\n· Session fixation\n· Content spoofing\n· Missing cookie flags\n· Best practices/issues\n· HTML content injection\n· Mixed content warnings\n· Clickjacking/UI redressing\n· HTTPS/SSL/TLS related issues\n· Physical or social engineering attacks\n· Reflected file download attacks (RFD)\n· Issues that require unlikely user interaction\n· Login/logout/unauthenticated/low-impact CSRF\n· Unverified results of automated tools or scanners\n· No SPF/DMARC in non-email domains/subdomains\n· Attacks requiring MITM or physical access to a user's device\n· Issues related to networking protocols or industry standards\n· Carriage Return Line Feed injection without direct impact 
(CRLF)\n· Error information disclosure that cannot be used to mount a direct attack\n· Missing security-related HTTP headers which do not lead directly to a vulnerability\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\n# Contacting the team\n* Reports: You can communicate with the H1 Team and the ASRC Team directly under your H1 report.\n* Events \u0026 Info: ASRC will hold events frequently. See: https://security.alibaba.com/online . You can also follow our [Twitter](https://twitter.com/asrcsecurity) for updates.\n\nThank you for helping keep Alibaba and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-12-11T14:20:58.604Z"},{"id":3646732,"new_policy":"Dear researchers,\n\nASRC will hold the Program Apollo - WAF challenge game on 2020.12.16.\nIt was originally scheduled for 2020.12.13 but has been delayed, so it is now 12.16; please note the change.\n\nWe will set up 2 target range websites of SQL and XSS, with WAF defences. If you can successfully bypass the defence, you can get a reward and swag! 
We will also show the hall of fame.\n\nThe details will be shown on 12.16 when the game begins.\n\nFor more details, please join the game at: https://security.alibaba.com/online/detail?type=1\u0026id=83\u0026tab=1\n\nWe will also update the details here in due course.\n-------------------------------------------------------------------------------------------\n-------------------------------------------------------------------------------------------\n\nAlibaba BBP looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.\n\n# Response Targets\nAlibaba BBP will make the best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 5 days |\n| Time to Bounty | 2 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Policy\n* As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Access\nResearchers are free to create their own seller, buyer, etc., accounts on the in-scope applications. No credentials or privileged access will be provided by Alibaba, so accounts are limited to what users can create on their own.\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. 
If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n# Scope\nFor the first stage of Alibaba's Bug Bounty Program, only listed targets are in scope. \nOther domains/assets owned by Alibaba but not listed are not in scope and are ineligible for bounty.\n\nYou may submit reports for assets that were previously listed in [Alibaba Response Program](https://hackerone.com/alibaba_vdp) to the ASRC platform here: https://security.alibaba.com/\nWe may add those assets gradually in the next program phase. Stay tuned for updates!\n\n## _Things to note about the Scope_\n\n### Lazada scope\nLazada has revised its scope and now includes ALL Lazada domains. Specifically, they are:\n*.lazada.com\n*.lazada.sg\n*.lazada.vn\n*.lazada.com.my\n*.lazada.com.ph\n*.lazada.co.id\n*.lazada.co.th\n\n### Please note that if an IP belongs to an Alibaba Cloud external customer, it is not in scope.\nIf an IP's description contains 'Alicloud' or 'Aliyun' in the search result here: http://wq.apnic.net/static/search.html , there is a high chance this IP belongs to an external Alibaba Cloud customer, which is not in scope. Please note that this is only a reference, not a hard and fast rule. If you are not sure and the impact is severe enough, you can submit it, and we will look into your report ASAP. 
\n\n### sellercenter.taobao.com|.tw\nsellercenter.taobao.com|.tw belongs to Lazada and is not in this program's scope at this time.\n\n### Vulnerabilities in:\n \\*.anydomain.com|cn/[\\*/]login.htm\n \\*.anydomain.com|cn/[\\*/]mini[\\*]login.htm\n \\*.anydomain.com|cn/[\\*/]icbu[\\*]login.htm\nor URLs matching patterns like the above\nwill be considered only ONE valid report, because they share the same back-end service. Likewise, vulnerabilities in different parameters of the same URL are considered ONE valid report.\n\n### Aliyuncs.com\naliyuncs.com is not a 'trusted' domain in our business, so front-end vulnerabilities such as XSS, CSRF, Open Redirection etc. are not in scope. But server-side vulnerabilities are in scope.\n\n### Please note that the following vulnerability types will not be assessed higher than Medium severity:\nVulnerabilities that require a user to visit a certain URL or an attacker-controlled URL, for example:\n- Reflected XSS\n- Stored XSS that requires visiting a certain URL or user interaction\n- CSRF\n- CORS\n- JSONP Hijacking\n- OAuth Hijacking\n- Privilege Escalation\n- Unused or abandoned subdomain takeover\n- Arbitrary file upload that only leads to Stored XSS, etc.\n\n## Assessment Guidelines for SSRF Vulnerability Severity\nAlibaba has identified four main types of SSRF for its businesses:\n1. SSRF on Production Network Services\n2. Blind SSRF on Production Network Services\n3. SSRF on Cloud Server\n4. Blind SSRF on Cloud Server\n\nPlease note that the severity of SSRFs may range from low to critical. 
We have prepared a document outlining how SSRF issues will be assessed, to give clarity to our researchers: https://security.alibaba.com/announcement/announcement?id=194.\n\n# Out of scope vulnerabilities\nThe following finding types are specifically excluded:\n· Vulnerabilities affecting users of outdated browsers or platforms\n· Account brute force\n· Account takeover via CSRF/OAuth etc.\n· Self-XSS\n· Flash-based XSS\n· Tabnabbing\n· Email spoofing\n· Session fixation\n· Content spoofing\n· Missing cookie flags\n· Best practices/issues\n· HTML content injection\n· Mixed content warnings\n· Clickjacking/UI redressing\n· HTTPS/SSL/TLS related issues\n· Physical or social engineering attacks\n· Reflected file download attacks (RFD)\n· Issues that require unlikely user interaction\n· Login/logout/unauthenticated/low-impact CSRF\n· Unverified results of automated tools or scanners\n· No SPF/DMARC in non-email domains/subdomains\n· Attacks requiring MITM or physical access to a user's device\n· Issues related to networking protocols or industry standards\n· Carriage Return Line Feed injection without direct impact (CRLF)\n· Error information disclosure that cannot be used to mount a direct attack\n· Missing security-related HTTP headers which do not lead directly to a vulnerability\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\n# Contacting the team\n* Reports: You can communicate with the H1 Team and the ASRC Team directly under your H1 report.\n* Events \u0026 Info: ASRC will hold events frequently. See: https://security.alibaba.com/online . 
You can also follow our [Twitter](https://twitter.com/asrcsecurity) for updates.\n\nThank you for helping keep Alibaba and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-12-11T13:45:41.320Z"},{"id":3646594,"new_policy":"Dear researchers,\n\nASRC will hold the Program Apollo - WAF challenge game on 2020.12.13.\n\nWe will set up 2 target range websites of SQL and XSS, with WAF defences. If you can successfully bypass the defence, you can get a reward and swag! We will also show the hall of fame.\n\nThe details will be shown on 12.13 when the game begins.\n\nFor more details, please join the game at: https://security.alibaba.com/online/detail?type=1\u0026id=83\u0026tab=1\n\nWe will also update the details here in due course.\n-------------------------------------------------------------------------------------------\n-------------------------------------------------------------------------------------------\n\nAlibaba BBP looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.\n\n# Response Targets\nAlibaba BBP will make the best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 5 days |\n| Time to Bounty | 2 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Policy\n* As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure 
guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Access\nResearchers are free to create their own seller, buyer, etc., accounts on the in-scope applications. No credentials or privileged access will be provided by Alibaba, so accounts are limited to what users can create on their own.\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n# Scope\nFor the first stage of Alibaba's Bug Bounty Program, only listed targets are in scope. \nOther domains/assets owned by Alibaba but not listed are not in scope and are ineligible for bounty.\n\nYou may submit reports for assets that were previously listed in [Alibaba Response Program](https://hackerone.com/alibaba_vdp) to the ASRC platform here: https://security.alibaba.com/\nWe may add those assets gradually in the next program phase. Stay tuned for updates!\n\n## _Things to note about the Scope_\n\n### Lazada scope\nLazada has revised its scope and now includes ALL Lazada domains. 
Specifically, they are:\n*.lazada.com\n*.lazada.sg\n*.lazada.vn\n*.lazada.com.my\n*.lazada.com.ph\n*.lazada.co.id\n*.lazada.co.th\n\n### Please note that if an IP belongs to an Alibaba Cloud external customer, it is not in scope.\nIf an IP's description contains 'Alicloud' or 'Aliyun' in the search result here: http://wq.apnic.net/static/search.html , there is a high chance this IP belongs to an external Alibaba Cloud customer, which is not in scope. Please note that this is only a reference, not a hard and fast rule. If you are not sure and the impact is severe enough, you can submit it, and we will look into your report ASAP. \n\n### sellercenter.taobao.com|.tw\nsellercenter.taobao.com|.tw belongs to Lazada and is not in this program's scope at this time.\n\n### Vulnerabilities in:\n \\*.anydomain.com|cn/[\\*/]login.htm\n \\*.anydomain.com|cn/[\\*/]mini[\\*]login.htm\n \\*.anydomain.com|cn/[\\*/]icbu[\\*]login.htm\nor URLs matching patterns like the above\nwill be considered only ONE valid report, because they share the same back-end service. Likewise, vulnerabilities in different parameters of the same URL are considered ONE valid report.\n\n### Aliyuncs.com\naliyuncs.com is not a 'trusted' domain in our business, so front-end vulnerabilities such as XSS, CSRF, Open Redirection etc. are not in scope. 
But server-side vulnerabilities are in scope.\n\n### Please note that the following vulnerability types will not be assessed higher than Medium severity:\nVulnerabilities that require a user to visit a certain URL or an attacker-controlled URL, for example:\n- Reflected XSS\n- Stored XSS that requires visiting a certain URL or user interaction\n- CSRF\n- CORS\n- JSONP Hijacking\n- OAuth Hijacking\n- Privilege Escalation\n- Unused or abandoned subdomain takeover\n- Arbitrary file upload that only leads to Stored XSS, etc.\n\n## Assessment Guidelines for SSRF Vulnerability Severity\nAlibaba has identified four main types of SSRF for its businesses:\n1. SSRF on Production Network Services\n2. Blind SSRF on Production Network Services\n3. SSRF on Cloud Server\n4. Blind SSRF on Cloud Server\n\nPlease note that the severity of SSRFs may range from low to critical. We have prepared a document outlining how SSRF issues will be assessed, to give clarity to our researchers: https://security.alibaba.com/announcement/announcement?id=194.\n\n# Out of scope vulnerabilities\nThe following finding types are specifically excluded:\n· Vulnerabilities affecting users of outdated browsers or platforms\n· Account brute force\n· Account takeover via CSRF/OAuth etc.\n· Self-XSS\n· Flash-based XSS\n· Tabnabbing\n· Email spoofing\n· Session fixation\n· Content spoofing\n· Missing cookie flags\n· Best practices/issues\n· HTML content injection\n· Mixed content warnings\n· Clickjacking/UI redressing\n· HTTPS/SSL/TLS related issues\n· Physical or social engineering attacks\n· Reflected file download attacks (RFD)\n· Issues that require unlikely user interaction\n· Login/logout/unauthenticated/low-impact CSRF\n· Unverified results of automated tools or scanners\n· No SPF/DMARC in non-email domains/subdomains\n· Attacks requiring MITM or physical access to a user's device\n· Issues related to networking protocols or industry standards\n· Carriage Return Line Feed injection without direct impact 
(CRLF)\n· Error information disclosure that cannot be used to mount a direct attack\n· Missing security-related HTTP headers which do not lead directly to a vulnerability\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\n# Contacting the team\n* Reports: You can communicate with the H1 Team and the ASRC Team directly under your H1 report.\n* Events \u0026 Info: ASRC will hold events frequently. See: https://security.alibaba.com/online . You can also follow our [Twitter](https://twitter.com/asrcsecurity) for updates.\n\nThank you for helping keep Alibaba and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-12-08T15:34:26.811Z"},{"id":3646593,"new_policy":"Dear researchers,\n\nASRC will hold the Program Apollo - WAF challenge game on 2020.12.13.\n\nWe will set up 2 target range websites of SQL and XSS, with WAF defences. If you can successfully bypass the defence, you can get a reward and swag! 
We will also show the hall of fame.\n\nThe details will be shown on 12.13 when the game begins.\n\nFor more details, please join the game at: https://security.alibaba.com/online/detail?type=1\u0026id=83\u0026tab=1\n\nWe will also update the details here in due course.\n-------------------------------------------------------------------------------------------\n\nAlibaba BBP looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.\n\n# Response Targets\nAlibaba BBP will make the best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 5 days |\n| Time to Bounty | 2 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Policy\n* As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Access\nResearchers are free to create their own seller, buyer, etc., accounts on the in-scope applications. No credentials or privileged access will be provided by Alibaba, so accounts are limited to what users can create on their own.\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. 
If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n# Scope\nFor the first stage of Alibaba's Bug Bounty Program, only listed targets are in scope. \nOther domains/assets owned by Alibaba but not listed are not in scope and are ineligible for bounty.\n\nYou may submit reports for assets that were previously listed in [Alibaba Response Program](https://hackerone.com/alibaba_vdp) to the ASRC platform here: https://security.alibaba.com/\nWe may add those assets gradually in the next program phase. Stay tuned for updates!\n\n## _Things to note about the Scope_\n\n### Lazada scope\nLazada has revised its scope and now includes ALL Lazada domains. Specifically, they are:\n*.lazada.com\n*.lazada.sg\n*.lazada.vn\n*.lazada.com.my\n*.lazada.com.ph\n*.lazada.co.id\n*.lazada.co.th\n\n### Please note that if an IP belongs to an Alibaba Cloud external customer, it is not in scope.\nIf an IP's description contains 'Alicloud' or 'Aliyun' in the search result here: http://wq.apnic.net/static/search.html , there is a high chance this IP belongs to an external Alibaba Cloud customer, which is not in scope. Please note that this is only a reference, not a hard and fast rule. If you are not sure and the impact is severe enough, you can submit it, and we will look into your report ASAP. 
\n\n### sellercenter.taobao.com|.tw\nsellercenter.taobao.com|.tw belongs to Lazada and is not in this program's scope at this time.\n\n### Vulnerabilities in:\n \\*.anydomain.com|cn/[\\*/]login.htm\n \\*.anydomain.com|cn/[\\*/]mini[\\*]login.htm\n \\*.anydomain.com|cn/[\\*/]icbu[\\*]login.htm\nor URLs matching patterns like the above\nwill be considered only ONE valid report, because they share the same back-end service. Likewise, vulnerabilities in different parameters of the same URL are considered ONE valid report.\n\n### Aliyuncs.com\naliyuncs.com is not a 'trusted' domain in our business, so front-end vulnerabilities such as XSS, CSRF, Open Redirection etc. are not in scope. But server-side vulnerabilities are in scope.\n\n### Please note that the following vulnerability types will not be assessed higher than Medium severity:\nVulnerabilities that require a user to visit a certain URL or an attacker-controlled URL, for example:\n- Reflected XSS\n- Stored XSS that requires visiting a certain URL or user interaction\n- CSRF\n- CORS\n- JSONP Hijacking\n- OAuth Hijacking\n- Privilege Escalation\n- Unused or abandoned subdomain takeover\n- Arbitrary file upload that only leads to Stored XSS, etc.\n\n## Assessment Guidelines for SSRF Vulnerability Severity\nAlibaba has identified four main types of SSRF for its businesses:\n1. SSRF on Production Network Services\n2. Blind SSRF on Production Network Services\n3. SSRF on Cloud Server\n4. Blind SSRF on Cloud Server\n\nPlease note that the severity of SSRFs may range from low to critical. 
We have prepared a document outlining how SSRF issues will be assessed, to give clarity to our researchers: https://security.alibaba.com/announcement/announcement?id=194.\n\n# Out of scope vulnerabilities\nThe following finding types are specifically excluded:\n· Vulnerabilities affecting users of outdated browsers or platforms\n· Account brute force\n· Account takeover via CSRF/OAuth etc.\n· Self-XSS\n· Flash-based XSS\n· Tabnabbing\n· Email spoofing\n· Session fixation\n· Content spoofing\n· Missing cookie flags\n· Best practices/issues\n· HTML content injection\n· Mixed content warnings\n· Clickjacking/UI redressing\n· HTTPS/SSL/TLS related issues\n· Physical or social engineering attacks\n· Reflected file download attacks (RFD)\n· Issues that require unlikely user interaction\n· Login/logout/unauthenticated/low-impact CSRF\n· Unverified results of automated tools or scanners\n· No SPF/DMARC in non-email domains/subdomains\n· Attacks requiring MITM or physical access to a user's device\n· Issues related to networking protocols or industry standards\n· Carriage Return Line Feed injection without direct impact (CRLF)\n· Error information disclosure that cannot be used to mount a direct attack\n· Missing security-related HTTP headers which do not lead directly to a vulnerability\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\n# Contacting the team\n* Reports: You can communicate with the H1 Team and the ASRC Team directly under your H1 report.\n* Events \u0026 Info: ASRC will hold events frequently. See: https://security.alibaba.com/online . 
You can also follow our [Twitter](https://twitter.com/asrcsecurity) for updates.\n\nThank you for helping keep Alibaba and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-12-08T15:33:22.332Z"},{"id":3646592,"new_policy":"\nAlibaba BBP looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.\n\n# Response Targets\nAlibaba BBP will make the best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 5 days |\n| Time to Bounty | 2 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Policy\n* As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Access\nResearchers are free to create their own seller, buyer, etc., accounts on the in-scope applications. No credentials or privileged access will be provided by Alibaba, so accounts are limited to what users can create on their own.\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. 
If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n# Scope\nFor the first stage of Alibaba's Bug Bounty Program, only listed targets are in scope. \nOther domains/assets owned by Alibaba but not listed are not in scope and are ineligible for bounty.\n\nYou may submit reports for assets that were previously listed in [Alibaba Response Program](https://hackerone.com/alibaba_vdp) to the ASRC platform here: https://security.alibaba.com/\nWe may add those assets gradually in the next program phase. Stay tuned for updates!\n\n## _Things to note about the Scope_\n\n### Lazada scope\nLazada has revised its scope and now includes ALL Lazada domains. Specifically, they are:\n*.lazada.com\n*.lazada.sg\n*.lazada.vn\n*.lazada.com.my\n*.lazada.com.ph\n*.lazada.co.id\n*.lazada.co.th\n\n### Please note that if an IP belongs to an Alibaba Cloud external customer, it is not in scope.\nIf an IP's description contains 'Alicloud' or 'Aliyun' in the search result here: http://wq.apnic.net/static/search.html , there is a high chance this IP belongs to an external Alibaba Cloud customer, which is not in scope. Please note that this is only a reference, not a hard and fast rule. If you are not sure and the impact is severe enough, you can submit it, and we will look into your report ASAP. 
\n\n### sellercenter.taobao.com|.tw\nsellercenter.taobao.com|.tw belongs to Lazada and is not in this program's scope at this time.\n\n### Vulnerabilities in:\n \\*.anydomain.com|cn/[\\*/]login.htm\n \\*.anydomain.com|cn/[\\*/]mini[\\*]login.htm\n \\*.anydomain.com|cn/[\\*/]icbu[\\*]login.htm\nor URLs matching patterns like the above\nwill be considered only ONE valid report, because they share the same back-end service. Likewise, vulnerabilities in different parameters of the same URL are considered ONE valid report.\n\n### Aliyuncs.com\naliyuncs.com is not a 'trusted' domain in our business, so front-end vulnerabilities such as XSS, CSRF, Open Redirection etc. are not in scope. But server-side vulnerabilities are in scope.\n\n### Please note that the following vulnerability types will not be assessed higher than Medium severity:\nVulnerabilities that require a user to visit a certain URL or an attacker-controlled URL, for example:\n- Reflected XSS\n- Stored XSS that requires visiting a certain URL or user interaction\n- CSRF\n- CORS\n- JSONP Hijacking\n- OAuth Hijacking\n- Privilege Escalation\n- Unused or abandoned subdomain takeover\n- Arbitrary file upload that only leads to Stored XSS, etc.\n\n## Assessment Guidelines for SSRF Vulnerability Severity\nAlibaba has identified four main types of SSRF for its businesses:\n1. SSRF on Production Network Services\n2. Blind SSRF on Production Network Services\n3. SSRF on Cloud Server\n4. Blind SSRF on Cloud Server\n\nPlease note that the severity of SSRFs may range from low to critical. 
We have prepared a document outlining how SSRF issues will be assessed, to give clarity to our researchers: https://security.alibaba.com/announcement/announcement?id=194.\n\n# Out of scope vulnerabilities\nThe following finding types are specifically excluded:\n· Vulnerabilities affecting users of outdated browsers or platforms\n· Account brute force\n· Account takeover via CSRF/OAuth etc.\n· Self-XSS\n· Flash-based XSS\n· Tabnabbing\n· Email spoofing\n· Session fixation\n· Content spoofing\n· Missing cookie flags\n· Best practices/issues\n· HTML content injection\n· Mixed content warnings\n· Clickjacking/UI redressing\n· HTTPS/SSL/TLS related issues\n· Physical or social engineering attacks\n· Reflected file download attacks (RFD)\n· Issues that require unlikely user interaction\n· Login/logout/unauthenticated/low-impact CSRF\n· Unverified results of automated tools or scanners\n· No SPF/DMARC on non-email domains/subdomains\n· Attacks requiring MITM or physical access to a user's device\n· Issues related to networking protocols or industry standards\n· Carriage Return Line Feed injection without direct impact (CRLF)\n· Error information disclosure that cannot be used to make a direct attack\n· Missing security-related HTTP headers which do not lead directly to a vulnerability\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\n# Contacting the team\n* Reports: You can communicate with the H1 Team and the ASRC Team directly under your H1 report.\n* Events \u0026 Info: ASRC will hold events frequently. See: https://security.alibaba.com/online . 
You can also follow our [Twitter](https://twitter.com/asrcsecurity) for updates.\n\nThank you for helping keep Alibaba and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-12-08T15:13:30.694Z"},{"id":3642831,"new_policy":"\n# The Third ASRC's Country Best Researcher Promotion\n\nDear researchers, \n\nWe are excited to let you know that we are launching the ASRC’s Country Best Researcher Promotion starting September 26th, 2020 to reward and show our appreciation to our researchers. Through this promotion, which will run periodically throughout the year, we are on the lookout for the best researchers from each country who can help us identify critical vulnerabilities. \nFor the last two events, we had two really great researchers!\n### ASRC UK's Country Best Researcher dozybrit (@bpruston)\n### ASRC India's Country Best Researcher Vishal Singh(@umsvishal)\nThis promotion is a big challenge! We look forward to finding more excellent researchers. Are you ready?\nAll you have to do is surface bugs during the promotion period and we’ll have some special prizes up for grabs!\n\n# Promotion Period: \n26 September to 31 October 2020 (UTC+8)\n\n# Rewards:\nOnly the following vulnerability types are in scope for this promotion.\nOther types of valid vulnerabilities will still be rewarded, but are not included in this promotion.\n\n| Category | Description | Severity | Reward |\n| ------------- | ------------- | ------------- | ------------- |\n| Remote code execution | RCE on Production Network Servers. Executing the command \"curl http://ssrf.asrctest.com\" returns a page containing the string \"ewScgt51auzKg\" and a random Request ID | Critical | 8000 |\n| SSRF with full response | SSRF on Production Network Servers. 
Requesting the URL \"http://ssrf.asrctest.com/\" returns a page containing the string \"ewScgt51auzKg\" and a random Request ID | High | 3000 |\n\n# For submitting at least one valid high or critical vulnerability, you will receive:\n1. An ASRC customized backpack. Sample Image: \nhttps://img.alicdn.com/tfs/TB1kb5Vhsieb18jSZFvXXaI3FXa-800-800.jpg\n\n# Furthermore, those who win the title of the Country’s Best Researcher will be awarded:\n1. An ASRC (Alibaba Security Response Centre) Certificate. Sample Image: https://img.alicdn.com/tfs/TB1xvB5Bi_1gK0jSZFqXXcpaXXa-237-310.png \n2. An ASRC special package, which includes a backpack, a baseball cap, a sports water bottle and a sticker.  \n# How to be awarded ASRC's Country Best Researcher\n1. Researchers who submit the highest number of high and critical vulnerabilities during the promotion period will be rewarded.\n2. If 2 or more researchers from the same country submit the same number of high or critical severity vulnerabilities, we will award the Country’s Best Researcher title based on the time of report submission. \n3. If 2 or more researchers from different countries submit the same number of high or critical severity vulnerabilities, we will award all of them the Country’s Best Researcher title. \n\n# Rules of Engagement\n1. IMPORTANT: Please state in your report the country you’re based in, so that we can determine your eligibility.\n2. Researchers from China are not eligible to participate in this promotion, as there is another ongoing promotion dedicated to them.\n3. To deliver the prizes to you, we will reach out to retrieve your mailing address. 
\n\nUsual program rules apply and we’ll be announcing the winners when the campaign concludes.\n\nGood luck and stay safe!\nAlibaba Security Response Center Team\n\n-----------\n\nAlibaba BBP looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.\n\n# Response Targets\nAlibaba BBP will make the best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 5 days |\n| Time to Bounty | 2 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Policy\n* As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Access\nResearchers are free to create their own seller, buyer, etc., accounts on the in-scope applications. No credentials or privileged access will be provided by Alibaba, so accounts are limited to what users can create on their own.\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. 
Only interact with accounts you own or with the explicit permission of the account holder.\n\n# Scope\nFor the first stage of Alibaba's Bug Bounty Program, only listed targets are in scope. \nOther domains/assets owned by Alibaba but not listed are not in scope and are ineligible for bounty.\n\nYou may submit reports for assets that were previously listed in the [Alibaba Response Program](https://hackerone.com/alibaba_vdp) to the ASRC platform here: https://security.alibaba.com/\nWe may add those assets gradually in the next program phase. Stay tuned for updates!\n\n## _Things to note about the Scope_\n\n### Lazada scope\nLazada has revised its scope to include ALL Lazada domains, namely:\n*.lazada.com\n*.lazada.sg\n*.lazada.vn\n*.lazada.com.my\n*.lazada.com.ph\n*.lazada.co.id\n*.lazada.co.th\n\n### Please note that if an IP belongs to an external Alibaba Cloud customer, it is not in scope.\nIf an IP's description contains 'Alicloud' or 'Aliyun' in the search result here: http://wq.apnic.net/static/search.html , there is a high chance this IP belongs to an external Alibaba Cloud customer, which is not in scope. But please note that this is only a reference, not a hard and fast rule. If you are not sure and the impact is severe enough, you can submit it, and we will look into your report ASAP. \n\n### sellercenter.taobao.com|.tw\nsellercenter.taobao.com|.tw belongs to Lazada and is currently not in this program's scope.\n\n### Vulnerabilities in:\n \\*.anydomain.com|cn/[\\*/]login.htm\n \\*.anydomain.com|cn/[\\*/]mini[\\*]login.htm\n \\*.anydomain.com|cn/[\\*/]icbu[\\*]login.htm\nor URLs following similar patterns\nwill be considered as only ONE valid report, because they share the same back-end service. Likewise, vulnerabilities in different params of the same URL are considered as ONE valid report. \n\n### Aliyuncs.com\naliyuncs.com is not a 'trusted' domain in our business, so front-end vulnerabilities on it (XSS, CSRF, Open Redirection etc.) are not in scope. 
But server-side vulnerabilities on it are in scope.\n\n### Please note that the following vulnerability types will not be assessed higher than Medium severity:\nVulnerabilities that require a user to visit a certain URL or an attacker-controlled URL, for example: \n- Reflected XSS\n- Stored XSS that requires visiting a certain URL or user interaction\n- CSRF\n- CORS\n- JSONP Hijacking\n- OAuth Hijacking\n- Privilege Escalation\n- Unused or abandoned subdomain takeover\n- Arbitrary file upload that only leads to Stored XSS etc.\n\n## Assessment Guidelines for SSRF Vulnerability Severity\nAlibaba has identified four main types of SSRF for its businesses:\n1. SSRF on Production Network Services\n2. Blind SSRF on Production Network Services\n3. SSRF on Cloud Server\n4. Blind SSRF on Cloud Server \n\nPlease note that the severity of SSRFs may range from low to critical. We have prepared a document outlining how SSRF issues will be assessed, to give clarity to our researchers: https://security.alibaba.com/announcement/announcement?id=194.\n\n# Out of scope vulnerabilities\nThe following finding types are specifically excluded:\n· Vulnerabilities affecting users of outdated browsers or platforms\n· Account brute force\n· Account takeover via CSRF/OAuth etc.\n· Self-XSS\n· Flash-based XSS\n· Tabnabbing\n· Email spoofing\n· Session fixation\n· Content spoofing\n· Missing cookie flags\n· Best practices/issues\n· HTML content injection\n· Mixed content warnings\n· Clickjacking/UI redressing\n· HTTPS/SSL/TLS related issues\n· Physical or social engineering attacks\n· Reflected file download attacks (RFD)\n· Issues that require unlikely user interaction\n· Login/logout/unauthenticated/low-impact CSRF\n· Unverified results of automated tools or scanners\n· No SPF/DMARC on non-email domains/subdomains\n· Attacks requiring MITM or physical access to a user's device\n· Issues related to networking protocols or industry standards\n· Carriage Return Line Feed injection without direct impact 
(CRLF)\n· Error information disclosure that cannot be used to make a direct attack\n· Missing security-related HTTP headers which do not lead directly to a vulnerability\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\n# Contacting the team\n* Reports: You can communicate with the H1 Team and the ASRC Team directly under your H1 report.\n* Events \u0026 Info: ASRC will hold events frequently. See: https://security.alibaba.com/online . You can also follow our [Twitter](https://twitter.com/asrcsecurity) for updates.\n\nThank you for helping keep Alibaba and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-09-25T09:31:54.870Z"},{"id":3642830,"new_policy":"\n# The Third ASRC's Country Best Researcher Promotion\n\nDear researchers, \n\nWe are excited to let you know that we are launching the ASRC’s Country Best Researcher Promotion starting September 26th, 2020 to reward and show our appreciation to our researchers. Through this promotion, which will run periodically throughout the year, we are on the lookout for the best researchers from each country who can help us identify critical vulnerabilities. \nFor the last two events, we had two really great researchers!\n### ASRC UK's Country Best Researcher is dozybrit (@bpruston)\n### ASRC India's Country Best Researcher is Vishal Singh(@umsvishal)\nThis promotion is a big challenge! We look forward to finding more excellent researchers. 
Are you ready?\nAll you have to do is surface bugs during the promotion period and we’ll have some special prizes up for grabs!\n\n# Promotion Period: \n26 September to 31 October 2020 (UTC+8)\n\n# Rewards:\nOnly the following vulnerability types are in scope for this promotion.\nOther types of valid vulnerabilities will still be rewarded, but are not included in this promotion.\n\n| Category | Description | Severity | Reward |\n| ------------- | ------------- | ------------- | ------------- |\n| Remote code execution | RCE on Production Network Servers. Executing the command \"curl http://ssrf.asrctest.com\" returns a page containing the string \"ewScgt51auzKg\" and a random Request ID | Critical | 8000 |\n| SSRF with full response | SSRF on Production Network Servers. Requesting the URL \"http://ssrf.asrctest.com/\" returns a page containing the string \"ewScgt51auzKg\" and a random Request ID | High | 3000 |\n\n# For submitting at least one valid high or critical vulnerability, you will receive:\n1. An ASRC customized backpack. Sample Image: \nhttps://img.alicdn.com/tfs/TB1kb5Vhsieb18jSZFvXXaI3FXa-800-800.jpg\n\n# Furthermore, those who win the title of the Country’s Best Researcher will be awarded:\n1. An ASRC (Alibaba Security Response Centre) Certificate. Sample Image: https://img.alicdn.com/tfs/TB1xvB5Bi_1gK0jSZFqXXcpaXXa-237-310.png \n2. An ASRC special package, which includes a backpack, a baseball cap, a sports water bottle and a sticker.  \n# How to be awarded ASRC's Country Best Researcher\n1. Researchers who submit the highest number of high and critical vulnerabilities during the promotion period will be rewarded.\n2. If 2 or more researchers from the same country submit the same number of high or critical severity vulnerabilities, we will award the Country’s Best Researcher title based on the time of report submission. 
\n3. If 2 or more researchers from different countries submit the same number of high or critical severity vulnerabilities, we will award all of them the Country’s Best Researcher title. \n\n# Rules of Engagement\n1. IMPORTANT: Please state in your report the country you’re based in, so that we can determine your eligibility.\n2. Researchers from China are not eligible to participate in this promotion, as there is another ongoing promotion dedicated to them.\n3. To deliver the prizes to you, we will reach out to retrieve your mailing address. \n\nUsual program rules apply and we’ll be announcing the winners when the campaign concludes.\n\nGood luck and stay safe!\nAlibaba Security Response Center Team\n\n-----------\n\nAlibaba BBP looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.\n\n# Response Targets\nAlibaba BBP will make the best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 5 days |\n| Time to Bounty | 2 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Policy\n* As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Access\nResearchers are free to create their own seller, buyer, etc., accounts on the in-scope applications. No credentials or privileged access will be provided by Alibaba, so accounts are limited to what users can create on their own.\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. 
If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.\n\n# Scope\nFor the first stage of Alibaba's Bug Bounty Program, only listed targets are in scope. \nOther domains/assets owned by Alibaba but not listed are not in scope and are ineligible for bounty.\n\nYou may submit reports for assets that were previously listed in the [Alibaba Response Program](https://hackerone.com/alibaba_vdp) to the ASRC platform here: https://security.alibaba.com/\nWe may add those assets gradually in the next program phase. Stay tuned for updates!\n\n## _Things to note about the Scope_\n\n### Lazada scope\nLazada has revised its scope to include ALL Lazada domains, namely:\n*.lazada.com\n*.lazada.sg\n*.lazada.vn\n*.lazada.com.my\n*.lazada.com.ph\n*.lazada.co.id\n*.lazada.co.th\n\n### Please note that if an IP belongs to an external Alibaba Cloud customer, it is not in scope.\nIf an IP's description contains 'Alicloud' or 'Aliyun' in the search result here: http://wq.apnic.net/static/search.html , there is a high chance this IP belongs to an external Alibaba Cloud customer, which is not in scope. But please note that this is only a reference, not a hard and fast rule. If you are not sure and the impact is severe enough, you can submit it, and we will look into your report ASAP. 
\n\n### sellercenter.taobao.com|.tw\nsellercenter.taobao.com|.tw belongs to Lazada and is currently not in this program's scope.\n\n### Vulnerabilities in:\n \\*.anydomain.com|cn/[\\*/]login.htm\n \\*.anydomain.com|cn/[\\*/]mini[\\*]login.htm\n \\*.anydomain.com|cn/[\\*/]icbu[\\*]login.htm\nor URLs following similar patterns\nwill be considered as only ONE valid report, because they share the same back-end service. Likewise, vulnerabilities in different params of the same URL are considered as ONE valid report. \n\n### Aliyuncs.com\naliyuncs.com is not a 'trusted' domain in our business, so front-end vulnerabilities on it (XSS, CSRF, Open Redirection etc.) are not in scope. But server-side vulnerabilities on it are in scope.\n\n### Please note that the following vulnerability types will not be assessed higher than Medium severity:\nVulnerabilities that require a user to visit a certain URL or an attacker-controlled URL, for example: \n- Reflected XSS\n- Stored XSS that requires visiting a certain URL or user interaction\n- CSRF\n- CORS\n- JSONP Hijacking\n- OAuth Hijacking\n- Privilege Escalation\n- Unused or abandoned subdomain takeover\n- Arbitrary file upload that only leads to Stored XSS etc.\n\n## Assessment Guidelines for SSRF Vulnerability Severity\nAlibaba has identified four main types of SSRF for its businesses:\n1. SSRF on Production Network Services\n2. Blind SSRF on Production Network Services\n3. SSRF on Cloud Server\n4. Blind SSRF on Cloud Server \n\nPlease note that the severity of SSRFs may range from low to critical. 
We have prepared a document outlining how SSRF issues will be assessed, to give clarity to our researchers: https://security.alibaba.com/announcement/announcement?id=194.\n\n# Out of scope vulnerabilities\nThe following finding types are specifically excluded:\n· Vulnerabilities affecting users of outdated browsers or platforms\n· Account brute force\n· Account takeover via CSRF/OAuth etc.\n· Self-XSS\n· Flash-based XSS\n· Tabnabbing\n· Email spoofing\n· Session fixation\n· Content spoofing\n· Missing cookie flags\n· Best practices/issues\n· HTML content injection\n· Mixed content warnings\n· Clickjacking/UI redressing\n· HTTPS/SSL/TLS related issues\n· Physical or social engineering attacks\n· Reflected file download attacks (RFD)\n· Issues that require unlikely user interaction\n· Login/logout/unauthenticated/low-impact CSRF\n· Unverified results of automated tools or scanners\n· No SPF/DMARC on non-email domains/subdomains\n· Attacks requiring MITM or physical access to a user's device\n· Issues related to networking protocols or industry standards\n· Carriage Return Line Feed injection without direct impact (CRLF)\n· Error information disclosure that cannot be used to make a direct attack\n· Missing security-related HTTP headers which do not lead directly to a vulnerability\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\n# Contacting the team\n* Reports: You can communicate with the H1 Team and the ASRC Team directly under your H1 report.\n* Events \u0026 Info: ASRC will hold events frequently. See: https://security.alibaba.com/online . 
You can also follow our [Twitter](https://twitter.com/asrcsecurity) for updates.\n\nThank you for helping keep Alibaba and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-09-25T09:30:56.120Z"},{"id":3642829,"new_policy":"\n# The Third ASRC's Country Best Researcher Promotion\n\nDear researchers, \n\nWe are excited to let you know that we are launching the ASRC’s Country Best Researcher Promotion starting September 26th, 2020 to reward and show our appreciation to our researchers. Through this promotion, which will run periodically throughout the year, we are on the lookout for the best researchers from each country who can help us identify critical vulnerabilities. \nFor the last two events, we had two really great researchers!\n#### ASRC UK's Country Best Researcher is dozybrit (@bpruston)\n#### ASRC India's Country Best Researcher is Vishal Singh(@umsvishal)\nThis promotion is a big challenge! We look forward to finding more excellent researchers. Are you ready?\nAll you have to do is surface bugs during the promotion period and we’ll have some special prizes up for grabs!\n\n# Promotion Period: \n26 September to 31 October 2020 (UTC+8)\n\n# Rewards:\nOnly the following vulnerability types are in scope for this promotion.\nOther types of valid vulnerabilities will still be rewarded, but are not included in this promotion.\n\n| Category | Description | Severity | Reward |\n| ------------- | ------------- | ------------- | ------------- |\n| Remote code execution | RCE on Production Network Servers. Executing the command \"curl http://ssrf.asrctest.com\" returns a page containing the string \"ewScgt51auzKg\" and a random Request ID | Critical | 8000 |\n| SSRF with full response | SSRF on Production Network Servers. 
Requesting the URL \"http://ssrf.asrctest.com/\" returns a page containing the string \"ewScgt51auzKg\" and a random Request ID | High | 3000 |\n\n# For submitting at least one valid high or critical vulnerability, you will receive:\n1. An ASRC customized backpack. Sample Image: \nhttps://img.alicdn.com/tfs/TB1kb5Vhsieb18jSZFvXXaI3FXa-800-800.jpg\n\n# Furthermore, those who win the title of the Country’s Best Researcher will be awarded:\n1. An ASRC (Alibaba Security Response Centre) Certificate. Sample Image: https://img.alicdn.com/tfs/TB1xvB5Bi_1gK0jSZFqXXcpaXXa-237-310.png \n2. An ASRC special package, which includes a backpack, a baseball cap, a sports water bottle and a sticker.  \n# How to be awarded ASRC's Country Best Researcher\n1. Researchers who submit the highest number of high and critical vulnerabilities during the promotion period will be rewarded.\n2. If 2 or more researchers from the same country submit the same number of high or critical severity vulnerabilities, we will award the Country’s Best Researcher title based on the time of report submission. \n3. If 2 or more researchers from different countries submit the same number of high or critical severity vulnerabilities, we will award all of them the Country’s Best Researcher title. \n\n# Rules of Engagement\n1. IMPORTANT: Please state in your report the country you’re based in, so that we can determine your eligibility.\n2. Researchers from China are not eligible to participate in this promotion, as there is another ongoing promotion dedicated to them.\n3. To deliver the prizes to you, we will reach out to retrieve your mailing address. 
\n\nUsual program rules apply and we’ll be announcing the winners when the campaign concludes.\n\nGood luck and stay safe!\nAlibaba Security Response Center Team\n\n-----------\n\nAlibaba BBP looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.\n\n# Response Targets\nAlibaba BBP will make the best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 5 days |\n| Time to Bounty | 2 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Policy\n* As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Access\nResearchers are free to create their own seller, buyer, etc., accounts on the in-scope applications. No credentials or privileged access will be provided by Alibaba, so accounts are limited to what users can create on their own.\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. 
Only interact with accounts you own or with the explicit permission of the account holder.\n\n# Scope\nFor the first stage of Alibaba's Bug Bounty Program, only listed targets are in scope. \nOther domains/assets owned by Alibaba but not listed are not in scope and are ineligible for bounty.\n\nYou may submit reports for assets that were previously listed in the [Alibaba Response Program](https://hackerone.com/alibaba_vdp) to the ASRC platform here: https://security.alibaba.com/\nWe may add those assets gradually in the next program phase. Stay tuned for updates!\n\n## _Things to note about the Scope_\n\n### Lazada scope\nLazada has revised its scope to include ALL Lazada domains, namely:\n*.lazada.com\n*.lazada.sg\n*.lazada.vn\n*.lazada.com.my\n*.lazada.com.ph\n*.lazada.co.id\n*.lazada.co.th\n\n### Please note that if an IP belongs to an external Alibaba Cloud customer, it is not in scope.\nIf an IP's description contains 'Alicloud' or 'Aliyun' in the search result here: http://wq.apnic.net/static/search.html , there is a high chance this IP belongs to an external Alibaba Cloud customer, which is not in scope. But please note that this is only a reference, not a hard and fast rule. If you are not sure and the impact is severe enough, you can submit it, and we will look into your report ASAP. \n\n### sellercenter.taobao.com|.tw\nsellercenter.taobao.com|.tw belongs to Lazada and is currently not in this program's scope.\n\n### Vulnerabilities in:\n \\*.anydomain.com|cn/[\\*/]login.htm\n \\*.anydomain.com|cn/[\\*/]mini[\\*]login.htm\n \\*.anydomain.com|cn/[\\*/]icbu[\\*]login.htm\nor URLs following similar patterns\nwill be considered as only ONE valid report, because they share the same back-end service. Likewise, vulnerabilities in different params of the same URL are considered as ONE valid report. \n\n### Aliyuncs.com\naliyuncs.com is not a 'trusted' domain in our business, so front-end vulnerabilities on it (XSS, CSRF, Open Redirection etc.) are not in scope. 
But server-side vulnerabilities on it are in scope.\n\n### Please note that the following vulnerability types will not be assessed higher than Medium severity:\nVulnerabilities that require a user to visit a certain URL or an attacker-controlled URL, for example: \n- Reflected XSS\n- Stored XSS that requires visiting a certain URL or user interaction\n- CSRF\n- CORS\n- JSONP Hijacking\n- OAuth Hijacking\n- Privilege Escalation\n- Unused or abandoned subdomain takeover\n- Arbitrary file upload that only leads to Stored XSS etc.\n\n## Assessment Guidelines for SSRF Vulnerability Severity\nAlibaba has identified four main types of SSRF for its businesses:\n1. SSRF on Production Network Services\n2. Blind SSRF on Production Network Services\n3. SSRF on Cloud Server\n4. Blind SSRF on Cloud Server \n\nPlease note that the severity of SSRFs may range from low to critical. We have prepared a document outlining how SSRF issues will be assessed, to give clarity to our researchers: https://security.alibaba.com/announcement/announcement?id=194.\n\n# Out of scope vulnerabilities\nThe following finding types are specifically excluded:\n· Vulnerabilities affecting users of outdated browsers or platforms\n· Account brute force\n· Account takeover via CSRF/OAuth etc.\n· Self-XSS\n· Flash-based XSS\n· Tabnabbing\n· Email spoofing\n· Session fixation\n· Content spoofing\n· Missing cookie flags\n· Best practices/issues\n· HTML content injection\n· Mixed content warnings\n· Clickjacking/UI redressing\n· HTTPS/SSL/TLS related issues\n· Physical or social engineering attacks\n· Reflected file download attacks (RFD)\n· Issues that require unlikely user interaction\n· Login/logout/unauthenticated/low-impact CSRF\n· Unverified results of automated tools or scanners\n· No SPF/DMARC on non-email domains/subdomains\n· Attacks requiring MITM or physical access to a user's device\n· Issues related to networking protocols or industry standards\n· Carriage Return Line Feed injection without direct impact 
(CRLF)\n· Error information disclosure that cannot be used to make a direct attack\n· Missing security-related HTTP headers which do not lead directly to a vulnerability\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\n# Contacting the team\n* Reports: You can communicate with H1 Team and ASRC Team directly under your H1 report.\n* Events \u0026 Info: ASRC will hold events frequently. See: https://security.alibaba.com/online . You can also follow our [Twitter](https://twitter.com/asrcsecurity) for updates.\n\nThank you for helping keep Alibaba and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-09-25T09:29:20.415Z"},{"id":3640704,"new_policy":"ASRC's Country Best Researcher Promotion - Leaderboard\nFor the full list of leaderboard and ranking for each country, please refer to our page on ASRC’s Twitter  https://twitter.com/AsrcSecurity\n\n-----------\n\nAlibaba BBP looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.\n\n# Response Targets\nAlibaba BBP will make the best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 5 days |\n| Time to Bounty | 2 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you 
informed about our progress throughout the process.\n\n# Disclosure Policy\n* As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Access\nResearchers are free to create their own seller, buyer, etc., accounts on the in-scope applications. No credentials or privileged access will be provided by Alibaba, so accounts are limited to what users can create on their own.\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n# Scope\nFor the first stage of Alibaba's Bug Bounty Program, only listed targets are in scope. \nOther domains/assets owned by Alibaba but not listed, are not in scope and are ineligible for bounty.\n\nYou may submit reports for assets that are previously listed in [Alibaba Response Program](https://hackerone.com/alibaba_vdp) to the ASRC platform here: https://security.alibaba.com/\nWe may add those assets gradually in the next program phase. Stay tuned for updates!\n\n## _Things to note about the Scope_\n\n### Lazada scope\nLazada has revised the scope and instead now to include ALL Lazada domains. 
Specifically, these are:\n*.lazada.com\n*.lazada.sg\n*.lazada.vn\n*.lazada.com.my\n*.lazada.com.ph\n*.lazada.co.id\n*.lazada.co.th\n\n### Please note that if an IP belongs to an Alibaba Cloud external customer, it's not in scope.\nIf an IP's description contains 'Alicloud' or 'Aliyun' in the search result here: http://wq.apnic.net/static/search.html , there is a high chance this IP belongs to an external Alibaba Cloud customer, which is not in scope. But please note that this is only a reference, not a hard and fast rule. If you are not sure and the impact is severe enough, you can submit it, and we will look into your report ASAP. \n\n### sellercenter.taobao.com|.tw\nsellercenter.taobao.com|.tw belongs to Lazada, and it's not in this program's scope now.\n\n### Vulnerabilities in:\n \\*.anydomain.com|cn/[\\*/]login.htm\n \\*.anydomain.com|cn/[\\*/]mini[\\*]login.htm\n \\*.anydomain.com|cn/[\\*/]icbu[\\*]login.htm\nor patterns like the above URLs\nwill be considered as only ONE valid report because they share the same back-end service. Also, vulnerabilities in different \nparams of the same URL are considered as ONE valid report. \n\n### Aliyuncs.com\naliyuncs.com is not a 'trusted' domain in our business, so front-end vulnerabilities such as XSS, CSRF, Open Redirection etc. are not in scope. 
But server-end vulnerabilities are in scope.\n\n### Please note that the following vulnerability types will not be assessed higher than Medium severity:\nVulnerabilities that require a user to visit a certain URL or an attacker-controlled URL, for example: \n- Reflected XSS\n- Stored XSS that requires visiting a certain URL or user interaction\n- CSRF\n- CORS\n- JSONP Hijacking\n- OAuth Hijacking\n- Privilege Escalation\n- Unused or abandoned subdomain takeover\n- Arbitrary file upload that only leads to Stored XSS etc.\n\n## Assessment Guidelines for SSRF Vulnerability Severity\nAlibaba has identified four main types of SSRF for its businesses:\n1. SSRF on Production Network Services\n2. Blind SSRF on Production Network Services\n3. SSRF on Cloud Server\n4. Blind SSRF on Cloud Server \n\nPlease note that the severity of SSRFs may range from low to critical. We have prepared a document outlining how SSRF issues will be assessed, to give clarity to our researchers: https://security.alibaba.com/announcement/announcement?id=194.\n\n# Out of scope vulnerabilities\nThe following finding types are specifically excluded:\n· Vulnerabilities affecting users of outdated browsers or platforms\n· Account brute force\n· Account takeover via CSRF/OAUTH etc.\n· Self-XSS\n· Flash-based XSS\n· Tabnabbing\n· Email spoofing\n· Session fixation\n· Content Spoofing\n· Missing cookie flags\n· Best practices/issues\n· HTML content injection\n· Mixed content warnings\n· Clickjacking/UI redressing\n· HTTPS/SSL/TLS Related Issues\n· Physical or social engineering attacks\n· Reflected file download attacks (RFD)\n· Issues that require unlikely user interaction\n· Login/logout/unauthenticated/low-impact CSRF\n· Unverified results of automated tools or scanners\n· No SPF/DMARC in non-email domains/subdomains\n· Attacks requiring MITM or physical access to a user's device\n· Issues related to networking protocols or industry standards\n· Carriage Return Line Feed injection without direct impact 
(CRLF)\n· Error information disclosure that cannot be used to make a direct attack\n· Missing security-related HTTP headers which do not lead directly to a vulnerability\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\n# Contacting the team\n* Reports: You can communicate with H1 Team and ASRC Team directly under your H1 report.\n* Events \u0026 Info: ASRC will hold events frequently. See: https://security.alibaba.com/online . You can also follow our [Twitter](https://twitter.com/asrcsecurity) for updates.\n\nThank you for helping keep Alibaba and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-07-30T12:41:38.090Z"},{"id":3640560,"new_policy":"ASRC's Country Best Researcher Promotion - Leaderboard\nFor the full list of leaderboard and ranking for each country, please refer to our page on ASRC’s Twitter  https://twitter.com/AsrcSecurity\n\n-----------\n\nAlibaba BBP looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.\n\n# Response Targets\nAlibaba BBP will make the best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 5 days |\n| Time to Bounty | 2 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you 
informed about our progress throughout the process.\n\n# Disclosure Policy\n* As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Access\nResearchers are free to create their own seller, buyer, etc., accounts on the in-scope applications. No credentials or privileged access will be provided by Alibaba, so accounts are limited to what users can create on their own.\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n# Scope\nFor the first stage of Alibaba's Bug Bounty Program, only listed targets are in scope. \nOther domains/assets owned by Alibaba but not listed, are not in scope and are ineligible for bounty.\n\nYou may submit reports for assets that are previously listed in [Alibaba Response Program](https://hackerone.com/alibaba_vdp) to the ASRC platform here: https://security.alibaba.com/\nWe may add those assets gradually in the next program phase. Stay tuned for updates!\n\n## _Things to note about the Scope_\n\n### Lazada scope\nLazada scope has a given subdomain lists. 
Only the following subdomains are in scope:\n- www.lazada.sg\n- pages.lazada.sg\n- checkout.lazada.sg\n- store.lazada.sg\n- cart.lazada.sg\n- member.lazada.sg\n- member-m.lazada.sg\n- my.lazada.sg\n- my-m.lazada.sg\nAll other lazada.sg subdomains and other country sites *.lazada.[vn|co.id|co.th|com.ph|com.my] are out of scope and will not be rewarded.\n\n### Please note that if an IP belongs to an Alibaba Cloud external customer, it's not in scope.\nIf an IP's description contains 'Alicloud' or 'Aliyun' in the search result here: http://wq.apnic.net/static/search.html , there is a high chance this IP belongs to an external Alibaba Cloud customer, which is not in scope. But please note that this is only a reference, not a hard and fast rule. If you are not sure and the impact is severe enough, you can submit it, and we will look into your report ASAP. \n\n### sellercenter.taobao.com|.tw\nsellercenter.taobao.com|.tw belongs to Lazada, and it's not in this program's scope now.\n\n### Vulnerabilities in:\n \\*.anydomain.com|cn/[\\*/]login.htm\n \\*.anydomain.com|cn/[\\*/]mini[\\*]login.htm\n \\*.anydomain.com|cn/[\\*/]icbu[\\*]login.htm\nor patterns like the above URLs\nwill be considered as only ONE valid report because they share the same back-end service. Also, vulnerabilities in different \nparams of the same URL are considered as ONE valid report. \n\n### Aliyuncs.com\naliyuncs.com is not a 'trusted' domain in our business, so front-end vulnerabilities such as XSS, CSRF, Open Redirection etc. are not in scope. 
But server-end vulnerabilities are in scope.\n\n### Please note that the following vulnerability types will not be assessed higher than Medium severity:\nVulnerabilities that require a user to visit a certain URL or an attacker-controlled URL, for example: \n- Reflected XSS\n- Stored XSS that requires visiting a certain URL or user interaction\n- CSRF\n- CORS\n- JSONP Hijacking\n- OAuth Hijacking\n- Privilege Escalation\n- Unused or abandoned subdomain takeover\n- Arbitrary file upload that only leads to Stored XSS etc.\n\n## Assessment Guidelines for SSRF Vulnerability Severity\nAlibaba has identified four main types of SSRF for its businesses:\n1. SSRF on Production Network Services\n2. Blind SSRF on Production Network Services\n3. SSRF on Cloud Server\n4. Blind SSRF on Cloud Server \n\nPlease note that the severity of SSRFs may range from low to critical. We have prepared a document outlining how SSRF issues will be assessed, to give clarity to our researchers: https://security.alibaba.com/announcement/announcement?id=194.\n\n# Out of scope vulnerabilities\nThe following finding types are specifically excluded:\n· Vulnerabilities affecting users of outdated browsers or platforms\n· Account brute force\n· Account takeover via CSRF/OAUTH etc.\n· Self-XSS\n· Flash-based XSS\n· Tabnabbing\n· Email spoofing\n· Session fixation\n· Content Spoofing\n· Missing cookie flags\n· Best practices/issues\n· HTML content injection\n· Mixed content warnings\n· Clickjacking/UI redressing\n· HTTPS/SSL/TLS Related Issues\n· Physical or social engineering attacks\n· Reflected file download attacks (RFD)\n· Issues that require unlikely user interaction\n· Login/logout/unauthenticated/low-impact CSRF\n· Unverified results of automated tools or scanners\n· No SPF/DMARC in non-email domains/subdomains\n· Attacks requiring MITM or physical access to a user's device\n· Issues related to networking protocols or industry standards\n· Carriage Return Line Feed injection without direct impact 
(CRLF)\n· Error information disclosure that cannot be used to make a direct attack\n· Missing security-related HTTP headers which do not lead directly to a vulnerability\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\n# Contacting the team\n* Reports: You can communicate with H1 Team and ASRC Team directly under your H1 report.\n* Events \u0026 Info: ASRC will hold events frequently. See: https://security.alibaba.com/online . You can also follow our [Twitter](https://twitter.com/asrcsecurity) for updates.\n\nThank you for helping keep Alibaba and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-07-28T06:43:03.417Z"},{"id":3637159,"new_policy":"# UPDATE (29 MAY 2020): Alibaba's Country Best Researcher Promotion - Leaderboard\n\nHere are our current top researchers from each country:\n\n| Country | Valid Report Hacker Username | Number of high/critical reports |\n| ------------- | ------------- | ------------- |\n| America | wunderwuzzi23  | 0 |\n| Canada | viper  | 0 |\n| India | neelponkia  | 0 |\n| Romania | harisec | 0 |\n| Sweden | p4fg | 0 |\n\nFor the full list of leaderboard and ranking for each country, please refer to our page on ASRC’s Twitter  https://twitter.com/AsrcSecurity\n\n-----------\n\nAlibaba BBP looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.\n\n# Response 
Targets\nAlibaba BBP will make a best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 5 days |\n| Time to Bounty | 2 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Policy\n* As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Access\nResearchers are free to create their own seller, buyer, etc., accounts on the in-scope applications. No credentials or privileged access will be provided by Alibaba, so accounts are limited to what users can create on their own.\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n# Scope\nFor the first stage of Alibaba's Bug Bounty Program, only listed targets are in scope. 
\nOther domains/assets owned by Alibaba but not listed are not in scope and are ineligible for bounty.\n\nYou may submit reports for assets that were previously listed in [Alibaba Response Program](https://hackerone.com/alibaba_vdp) to the ASRC platform here: https://security.alibaba.com/\nWe may add those assets gradually in the next program phase. Stay tuned for updates!\n\n## _Things to note about the Scope_\n\n### Lazada scope\nThe Lazada scope is limited to a fixed list of subdomains. Only the following subdomains are in scope:\n- www.lazada.sg\n- pages.lazada.sg\n- checkout.lazada.sg\n- store.lazada.sg\n- cart.lazada.sg\n- member.lazada.sg\n- member-m.lazada.sg\n- my.lazada.sg\n- my-m.lazada.sg\nAll other lazada.sg subdomains and other country sites *.lazada.[vn|co.id|co.th|com.ph|com.my] are out of scope and will not be rewarded.\n\n### Please note that if an IP belongs to an Alibaba Cloud external customer, it's not in scope.\nIf an IP's description contains 'Alicloud' or 'Aliyun' in the search result here: http://wq.apnic.net/static/search.html , there is a high chance this IP belongs to an external Alibaba Cloud customer, which is not in scope. But please note that this is only a reference, not a hard and fast rule. If you are not sure and the impact is severe enough, you can submit it, and we will look into your report ASAP. \n\n### sellercenter.taobao.com|.tw\nsellercenter.taobao.com|.tw belongs to Lazada, and it's not in this program's scope now.\n\n### Vulnerabilities in:\n \\*.anydomain.com|cn/[\\*/]login.htm\n \\*.anydomain.com|cn/[\\*/]mini[\\*]login.htm\n \\*.anydomain.com|cn/[\\*/]icbu[\\*]login.htm\nor patterns like the above URLs\nwill be considered as only ONE valid report because they share the same back-end service. Also, vulnerabilities in different \nparams of the same URL are considered as ONE valid report. \n\n### Aliyuncs.com\naliyuncs.com is not a 'trusted' domain in our business, so front-end vulnerabilities such as XSS, CSRF, Open Redirection etc. are not in scope. 
But server-end vulnerabilities are in scope.\n\n### Please note that the following vulnerability types will not be assessed higher than Medium severity:\nVulnerabilities that require a user to visit a certain URL or an attacker-controlled URL, for example: \n- Reflected XSS\n- Stored XSS that requires visiting a certain URL or user interaction\n- CSRF\n- CORS\n- JSONP Hijacking\n- OAuth Hijacking\n- Privilege Escalation\n- Unused or abandoned subdomain takeover\n- Arbitrary file upload that only leads to Stored XSS etc.\n\n## Assessment Guidelines for SSRF Vulnerability Severity\nAlibaba has identified four main types of SSRF for its businesses:\n1. SSRF on Production Network Services\n2. Blind SSRF on Production Network Services\n3. SSRF on Cloud Server\n4. Blind SSRF on Cloud Server \n\nPlease note that the severity of SSRFs may range from low to critical. We have prepared a document outlining how SSRF issues will be assessed, to give clarity to our researchers: https://security.alibaba.com/announcement/announcement?id=194.\n\n# Out of scope vulnerabilities\nThe following finding types are specifically excluded:\n· Vulnerabilities affecting users of outdated browsers or platforms\n· Account brute force\n· Account takeover via CSRF/OAUTH etc.\n· Self-XSS\n· Flash-based XSS\n· Tabnabbing\n· Email spoofing\n· Session fixation\n· Content Spoofing\n· Missing cookie flags\n· Best practices/issues\n· HTML content injection\n· Mixed content warnings\n· Clickjacking/UI redressing\n· HTTPS/SSL/TLS Related Issues\n· Physical or social engineering attacks\n· Reflected file download attacks (RFD)\n· Issues that require unlikely user interaction\n· Login/logout/unauthenticated/low-impact CSRF\n· Unverified results of automated tools or scanners\n· No SPF/DMARC in non-email domains/subdomains\n· Attacks requiring MITM or physical access to a user's device\n· Issues related to networking protocols or industry standards\n· Carriage Return Line Feed injection without direct impact 
(CRLF)\n· Error information disclosure that cannot be used to make a direct attack\n· Missing security-related HTTP headers which do not lead directly to a vulnerability\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\n# Contacting the team\n* Reports: You can communicate with H1 Team and ASRC Team directly under your H1 report.\n* Events \u0026 Info: ASRC will hold events frequently. See: https://security.alibaba.com/online . You can also follow our [Twitter](https://twitter.com/asrcsecurity) for updates.\n\nThank you for helping keep Alibaba and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-06-09T03:22:24.750Z"},{"id":3636898,"new_policy":"# UPDATE (29 MAY 2020): Alibaba's Country Best Researcher Promotion - Leaderboard\n\nHere are our current top researchers from each country:\n\n| Country | Valid Report Hacker Username | Number of high/critical reports |\n| ------------- | ------------- | ------------- |\n| America | wunderwuzzi23  | 0 |\n| Canada | viper  | 0 |\n| India | neelponkia  | 0 |\n| Romania | harisec | 0 |\n| Sweden | p4fg | 0 |\n\nFor the full list of leaderboard and ranking for each country, please refer to our page on ASRC’s Twitter  https://twitter.com/AsrcSecurity\n\n-----------\n\nAlibaba BBP looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.\n\n# Response 
Targets\nAlibaba BBP will make a best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 5 days |\n| Time to Bounty | 2 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Policy\n* As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Access\nResearchers are free to create their own seller, buyer, etc., accounts on the in-scope applications. No credentials or privileged access will be provided by Alibaba, so accounts are limited to what users can create on their own.\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n# Scope\nFor the first stage of Alibaba's Bug Bounty Program, only listed targets are in scope. 
\nOther domains/assets owned by Alibaba but not listed are not in scope and are ineligible for bounty.\n\nYou may submit reports for assets that were previously listed in [Alibaba Response Program](https://hackerone.com/alibaba_vdp) to the ASRC platform here: https://security.alibaba.com/\nWe may add those assets gradually in the next program phase. Stay tuned for updates!\n\n## _Things to note about the Scope_\n\n### Lazada scope\nThe Lazada scope is limited to a fixed list of subdomains. Only the following subdomains are in scope:\n- www.lazada.sg\n- pages.lazada.sg\n- checkout.lazada.sg\n- store.lazada.sg\n- cart.lazada.sg\n- member.lazada.sg\n- member-m.lazada.sg\n- my.lazada.sg\n- my-m.lazada.sg\nAll other lazada.sg subdomains and other country sites *.lazada.[vn|co.id|co.th|com.ph|com.my] are out of scope and will not be rewarded.\n\n### Please note that if an IP belongs to an Alibaba Cloud external customer, it's not in scope.\nIf an IP's description contains 'Alicloud' or 'Aliyun' in the search result here: http://wq.apnic.net/static/search.html , there is a high chance this IP belongs to an external Alibaba Cloud customer, which is not in scope. But please note that this is only a reference, not a hard and fast rule. If you are not sure and the impact is severe enough, you can submit it, and we will look into your report ASAP. \n\n### sellercenter.taobao.com|.tw\nsellercenter.taobao.com|.tw belongs to Lazada, and it's not in this program's scope now.\n\n### Vulnerabilities in:\n \\*.anydomain.com|cn/[\\*/]login.htm\n \\*.anydomain.com|cn/[\\*/]mini[\\*]login.htm\n \\*.anydomain.com|cn/[\\*/]icbu[\\*]login.htm\nor patterns like the above URLs\nwill be considered as only ONE valid report because they share the same back-end service. Also, vulnerabilities in different \nparams of the same URL are considered as ONE valid report. \n\n### Aliyuncs.com\naliyuncs.com is not a 'trusted' domain in our business, so front-end vulnerabilities such as XSS, CSRF, Open Redirection etc. are not in scope. 
But server-end vulnerabilities are in scope.\n\n### Please note that the following vulnerability types will not be assessed higher than Medium severity:\nVulnerabilities that require a user to visit a certain URL or an attacker-controlled URL, for example: \n- Reflected XSS\n- Stored XSS that requires visiting a certain URL or user interaction\n- CSRF\n- CORS\n- JSONP Hijacking\n- OAuth Hijacking\n- Privilege Escalation\n- Unused or abandoned subdomain takeover\n- Arbitrary file upload that only leads to Stored XSS etc.\n\n### SSRF\nAlibaba has identified four main types of SSRF for its businesses:\n1. SSRF on Production Network Services\n2. Blind SSRF on Production Network Services\n3. SSRF on Cloud Server\n4. Blind SSRF on Cloud Server \n\nPlease note that the severity of SSRFs may range from low to critical. We have prepared a document outlining how SSRF issues will be assessed, to give clarity to our researchers: https://security.alibaba.com/announcement/announcement?id=194.\n\n# Out of scope vulnerabilities\nThe following finding types are specifically excluded:\n· Vulnerabilities affecting users of outdated browsers or platforms\n· Account brute force\n· Account takeover via CSRF/OAUTH etc.\n· Self-XSS\n· Flash-based XSS\n· Tabnabbing\n· Email spoofing\n· Session fixation\n· Content Spoofing\n· Missing cookie flags\n· Best practices/issues\n· HTML content injection\n· Mixed content warnings\n· Clickjacking/UI redressing\n· HTTPS/SSL/TLS Related Issues\n· Physical or social engineering attacks\n· Reflected file download attacks (RFD)\n· Issues that require unlikely user interaction\n· Login/logout/unauthenticated/low-impact CSRF\n· Unverified results of automated tools or scanners\n· No SPF/DMARC in non-email domains/subdomains\n· Attacks requiring MITM or physical access to a user's device\n· Issues related to networking protocols or industry standards\n· Carriage Return Line Feed injection without direct impact (CRLF)\n· Error information disclosure that cannot be used to make 
a direct attack\n· Missing security-related HTTP headers which do not lead directly to a vulnerability\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\n# Contacting the team\n* Reports: You can communicate with H1 Team and ASRC Team directly under your H1 report.\n* Events \u0026 Info: ASRC will hold events frequently. See: https://security.alibaba.com/online . You can also follow our [Twitter](https://twitter.com/asrcsecurity) for updates.\n\nThank you for helping keep Alibaba and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-06-01T12:05:37.052Z"},{"id":3636837,"new_policy":"# UPDATE (29 MAY 2020): Alibaba's Country Best Researcher Promotion - Leaderboard\n\nHere are our current top researchers from each country:\n\n| Country | Valid Report Hacker Username | Number of high/critical reports |\n| ------------- | ------------- | ------------- |\n| America | wunderwuzzi23  | 0 |\n| Canada | viper  | 0 |\n| India | neelponkia  | 0 |\n| Romania | harisec | 0 |\n| Sweden | p4fg | 0 |\n\nFor the full list of leaderboard and ranking for each country, please refer to our page on ASRC’s Twitter  https://twitter.com/AsrcSecurity\n\n-----------\n\nAlibaba BBP looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.\n\n# Response Targets\nAlibaba BBP will make a best effort to meet the following SLAs for 
hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 5 days |\n| Time to Bounty | 2 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Policy\n* As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Access\nResearchers are free to create their own seller, buyer, etc., accounts on the in-scope applications. No credentials or privileged access will be provided by Alibaba, so accounts are limited to what users can create on their own.\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n# Scope\nFor the first stage of Alibaba's Bug Bounty Program, only listed targets are in scope. 
\nOther domains/assets owned by Alibaba but not listed are not in scope and are ineligible for bounty.\n\nYou may submit reports for assets that were previously listed in the [Alibaba Response Program](https://hackerone.com/alibaba_vdp) to the ASRC platform here: https://security.alibaba.com/\nWe may add those assets gradually in the next program phase. Stay tuned for updates!\n\n## _Things to note about the Scope_\n### Please note that if an IP belongs to an external Alibaba Cloud customer, it's not in scope.\nIf an IP's description contains 'Alicloud' or 'Aliyun' in the search result here: http://wq.apnic.net/static/search.html , there is a high chance this IP belongs to an external Alibaba Cloud customer, which is not in scope. Please note that this is only a reference, not a hard and fast rule. If you are not sure and the impact is severe enough, you can submit it, and we will look into your report ASAP. \n\n### sellercenter.taobao.com|.tw\nsellercenter.taobao.com|.tw belongs to Lazada, and it's not in this program's scope at this time.\n\n### Vulnerabilities in:\n \\*.anydomain.com|cn/[\\*/]login.htm\n \\*.anydomain.com|cn/[\\*/]mini[\\*]login.htm\n \\*.anydomain.com|cn/[\\*/]icbu[\\*]login.htm\nor URLs matching patterns like the above\nwill be counted as only ONE valid report, because they are served by the same back-end service. Likewise, vulnerabilities in different \nparameters of the same URL are counted as ONE valid report. \n\n### Aliyuncs.com\naliyuncs.com is not a 'trusted' domain in our business, so front-end vulnerabilities on it (XSS, CSRF, Open Redirection, etc.) are not in scope. 
Server-side vulnerabilities on it, however, are in scope.\n\n### Please note that the severity of the following vulnerability types will not be rated higher than Medium:\nVulnerabilities that require the user to visit a certain URL or an attacker-controlled URL, for example: \n- Reflected XSS\n- Stored XSS that requires the victim to visit a specific URL or needs user interaction\n- CSRF\n- CORS misconfiguration\n- JSONP Hijacking\n- OAuth Hijacking\n- Privilege Escalation\n- Unused or abandoned subdomain takeover\n- Arbitrary file upload that only leads to Stored XSS, etc.\n\n### SSRF\nAlibaba has identified four main types of SSRF for its businesses:\n1. SSRF on Production Network Services\n2. Blind SSRF on Production Network Services\n3. SSRF on Cloud Server\n4. Blind SSRF on Cloud Server\n\nPlease note that the severity of SSRFs may range from Low to Critical. We have prepared a document outlining how SSRF issues will be assessed, to give clarity to our researchers: https://security.alibaba.com/announcement/announcement?id=194.\n\n# Out of scope vulnerabilities\nThe following finding types are specifically excluded:\n· Vulnerabilities affecting users of outdated browsers or platforms\n· Account brute force\n· Account takeover via CSRF/OAuth etc.\n· Self-XSS\n· Flash-based XSS\n· Tabnabbing\n· Email spoofing\n· Session fixation\n· Content spoofing\n· Missing cookie flags\n· Best practices/issues\n· HTML content injection\n· Mixed content warnings\n· Clickjacking/UI redressing\n· HTTPS/SSL/TLS related issues\n· Physical or social engineering attacks\n· Reflected file download attacks (RFD)\n· Issues that require unlikely user interaction\n· Login/logout/unauthenticated/low-impact CSRF\n· Unverified results of automated tools or scanners\n· No SPF/DMARC on non-email domains/subdomains\n· Attacks requiring MITM or physical access to a user's device\n· Issues related to networking protocols or industry standards\n· Carriage Return Line Feed (CRLF) injection without direct impact\n· Error information disclosure that cannot be used to make 
a direct attack\n· Missing security-related HTTP headers which do not lead directly to a vulnerability\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\n# Contacting the team\n* Reports: You can communicate with H1 Team and ASRC Team directly under your H1 report.\n* Events \u0026 Info: ASRC will hold events frequently. See: https://security.alibaba.com/online . You can also follow our [Twitter](https://twitter.com/asrcsecurity) for updates.\n\nThank you for helping keep Alibaba and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-05-29T13:30:20.463Z"},{"id":3636832,"new_policy":"# UPDATE (29 MAY 2020): Alibaba's Country Best Researcher Promotion - Leaderboard\n\nHere are our current top researchers from each country:\n\n| Country | Valid Report Hacker Username | Number of high/critical reports |\n| ------------- | ------------- | ------------- |\n| America | wunderwuzzi23  | 0 |\n| Canada | viper  | 0 |\n| India | neelponkia  | 0 |\n| Romania | harisec | 0 |\n| Sweden | p4fg | 0 |\n\nFor the full list of leaderboard and ranking for each country, please refer to our page on ASRC’s Twitter  https://twitter.com/AsrcSecurity\n\n-----------\n\nAlibaba BBP looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.\n\n# Response Targets\nAlibaba BBP will make a best effort to meet the following SLAs for 
hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 5 days |\n| Time to Bounty | 2 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Policy\n* As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Access\nResearchers are free to create their own seller, buyer, etc., accounts on the in-scope applications. No credentials or privileged access will be provided by Alibaba, so accounts are limited to what users can create on their own.\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n# Scope\nFor the first stage of Alibaba's Bug Bounty Program, only listed targets are in scope. 
\nOther domains/assets owned by Alibaba but not listed are not in scope and are ineligible for bounty.\n\nYou may submit reports for assets that were previously listed in the [Alibaba Response Program](https://hackerone.com/alibaba_vdp) to the ASRC platform here: https://security.alibaba.com/\nWe may add those assets gradually in the next program phase. Stay tuned for updates!\n\n## _Things to note about the Scope_\n### Please note that if an IP belongs to an external Alibaba Cloud customer, it's not in scope.\nIf an IP's description contains 'Alicloud' or 'Aliyun' in the search result here: http://wq.apnic.net/static/search.html , there is a high chance this IP belongs to an external Alibaba Cloud customer, which is not in scope. Please note that this is only a reference, not a hard and fast rule. If you are not sure and the impact is severe enough, you can submit it, and we will look into your report ASAP. \n\n### sellercenter.taobao.com|.tw\nsellercenter.taobao.com|.tw belongs to Lazada, and it's not in this program's scope at this time.\n\n### Vulnerabilities in:\n \\*.anydomain.com|cn/[\\*/]login.htm\n \\*.anydomain.com|cn/[\\*/]mini[\\*]login.htm\n \\*.anydomain.com|cn/[\\*/]icbu[\\*]login.htm\nor URLs matching patterns like the above\nwill be counted as only ONE valid report, because they are served by the same back-end service. Likewise, vulnerabilities in different \nparameters of the same URL are counted as ONE valid report. \n\n### Aliyuncs.com\naliyuncs.com is not a 'trusted' domain in our business, so front-end vulnerabilities on it (XSS, CSRF, Open Redirection, etc.) are not in scope. 
Server-side vulnerabilities on it, however, are in scope.\n\n### Please note that the severity of the following vulnerability types will not be rated higher than Medium:\nVulnerabilities that require the user to visit a certain URL or an attacker-controlled URL, for example: \n- Reflected XSS\n- CSRF\n- CORS misconfiguration\n- JSONP Hijacking\n- OAuth Hijacking\n- Privilege Escalation\n- Unused or abandoned subdomain takeover\n- Arbitrary file upload that only leads to Stored XSS, etc.\n\n# Out of scope vulnerabilities\nThe following finding types are specifically excluded:\n· Vulnerabilities affecting users of outdated browsers or platforms\n· Account brute force\n· Account takeover via CSRF/OAuth etc.\n· Self-XSS\n· Flash-based XSS\n· Tabnabbing\n· Email spoofing\n· Session fixation\n· Content spoofing\n· Missing cookie flags\n· Best practices/issues\n· HTML content injection\n· Mixed content warnings\n· Clickjacking/UI redressing\n· HTTPS/SSL/TLS related issues\n· Physical or social engineering attacks\n· Reflected file download attacks (RFD)\n· Issues that require unlikely user interaction\n· Login/logout/unauthenticated/low-impact CSRF\n· Unverified results of automated tools or scanners\n· No SPF/DMARC on non-email domains/subdomains\n· Attacks requiring MITM or physical access to a user's device\n· Issues related to networking protocols or industry standards\n· Carriage Return Line Feed (CRLF) injection without direct impact\n· Error information disclosure that cannot be used to make a direct attack\n· Missing security-related HTTP headers which do not lead directly to a vulnerability\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\n# Contacting the team\n* Reports: You can communicate with H1 Team and ASRC Team directly under your H1 report.\n* Events \u0026 Info: ASRC will hold events frequently. See: https://security.alibaba.com/online . You can also follow our [Twitter](https://twitter.com/asrcsecurity) for updates.\n\nThank you for helping keep Alibaba and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-05-29T12:35:09.553Z"},{"id":3636831,"new_policy":"# UPDATE (21 MAY 2020): Alibaba's Country Best Researcher Promotion - Leaderboard\n\nHere are our current top researchers from each country:\n\n| Country | Valid Report Hacker Username | Number of high/critical reports |\n| ------------- | ------------- | ------------- |\n| America | wunderwuzzi23  | 0 |\n| Canada | viper  | 0 |\n| India | neelponkia  | 0 |\n| Romania | harisec | 0 |\n| Sweden | p4fg | 0 |\n\nFor the full list of leaderboard and ranking for each country, please refer to our page on ASRC’s Twitter  https://twitter.com/AsrcSecurity\n\n-----------\n\nAlibaba BBP looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.\n\n# Response Targets\nAlibaba BBP will make a best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 5 days |\n| Time to Bounty | 2 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll 
try to keep you informed about our progress throughout the process.\n\n# Disclosure Policy\n* As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Access\nResearchers are free to create their own seller, buyer, etc., accounts on the in-scope applications. No credentials or privileged access will be provided by Alibaba, so accounts are limited to what users can create on their own.\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n# Scope\nFor the first stage of Alibaba's Bug Bounty Program, only listed targets are in scope. \nOther domains/assets owned by Alibaba but not listed, are not in scope and are ineligible for bounty.\n\nYou may submit reports for assets that are previously listed in [Alibaba Response Program](https://hackerone.com/alibaba_vdp) to the ASRC platform here: https://security.alibaba.com/\nWe may add those assets gradually in the next program phase. 
Stay tuned for updates!\n\n## _Things to note about the Scope_\n### Please note that if an IP belongs to an external Alibaba Cloud customer, it's not in scope.\nIf an IP's description contains 'Alicloud' or 'Aliyun' in the search result here: http://wq.apnic.net/static/search.html , there is a high chance this IP belongs to an external Alibaba Cloud customer, which is not in scope. Please note that this is only a reference, not a hard and fast rule. If you are not sure and the impact is severe enough, you can submit it, and we will look into your report ASAP. \n\n### sellercenter.taobao.com|.tw\nsellercenter.taobao.com|.tw belongs to Lazada, and it's not in this program's scope at this time.\n\n### Vulnerabilities in:\n \\*.anydomain.com|cn/[\\*/]login.htm\n \\*.anydomain.com|cn/[\\*/]mini[\\*]login.htm\n \\*.anydomain.com|cn/[\\*/]icbu[\\*]login.htm\nor URLs matching patterns like the above\nwill be counted as only ONE valid report, because they are served by the same back-end service. Likewise, vulnerabilities in different \nparameters of the same URL are counted as ONE valid report. \n\n### Aliyuncs.com\naliyuncs.com is not a 'trusted' domain in our business, so front-end vulnerabilities on it (XSS, CSRF, Open Redirection, etc.) are not in scope. 
Server-side vulnerabilities on it, however, are in scope.\n\n### Please note that the severity of the following vulnerability types will not be rated higher than Medium:\nVulnerabilities that require the user to visit a certain URL or an attacker-controlled URL, for example: \n- Reflected XSS\n- CSRF\n- CORS misconfiguration\n- JSONP Hijacking\n- OAuth Hijacking\n- Privilege Escalation\n- Unused or abandoned subdomain takeover\n- Arbitrary file upload that only leads to Stored XSS, etc.\n\n# Out of scope vulnerabilities\nThe following finding types are specifically excluded:\n· Vulnerabilities affecting users of outdated browsers or platforms\n· Account brute force\n· Account takeover via CSRF/OAuth etc.\n· Self-XSS\n· Flash-based XSS\n· Tabnabbing\n· Email spoofing\n· Session fixation\n· Content spoofing\n· Missing cookie flags\n· Best practices/issues\n· HTML content injection\n· Mixed content warnings\n· Clickjacking/UI redressing\n· HTTPS/SSL/TLS related issues\n· Physical or social engineering attacks\n· Reflected file download attacks (RFD)\n· Issues that require unlikely user interaction\n· Login/logout/unauthenticated/low-impact CSRF\n· Unverified results of automated tools or scanners\n· No SPF/DMARC on non-email domains/subdomains\n· Attacks requiring MITM or physical access to a user's device\n· Issues related to networking protocols or industry standards\n· Carriage Return Line Feed (CRLF) injection without direct impact\n· Error information disclosure that cannot be used to make a direct attack\n· Missing security-related HTTP headers which do not lead directly to a vulnerability\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\n# Contacting the team\n* Reports: You can communicate with H1 Team and ASRC Team directly under your H1 report.\n* Events \u0026 Info: ASRC will hold events frequently. See: https://security.alibaba.com/online . You can also follow our [Twitter](https://twitter.com/asrcsecurity) for updates.\n\nThank you for helping keep Alibaba and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-05-29T12:34:34.840Z"},{"id":3636538,"new_policy":"# UPDATE (21 MAY 2020): Alibaba's Country Best Researcher Promotion - Leaderboard\n\nHere are our current top researchers from each country:\n\n| Country | Valid Report Hacker Username | Number of high/critical reports |\n| ------------- | ------------- | ------------- |\n| Australia | testert1ng | 1 |\n| Latvia | faloker | 0 |\n| Pakistan | zee_shan  | 0 |\n| Turkey | hitoriibocchi | 0 |\n| Vietnam | langduvnsec | 0 |\n\nFor the full list of leaderboard and ranking for each country, please refer to our page on ASRC’s Twitter  https://twitter.com/AsrcSecurity\n\n-----------\n\nAlibaba BBP looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.\n\n# Response Targets\nAlibaba BBP will make a best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 5 days |\n| Time to Bounty | 2 days |\n| Time to Resolution | depends on severity and complexity 
|\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Policy\n* As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Access\nResearchers are free to create their own seller, buyer, etc., accounts on the in-scope applications. No credentials or privileged access will be provided by Alibaba, so accounts are limited to what users can create on their own.\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n# Scope\nFor the first stage of Alibaba's Bug Bounty Program, only listed targets are in scope. \nOther domains/assets owned by Alibaba but not listed, are not in scope and are ineligible for bounty.\n\nYou may submit reports for assets that are previously listed in [Alibaba Response Program](https://hackerone.com/alibaba_vdp) to the ASRC platform here: https://security.alibaba.com/\nWe may add those assets gradually in the next program phase. 
Stay tuned for updates!\n\n## _Things to note about the Scope_\n### Please note that if an IP belongs to an external Alibaba Cloud customer, it's not in scope.\nIf an IP's description contains 'Alicloud' or 'Aliyun' in the search result here: http://wq.apnic.net/static/search.html , there is a high chance this IP belongs to an external Alibaba Cloud customer, which is not in scope. Please note that this is only a reference, not a hard and fast rule. If you are not sure and the impact is severe enough, you can submit it, and we will look into your report ASAP. \n\n### sellercenter.taobao.com|.tw\nsellercenter.taobao.com|.tw belongs to Lazada, and it's not in this program's scope at this time.\n\n### Vulnerabilities in:\n \\*.anydomain.com|cn/[\\*/]login.htm\n \\*.anydomain.com|cn/[\\*/]mini[\\*]login.htm\n \\*.anydomain.com|cn/[\\*/]icbu[\\*]login.htm\nor URLs matching patterns like the above\nwill be counted as only ONE valid report, because they are served by the same back-end service. Likewise, vulnerabilities in different \nparameters of the same URL are counted as ONE valid report. \n\n### Aliyuncs.com\naliyuncs.com is not a 'trusted' domain in our business, so front-end vulnerabilities on it (XSS, CSRF, Open Redirection, etc.) are not in scope. 
Server-side vulnerabilities on it, however, are in scope.\n\n### Please note that the severity of the following vulnerability types will not be rated higher than Medium:\nVulnerabilities that require the user to visit a certain URL or an attacker-controlled URL, for example: \n- Reflected XSS\n- CSRF\n- CORS misconfiguration\n- JSONP Hijacking\n- OAuth Hijacking\n- Privilege Escalation\n- Unused or abandoned subdomain takeover\n- Arbitrary file upload that only leads to Stored XSS, etc.\n\n# Out of scope vulnerabilities\nThe following finding types are specifically excluded:\n· Vulnerabilities affecting users of outdated browsers or platforms\n· Account brute force\n· Account takeover via CSRF/OAuth etc.\n· Self-XSS\n· Flash-based XSS\n· Tabnabbing\n· Email spoofing\n· Session fixation\n· Content spoofing\n· Missing cookie flags\n· Best practices/issues\n· HTML content injection\n· Mixed content warnings\n· Clickjacking/UI redressing\n· HTTPS/SSL/TLS related issues\n· Physical or social engineering attacks\n· Reflected file download attacks (RFD)\n· Issues that require unlikely user interaction\n· Login/logout/unauthenticated/low-impact CSRF\n· Unverified results of automated tools or scanners\n· No SPF/DMARC on non-email domains/subdomains\n· Attacks requiring MITM or physical access to a user's device\n· Issues related to networking protocols or industry standards\n· Carriage Return Line Feed (CRLF) injection without direct impact\n· Error information disclosure that cannot be used to make a direct attack\n· Missing security-related HTTP headers which do not lead directly to a vulnerability\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\n# Contacting the team\n* Reports: You can communicate with H1 Team and ASRC Team directly under your H1 report.\n* Events \u0026 Info: ASRC will hold events frequently. See: https://security.alibaba.com/online . You can also follow our [Twitter](https://twitter.com/asrcsecurity) for updates.\n\nThank you for helping keep Alibaba and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-05-21T09:32:59.377Z"},{"id":3636155,"new_policy":"# UPDATE (13 MAY 2020): Alibaba's Country Best Researcher Promotion - Leaderboard\n\nHere are our current top researchers from each country:\n\n| Country | Valid Report Hacker Username | Number of high/critical reports |\n| ------------- | ------------- | ------------- |\n| Australia | hughesey | 1 |\n| India | pwn_box | 0 |\n| Indonesia | rootbakar_ | 0 |\n| South Korea | rexvuz | 0 |\n| Sweden | p4fg | 0 |\n\nFor the full list of leaderboard and ranking for each country, please refer to our page on ASRC’s Twitter  https://twitter.com/AsrcSecurity\n\n-----------\n\nAlibaba BBP looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.\n\n# Response Targets\nAlibaba BBP will make a best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 5 days |\n| Time to Bounty | 2 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll 
try to keep you informed about our progress throughout the process.\n\n# Disclosure Policy\n* As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Access\nResearchers are free to create their own seller, buyer, etc., accounts on the in-scope applications. No credentials or privileged access will be provided by Alibaba, so accounts are limited to what users can create on their own.\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n# Scope\nFor the first stage of Alibaba's Bug Bounty Program, only listed targets are in scope. \nOther domains/assets owned by Alibaba but not listed, are not in scope and are ineligible for bounty.\n\nYou may submit reports for assets that are previously listed in [Alibaba Response Program](https://hackerone.com/alibaba_vdp) to the ASRC platform here: https://security.alibaba.com/\nWe may add those assets gradually in the next program phase. 
Stay tuned for updates!\n\n## _Things to note about the Scope_\n### Please note that if an IP belongs to an external Alibaba Cloud customer, it's not in scope.\nIf an IP's description contains 'Alicloud' or 'Aliyun' in the search result here: http://wq.apnic.net/static/search.html , there is a high chance this IP belongs to an external Alibaba Cloud customer, which is not in scope. Please note that this is only a reference, not a hard and fast rule. If you are not sure and the impact is severe enough, you can submit it, and we will look into your report ASAP. \n\n### sellercenter.taobao.com|.tw\nsellercenter.taobao.com|.tw belongs to Lazada, and it's not in this program's scope at this time.\n\n### Vulnerabilities in:\n \\*.anydomain.com|cn/[\\*/]login.htm\n \\*.anydomain.com|cn/[\\*/]mini[\\*]login.htm\n \\*.anydomain.com|cn/[\\*/]icbu[\\*]login.htm\nor URLs matching patterns like the above\nwill be counted as only ONE valid report, because they are served by the same back-end service. Likewise, vulnerabilities in different \nparameters of the same URL are counted as ONE valid report. \n\n### Aliyuncs.com\naliyuncs.com is not a 'trusted' domain in our business, so front-end vulnerabilities on it (XSS, CSRF, Open Redirection, etc.) are not in scope. 
Server-side vulnerabilities on it, however, are in scope.\n\n### Please note that the severity of the following vulnerability types will not be rated higher than Medium:\nVulnerabilities that require the user to visit a certain URL or an attacker-controlled URL, for example: \n- Reflected XSS\n- CSRF\n- CORS misconfiguration\n- JSONP Hijacking\n- OAuth Hijacking\n- Privilege Escalation\n- Unused or abandoned subdomain takeover\n- Arbitrary file upload that only leads to Stored XSS, etc.\n\n# Out of scope vulnerabilities\nThe following finding types are specifically excluded:\n· Vulnerabilities affecting users of outdated browsers or platforms\n· Account brute force\n· Account takeover via CSRF/OAuth etc.\n· Self-XSS\n· Flash-based XSS\n· Tabnabbing\n· Email spoofing\n· Session fixation\n· Content spoofing\n· Missing cookie flags\n· Best practices/issues\n· HTML content injection\n· Mixed content warnings\n· Clickjacking/UI redressing\n· HTTPS/SSL/TLS related issues\n· Physical or social engineering attacks\n· Reflected file download attacks (RFD)\n· Issues that require unlikely user interaction\n· Login/logout/unauthenticated/low-impact CSRF\n· Unverified results of automated tools or scanners\n· No SPF/DMARC on non-email domains/subdomains\n· Attacks requiring MITM or physical access to a user's device\n· Issues related to networking protocols or industry standards\n· Carriage Return Line Feed (CRLF) injection without direct impact\n· Error information disclosure that cannot be used to make a direct attack\n· Missing security-related HTTP headers which do not lead directly to a vulnerability\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\n# Contacting the team\n* Reports: You can communicate with H1 Team and ASRC Team directly under your H1 report.\n* Events \u0026 Info: ASRC will hold events frequently. See: https://security.alibaba.com/online . You can also follow our [Twitter](https://twitter.com/asrcsecurity) for updates.\n\nThank you for helping keep Alibaba and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-05-13T09:30:11.670Z"},{"id":3635875,"new_policy":"# UPDATE (30 APRIL 2020): Alibaba's Country Best Researcher Promotion - Leaderboard\n\nHere are our current top researchers from each country:\n\n| Country | Valid Report Hacker Username | Number of high/critical reports |\n| ------------- | ------------- | ------------- |\n| Australia | hughesey | 1|\n| Argentina | zonduu | 0|\n| Belgium | honoki | 0 |\n| Brazil | 1991z | 0 |\n| India | shaikhyaser | 0 |\n\nFor the full list of leaderboard and ranking for each country, please refer to our page on ASRC’s Twitter  https://twitter.com/AsrcSecurity\n\n-----------\n\nAlibaba BBP looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.\n\n# Response Targets\nAlibaba BBP will make a best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 5 days |\n| Time to Bounty | 2 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try 
to keep you informed about our progress throughout the process.\n\n# Disclosure Policy\n* As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Access\nResearchers are free to create their own seller, buyer, etc., accounts on the in-scope applications. No credentials or privileged access will be provided by Alibaba, so accounts are limited to what users can create on their own.\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n# Scope\nFor the first stage of Alibaba's Bug Bounty Program, only listed targets are in scope. \nOther domains/assets owned by Alibaba but not listed are not in scope and are ineligible for bounty.\n\nYou may submit reports for assets that were previously listed in the [Alibaba Response Program](https://hackerone.com/alibaba_vdp) to the ASRC platform here: https://security.alibaba.com/\nWe may add those assets gradually in the next program phase. 
Stay tuned for updates!\n\n## _Things to note about the Scope_\n### Please note that if an IP belongs to an external Alibaba Cloud customer, it's not in scope.\nIf an IP's description contains 'Alicloud' or 'Aliyun' in the search result here: http://wq.apnic.net/static/search.html , there is a high chance this IP belongs to an external Alibaba Cloud customer, which is not in scope. But please note that this is only a reference, not a hard and fast rule. If you are not sure and the impact is severe enough, you can submit it, and we will look into your report ASAP. \n\n### sellercenter.taobao.com|.tw\nsellercenter.taobao.com|.tw belongs to Lazada, and it's not in this program's scope now.\n\n### Vulnerabilities in:\n \\*.anydomain.com|cn/[\\*/]login.htm\n \\*.anydomain.com|cn/[\\*/]mini[\\*]login.htm\n \\*.anydomain.com|cn/[\\*/]icbu[\\*]login.htm\nor patterns like the above URLs,\nwill be considered as only ONE valid report because they share the same back-end service. Also, vulnerabilities on different \nparams of the same URL are considered as ONE valid report. \n\n### Aliyuncs.com\naliyuncs.com is not a 'trusted' domain in our business, so front-end vulnerabilities such as XSS, CSRF, Open Redirection etc. are not in scope. 
But server-side vulnerabilities are in scope.\n\n### Please note that the following types of vulnerabilities will not be rated higher than Medium severity:\nVulnerabilities that require the user to visit a certain URL or an attacker-controlled URL, for example: \n- Reflected XSS\n- CSRF\n- CORS\n- Jsonp Hijacking\n- OAuth Hijacking\n- Privilege Escalation\n- Unused or abandoned subdomain takeover\n- Arbitrary file upload that only leads to Stored XSS etc.\n\n\n# Out of scope vulnerabilities\nThe following finding types are specifically excluded:\n· Vulnerabilities affecting users of outdated browsers or platforms\n· Account brute force\n· Account takeover via CSRF/OAUTH etc.\n· Self-XSS\n· Flash-based XSS\n· Tabnabbing\n· Email Spoof\n· Session fixation\n· Content Spoofing\n· Missing cookie flags\n· Best practices/issues\n· HTML content injection\n· Mixed content warnings\n· Clickjacking/UI redressing\n· HTTPS/SSL/TLS Related Issues\n· Physical or social engineering attacks\n· Reflected file download attacks (RFD)\n· Issues that require unlikely user interaction\n· Login/logout/unauthenticated/low-impact CSRF\n· Unverified Results of automated tools or scanners\n· No SPF/DMARC in non-email domains/subdomains\n· Attacks requiring MITM or physical access to a user's device\n· Issues related to networking protocols or industry standards\n· Carriage Return Line Feed injection without direct impact (CRLF)\n· Error information disclosure that cannot be used to make a direct attack\n· Missing security-related HTTP headers which do not lead directly to a vulnerability\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\n# Contacting the team\n* Reports: You can communicate with H1 Team and ASRC Team directly under your H1 report.\n* Events \u0026 Info: ASRC will hold events frequently. See: https://security.alibaba.com/online . You can also follow our [Twitter](https://twitter.com/asrcsecurity) for updates.\n\nThank you for helping keep Alibaba and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-05-06T03:17:59.044Z"},{"id":3635643,"new_policy":"# UPDATE (30 APRIL 2020): Alibaba's Country Best Researcher Promotion - Leaderboard\n\nHere are our current top researchers from each country:\n\n| Country | Valid Report Hacker Username | Number of high/critical reports |\n| ------------- | ------------- | ------------- |\n| Australia | hughesey | 1|\n| Argentina | zonduu | 0|\n| Belgium | honoki | 0 |\n| Brazil | 1991z | 0 |\n| India | shaikhyaser | 0 |\n\nFor the full list of leaderboard and ranking for each country, please refer to our page on ASRC’s Twitter  https://twitter.com/AsrcSecurity\n\n\nAlibaba BBP looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.\n\n# Response Targets\nAlibaba BBP will make a best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 5 days |\n| Time to Bounty | 2 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you 
informed about our progress throughout the process.\n\n# Disclosure Policy\n* As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Access\nResearchers are free to create their own seller, buyer, etc., accounts on the in-scope applications. No credentials or privileged access will be provided by Alibaba, so accounts are limited to what users can create on their own.\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n# Scope\nFor the first stage of Alibaba's Bug Bounty Program, only listed targets are in scope. \nOther domains/assets owned by Alibaba but not listed are not in scope and are ineligible for bounty.\n\nYou may submit reports for assets that were previously listed in the [Alibaba Response Program](https://hackerone.com/alibaba_vdp) to the ASRC platform here: https://security.alibaba.com/\nWe may add those assets gradually in the next program phase. 
Stay tuned for updates!\n\n## _Things to note about the Scope_\n### Please note that if an IP belongs to an external Alibaba Cloud customer, it's not in scope.\nIf an IP's description contains 'Alicloud' or 'Aliyun' in the search result here: http://wq.apnic.net/static/search.html , there is a high chance this IP belongs to an external Alibaba Cloud customer, which is not in scope. But please note that this is only a reference, not a hard and fast rule. If you are not sure and the impact is severe enough, you can submit it, and we will look into your report ASAP. \n\n### sellercenter.taobao.com|.tw\nsellercenter.taobao.com|.tw belongs to Lazada, and it's not in this program's scope now.\n\n### Vulnerabilities in:\n \\*.anydomain.com|cn/[\\*/]login.htm\n \\*.anydomain.com|cn/[\\*/]mini[\\*]login.htm\n \\*.anydomain.com|cn/[\\*/]icbu[\\*]login.htm\nor patterns like the above URLs,\nwill be considered as only ONE valid report because they share the same back-end service. Also, vulnerabilities on different \nparams of the same URL are considered as ONE valid report. \n\n### Aliyuncs.com\naliyuncs.com is not a 'trusted' domain in our business, so front-end vulnerabilities such as XSS, CSRF, Open Redirection etc. are not in scope. 
But server-side vulnerabilities are in scope.\n\n### Please note that the following types of vulnerabilities will not be rated higher than Medium severity:\nVulnerabilities that require the user to visit a certain URL or an attacker-controlled URL, for example: \n- Reflected XSS\n- CSRF\n- CORS\n- Jsonp Hijacking\n- OAuth Hijacking\n- Privilege Escalation\n- Unused or abandoned subdomain takeover\n- Arbitrary file upload that only leads to Stored XSS etc.\n\n\n# Out of scope vulnerabilities\nThe following finding types are specifically excluded:\n· Vulnerabilities affecting users of outdated browsers or platforms\n· Account brute force\n· Account takeover via CSRF/OAUTH etc.\n· Self-XSS\n· Flash-based XSS\n· Tabnabbing\n· Email Spoof\n· Session fixation\n· Content Spoofing\n· Missing cookie flags\n· Best practices/issues\n· HTML content injection\n· Mixed content warnings\n· Clickjacking/UI redressing\n· HTTPS/SSL/TLS Related Issues\n· Physical or social engineering attacks\n· Reflected file download attacks (RFD)\n· Issues that require unlikely user interaction\n· Login/logout/unauthenticated/low-impact CSRF\n· Unverified Results of automated tools or scanners\n· No SPF/DMARC in non-email domains/subdomains\n· Attacks requiring MITM or physical access to a user's device\n· Issues related to networking protocols or industry standards\n· Carriage Return Line Feed injection without direct impact (CRLF)\n· Error information disclosure that cannot be used to make a direct attack\n· Missing security-related HTTP headers which do not lead directly to a vulnerability\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\n# Contacting the team\n* Reports: You can communicate with H1 Team and ASRC Team directly under your H1 report.\n* Events \u0026 Info: ASRC will hold events frequently. See: https://security.alibaba.com/online . You can also follow our [Twitter](https://twitter.com/asrcsecurity) for updates.\n\nThank you for helping keep Alibaba and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-04-30T09:10:40.679Z"},{"id":3635134,"new_policy":"Alibaba BBP looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.\n\n# Response Targets\nAlibaba BBP will make a best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 5 days |\n| Time to Bounty | 2 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Policy\n* As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Access\nResearchers are free to create their own seller, buyer, etc., accounts on the in-scope applications. 
No credentials or privileged access will be provided by Alibaba, so accounts are limited to what users can create on their own.\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n# Scope\nFor the first stage of Alibaba's Bug Bounty Program, only listed targets are in scope. \nOther domains/assets owned by Alibaba but not listed are not in scope and are ineligible for bounty.\n\nYou may submit reports for assets that were previously listed in the [Alibaba Response Program](https://hackerone.com/alibaba_vdp) to the ASRC platform here: https://security.alibaba.com/\nWe may add those assets gradually in the next program phase. Stay tuned for updates!\n\n## _Things to note about the Scope_\n### Please note that if an IP belongs to an external Alibaba Cloud customer, it's not in scope.\nIf an IP's description contains 'Alicloud' or 'Aliyun' in the search result here: http://wq.apnic.net/static/search.html , there is a high chance this IP belongs to an external Alibaba Cloud customer, which is not in scope. But please note that this is only a reference, not a hard and fast rule. If you are not sure and the impact is severe enough, you can submit it, and we will look into your report ASAP. 
\n\n### sellercenter.taobao.com|.tw\nsellercenter.taobao.com|.tw belongs to Lazada, and it's not in this program's scope now.\n\n### Vulnerabilities in:\n \\*.anydomain.com|cn/[\\*/]login.htm\n \\*.anydomain.com|cn/[\\*/]mini[\\*]login.htm\n \\*.anydomain.com|cn/[\\*/]icbu[\\*]login.htm\nor patterns like the above URLs,\nwill be considered as only ONE valid report because they share the same back-end service. Also, vulnerabilities on different \nparams of the same URL are considered as ONE valid report. \n\n### Aliyuncs.com\naliyuncs.com is not a 'trusted' domain in our business, so front-end vulnerabilities such as XSS, CSRF, Open Redirection etc. are not in scope. But server-side vulnerabilities are in scope.\n\n### Please note that the following types of vulnerabilities will not be rated higher than Medium severity:\nVulnerabilities that require the user to visit a certain URL or an attacker-controlled URL, for example: \n- Reflected XSS\n- CSRF\n- CORS\n- Jsonp Hijacking\n- OAuth Hijacking\n- Privilege Escalation\n- Unused or abandoned subdomain takeover\n- Arbitrary file upload that only leads to Stored XSS etc.\n\n\n# Out of scope vulnerabilities\nThe following finding types are specifically excluded:\n· Vulnerabilities affecting users of outdated browsers or platforms\n· Account brute force\n· Account takeover via CSRF/OAUTH etc.\n· Self-XSS\n· Flash-based XSS\n· Tabnabbing\n· Email Spoof\n· Session fixation\n· Content Spoofing\n· Missing cookie flags\n· Best practices/issues\n· HTML content injection\n· Mixed content warnings\n· Clickjacking/UI redressing\n· HTTPS/SSL/TLS Related Issues\n· Physical or social engineering attacks\n· Reflected file download attacks (RFD)\n· Issues that require unlikely user interaction\n· Login/logout/unauthenticated/low-impact CSRF\n· Unverified Results of automated tools or scanners\n· No SPF/DMARC in non-email domains/subdomains\n· Attacks requiring MITM or physical access to a user's device\n· Issues related to networking protocols or industry standards\n· Carriage 
Return Line Feed injection without direct impact (CRLF)\n· Error information disclosure that cannot be used to make a direct attack\n· Missing security-related HTTP headers which do not lead directly to a vulnerability\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\n# Contacting the team\n* Reports: You can communicate with H1 Team and ASRC Team directly under your H1 report.\n* Events \u0026 Info: ASRC will hold events frequently. See: https://security.alibaba.com/online . You can also follow our [Twitter](https://twitter.com/asrcsecurity) for updates.\n\nThank you for helping keep Alibaba and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-04-17T03:22:19.392Z"},{"id":3635013,"new_policy":"Alibaba has moved from a Response Program to a private Bug Bounty Program on HackerOne. This is a step for us to recognise and thank the community's efforts, and we look forward to working with you. 
\n\nAlibaba BBP looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.\n\n# Response Targets\nAlibaba BBP will make a best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 5 days |\n| Time to Bounty | 2 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Policy\n* As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Access\nResearchers are free to create their own seller, buyer, etc., accounts on the in-scope applications. No credentials or privileged access will be provided by Alibaba, so accounts are limited to what users can create on their own.\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n# Scope\nFor the first stage of Alibaba's Bug Bounty Program, only listed targets are in scope. 
\nOther domains/assets owned by Alibaba but not listed are not in scope and are ineligible for bounty.\n\nYou may submit reports for assets that were previously listed in the [Alibaba Response Program](https://hackerone.com/alibaba_vdp) to the ASRC platform here: https://security.alibaba.com/\nWe may add those assets gradually in the next program phase. Stay tuned for updates!\n\n## _Things to note about the Scope_\n### Please note that if an IP belongs to an external Alibaba Cloud customer, it's not in scope.\nIf an IP's description contains 'Alicloud' or 'Aliyun' in the search result here: http://wq.apnic.net/static/search.html , there is a high chance this IP belongs to an external Alibaba Cloud customer, which is not in scope. But please note that this is only a reference, not a hard and fast rule. If you are not sure and the impact is severe enough, you can submit it, and we will look into your report ASAP. \n\n### sellercenter.taobao.com|.tw\nsellercenter.taobao.com|.tw belongs to Lazada, and it's not in this program's scope now.\n\n### Vulnerabilities in:\n \\*.anydomain.com|cn/[\\*/]login.htm\n \\*.anydomain.com|cn/[\\*/]mini[\\*]login.htm\n \\*.anydomain.com|cn/[\\*/]icbu[\\*]login.htm\nor patterns like the above URLs,\nwill be considered as only ONE valid report because they share the same back-end service. Also, vulnerabilities on different \nparams of the same URL are considered as ONE valid report. \n\n### Aliyuncs.com\naliyuncs.com is not a 'trusted' domain in our business, so front-end vulnerabilities such as XSS, CSRF, Open Redirection etc. are not in scope. 
But server-side vulnerabilities are in scope.\n\n### Please note that the following types of vulnerabilities will not be rated higher than Medium severity:\nVulnerabilities that require the user to visit a certain URL or an attacker-controlled URL, for example: \n- Reflected XSS\n- CSRF\n- CORS\n- Jsonp Hijacking\n- OAuth Hijacking\n- Privilege Escalation\n- Unused or abandoned subdomain takeover\n- Arbitrary file upload that only leads to Stored XSS etc.\n\n\n# Out of scope vulnerabilities\nThe following finding types are specifically excluded:\n· Vulnerabilities affecting users of outdated browsers or platforms\n· Account brute force\n· Account takeover via CSRF/OAUTH etc.\n· Self-XSS\n· Flash-based XSS\n· Tabnabbing\n· Email Spoof\n· Session fixation\n· Content Spoofing\n· Missing cookie flags\n· Best practices/issues\n· HTML content injection\n· Mixed content warnings\n· Clickjacking/UI redressing\n· HTTPS/SSL/TLS Related Issues\n· Physical or social engineering attacks\n· Reflected file download attacks (RFD)\n· Issues that require unlikely user interaction\n· Login/logout/unauthenticated/low-impact CSRF\n· Unverified Results of automated tools or scanners\n· No SPF/DMARC in non-email domains/subdomains\n· Attacks requiring MITM or physical access to a user's device\n· Issues related to networking protocols or industry standards\n· Carriage Return Line Feed injection without direct impact (CRLF)\n· Error information disclosure that cannot be used to make a direct attack\n· Missing security-related HTTP headers which do not lead directly to a vulnerability\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\n# Contacting the team\n* Reports: You can communicate with H1 Team and ASRC Team directly under your H1 report.\n* Events \u0026 Info: ASRC will hold events frequently. See: https://security.alibaba.com/online . You can also follow our [Twitter](https://twitter.com/asrcsecurity) for updates.\n\nThank you for helping keep Alibaba and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-04-15T04:14:27.361Z"}]