[{"id":3774914,"new_policy":"The Elastic team appreciates the security community and shares the goal of keeping our businesses, customers, and the internet safe. Elastic values your efforts and promises to remain responsive and to update you as your reports are triaged and remediated. We award bounty-eligible reports at triage and hope to work together on an ongoing basis.\n\nElastic's bounty structure falls under two umbrellas: Product Vulnerabilities \u0026 Other. While we accept vulnerabilities on any assets that we own/control, we are _particularly_ interested in vulnerabilities in our products, and as such will pay significantly more as indicated in our bounty structure.\n\n## PRODUCT BUG BOUNTY AMOUNTS\n\nWe are specifically interested in any/all bugs related to the Elastic suite of products. Find an IDOR in Elasticsearch? Report it. Find an XSS in Kibana? Report it. If we wrote code with a bug in it, we want to know about it!\n\nOur code is [open](https://github.com/elastic) so use that to your advantage!\n\n## What we're interested in\n* Attacks that lead to compromise of Elastic user data\n* Widespread compromise of Elastic user accounts\n* Remote code execution on systems and applications\n* Access to administrator/superuser accounts\n* Arbitrary access to a user’s sensitive data/functionality\n* Kibana XSS and CSRF\n* Access to underlying containers\n* Access to unauthorized data as an authenticated user\n* Privilege escalation as an authenticated user to non-superuser\n* Authenticated SSRF\n\n# Expectations\n* If you report a subdomain takeover, please document your findings in order to write the report. Multiple subdomain takeovers caused by one underlying record/IP will be awarded one bounty.\n* Active credentials protected by 2FA/MFA will be classified as Low.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. 
Only interact with accounts you own or with explicit permission of the account holder.\n* Application-layer attacks should be reproduced on a deployment that meets the minimum requirements specified in the product documentation, and in all cases with no less than 1 CPU and 2 GB of RAM.\n* Our rewards are based on the severity of a vulnerability. Please note that reward decisions are up to the discretion of Elastic.\n\n\n# Disclosure\n* Let us know as soon as possible upon discovery of a potential security issue, and we’ll make every effort to quickly resolve the issue.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Follow HackerOne's disclosure guidelines.\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact. Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n\n## Out of scope\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues should be considered out of scope:\n* Security issues in third-party systems, domains, services and components fall outside this policy and are not eligible for a bounty. We encourage you to submit these to the third-party owner. In cases where the third-party owner cannot be contacted or is unresponsive, we will be happy to assist with communication if a report is submitted to us.\n* Findings that require administrative or root operating system privileges are out of scope. Administrators are very powerful and free to modify or downgrade the OS. Elastic aligns with the MSRC's stance that the boundary between an administrator and the kernel is not a security boundary. 
https://www.microsoft.com/en-us/msrc/windows-security-servicing-criteria\n* Findings that require an administrative level of access to our products and where the impact/severity is limited to Low for Availability.\n* Findings in legacy or end-of-life product versions. Security issues must be reproducible on currently maintained releases.\n* Subdomain takeovers on typosquatted domains or parked/reserved domains for phishing\n* Application-level Denial of Service attacks against Swiftype\n* Cross-site scripting vulnerabilities that are not accompanied by a bypass of our content security policy. Cross-site scripting vulnerabilities without a content security policy bypass will be assessed on a case-by-case basis and might be rewarded at a low severity level.\n* Clickjacking on pages with no sensitive actions\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Lack of rate limiting or brute-force issues\n* Volumetric attacks (e.g., network flooding, request flooding, port flooding, required traffic volume scaling with deployment size) are never eligible for bounty rewards.\n* Missing best practices in Content Security Policy.\n* Missing HttpOnly or Secure flags on cookies\n* Missing email best practices (invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* Vulnerabilities only affecting users of outdated or unpatched browsers [less than 2 stable versions behind the latest released stable version]\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. 
stack traces, application or server errors).\n* Tabnabbing\n* Issues that require unlikely user interaction\n* Open Redirects that are not chained into a more impactful vulnerability\n* Broken links in documentation\n* Issues where an attacker gets access to paid features for free or at a discount\n* Recent acquisitions by Elastic are out of scope for the Bug Bounty program for at least 6 months after the acquisition is complete. Reports received sooner than that will not qualify for a reward.\n\n\n# Stipulations\nTo be eligible for the Bug Bounty Program, you must not:\n* Be employed by Elastic or any subsidiary;\n* Be a former employee or contractor (including outsourced penetration tester) of Elastic or any subsidiary who has left the company less than `6` months ago.\n\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Elastic and our users safe!\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":["LEAKED_CREDENTIALS"],"scope_exclusions":[],"timestamp":"2026-05-25T15:58:19.199Z"},{"id":3774908,"new_policy":"The Elastic team appreciates the security community and shares the goal of keeping our businesses, customers, and the internet safe. Elastic values your efforts and promises to remain responsive and to update you as your reports are triaged and remediated. 
We award bounty-eligible reports at triage and hope to work together on an ongoing basis.\n\nElastic's bounty structure falls under two umbrellas: Product Vulnerabilities \u0026 Other. While we accept vulnerabilities on any assets that we own/control, we are _particularly_ interested in vulnerabilities in our products, and as such will pay significantly more as indicated in our bounty structure.\n\n## PRODUCT BUG BOUNTY AMOUNTS\n\nWe are specifically interested in any/all bugs related to the Elastic suite of products. Find an IDOR in Elasticsearch? Report it. Find an XSS in Kibana? Report it. If we wrote code with a bug in it, we want to know about it!\n\nOur code is [open](https://github.com/elastic) so use that to your advantage!\n\n## What we're interested in\n* Attacks that lead to compromise of Elastic user data\n* Widespread compromise of Elastic user accounts\n* Remote code execution on systems and applications\n* Access to administrator/superuser accounts\n* Arbitrary access to a user’s sensitive data/functionality\n* Kibana XSS and CSRF\n* Access to underlying containers\n* Access to unauthorized data as an authenticated user\n* Privilege escalation as an authenticated user to non-superuser\n* Authenticated SSRF\n\n# Expectations\n* If you report a subdomain takeover, please document your findings in order to write the report. Multiple subdomain takeovers caused by one underlying record/IP will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* Application-layer attacks should be reproduced on a deployment that meets the minimum requirements specified in the product documentation, and in all cases with no less than 1 CPU and 2 GB of RAM.\n* Our rewards are based on the severity of a vulnerability. 
Please note that reward decisions are up to the discretion of Elastic.\n\n\n# Disclosure\n* Let us know as soon as possible upon discovery of a potential security issue, and we’ll make every effort to quickly resolve the issue.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Follow HackerOne's disclosure guidelines.\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact. Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n\n## Out of scope\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues should be considered out of scope:\n* Security issues in third-party systems, domains, services and components fall outside this policy and are not eligible for a bounty. We encourage you to submit these to the third-party owner. In cases where the third-party owner cannot be contacted or is unresponsive, we will be happy to assist with communication if a report is submitted to us.\n* Findings that require administrative or root operating system privileges are out of scope. Administrators are very powerful and free to modify or downgrade the OS. Elastic aligns with the MSRC's stance that the boundary between an administrator and the kernel is not a security boundary. https://www.microsoft.com/en-us/msrc/windows-security-servicing-criteria\n* Findings that require an administrative level of access to our products and where the impact/severity is limited to Low for Availability.\n* Findings in legacy or end-of-life product versions. 
Security issues must be reproducible on currently maintained releases.\n* Subdomain takeovers on typosquatted domains or parked/reserved domains for phishing\n* Application-level Denial of Service attacks against Swiftype\n* Cross-site scripting vulnerabilities that are not accompanied by a bypass of our content security policy. Cross-site scripting vulnerabilities without a content security policy bypass will be assessed on a case-by-case basis and might be rewarded at a low severity level.\n* Clickjacking on pages with no sensitive actions\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Lack of rate limiting or brute-force issues\n* Volumetric attacks (e.g., network flooding, request flooding, port flooding, required traffic volume scaling with deployment size) are never eligible for bounty rewards.\n* Missing best practices in Content Security Policy.\n* Missing HttpOnly or Secure flags on cookies\n* Missing email best practices (invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* Vulnerabilities only affecting users of outdated or unpatched browsers [less than 2 stable versions behind the latest released stable version]\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. 
stack traces, application or server errors).\n* Tabnabbing\n* Issues that require unlikely user interaction\n* Open Redirects that are not chained into a more impactful vulnerability\n* Broken links in documentation\n* Issues where an attacker gets access to paid features for free or at a discount\n* Recent acquisitions by Elastic are out of scope for the Bug Bounty program for at least 6 months after the acquisition is complete. Reports received sooner than that will not qualify for a reward.\n\n\n# Stipulations\nTo be eligible for the Bug Bounty Program, you must not:\n* Be employed by Elastic or any subsidiary;\n* Be a former employee or contractor (including outsourced penetration tester) of Elastic or any subsidiary who has left the company less than `6` months ago.\n\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Elastic and our users safe!\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":["LEAKED_CREDENTIALS"],"scope_exclusions":[],"timestamp":"2026-05-25T14:32:21.188Z"},{"id":3773009,"new_policy":"The Elastic team appreciates the security community and shares the goal of keeping our businesses, customers, and the internet safe. Elastic values your efforts and promises to remain responsive and to update you as your reports are triaged and remediated. 
We award bounty-eligible reports at triage and hope to work together on an ongoing basis.\n\nElastic's bounty structure falls under two umbrellas: Product Vulnerabilities \u0026 Other. While we accept vulnerabilities on any assets that we own/control, we are _particularly_ interested in vulnerabilities in our products, and as such will pay significantly more as indicated in our bounty structure.\n\n## PRODUCT BUG BOUNTY AMOUNTS\n\nWe are specifically interested in any/all bugs related to the Elastic suite of products. Find an IDOR in Elasticsearch? Report it. Find an XSS in Kibana? Report it. If we wrote code with a bug in it, we want to know about it!\n\nOur code is [open](https://github.com/elastic) so use that to your advantage!\n\n## What we're interested in\n* Attacks that lead to compromise of Elastic user data\n* Widespread compromise of Elastic user accounts\n* Remote code execution on systems and applications\n* Access to administrator/superuser accounts\n* Arbitrary access to a user’s sensitive data/functionality\n* Kibana XSS and CSRF\n* Access to underlying containers\n* Access to unauthorized data as an authenticated user\n* Privilege escalation as an authenticated user to non-superuser\n* Authenticated SSRF\n\n# Expectations\n* If you report a subdomain takeover, please document your findings in order to write the report. Multiple subdomain takeovers caused by one underlying record/IP will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* Application-layer attacks should be reproduced on a deployment that meets the minimum requirements specified in the product documentation, and in all cases with no less than 1 CPU and 2 GB of RAM.\n* Our rewards are based on the severity of a vulnerability. 
Please note that reward decisions are up to the discretion of Elastic.\n\n\n# Disclosure\n* Let us know as soon as possible upon discovery of a potential security issue, and we’ll make every effort to quickly resolve the issue.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Follow HackerOne's disclosure guidelines.\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact. Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n\n## Out of scope\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues should be considered out of scope:\n* Security issues in third-party systems, domains, services and components fall outside this policy and are not eligible for a bounty. We encourage you to submit these to the third-party owner. In cases where the third-party owner cannot be contacted or is unresponsive, we will be happy to assist with communication if a report is submitted to us.\n* Findings that require administrative or root operating system privileges are out of scope. Administrators are very powerful and free to modify or downgrade the OS. Elastic aligns with the MSRC's stance that the boundary between an administrator and the kernel is not a security boundary. https://www.microsoft.com/en-us/msrc/windows-security-servicing-criteria\n* Findings that require an administrative level of access to our products and where the impact/severity is limited to Low for Availability.\n* Findings in legacy or end-of-life product versions. 
Security issues must be reproducible on currently maintained releases.\n* Subdomain takeovers on typosquatted domains or parked/reserved domains for phishing\n* Application-level Denial of Service attacks against Swiftype\n* Cross-site scripting vulnerabilities that are not accompanied by a bypass of our content security policy. Cross-site scripting vulnerabilities without a content security policy bypass will be assessed on a case-by-case basis and might be rewarded at a low severity level.\n* Clickjacking on pages with no sensitive actions\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Lack of rate limiting or brute-force issues\n* Volumetric attacks (e.g., network flooding, request flooding, port flooding, required traffic volume scaling with deployment size) are never eligible for bounty rewards.\n* Missing best practices in Content Security Policy.\n* Missing HttpOnly or Secure flags on cookies\n* Missing email best practices (invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* Vulnerabilities only affecting users of outdated or unpatched browsers [less than 2 stable versions behind the latest released stable version]\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. 
stack traces, application or server errors).\n* Tabnabbing\n* Issues that require unlikely user interaction\n* Open Redirects that are not chained into a more impactful vulnerability\n* Broken links in documentation\n* Issues where an attacker gets access to paid features for free or at a discount\n* Recent acquisitions by Elastic are out of scope for the Bug Bounty program for at least 6 months after the acquisition is complete. Reports received sooner than that will not qualify for a reward.\n\n\n# Stipulations\nTo be eligible for the Bug Bounty Program, you must not:\n* Be employed by Elastic or any subsidiary;\n* Be a former employee or contractor (including outsourced penetration tester) of Elastic or any subsidiary who has left the company less than `6` months ago.\n\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Elastic and our users safe!\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2026-04-22T08:54:20.421Z"},{"id":3771663,"new_policy":"The Elastic team appreciates the security community and shares the goal of keeping our businesses, customers, and the internet safe. Elastic values your efforts and promises to remain responsive and to update you as your reports are triaged and remediated. 
We award bounty-eligible reports at triage and hope to work together on an ongoing basis.\n\nElastic's bounty structure falls under two umbrellas: Product Vulnerabilities \u0026 Other. While we accept vulnerabilities on any assets that we own/control, we are _particularly_ interested in vulnerabilities in our products, and as such will pay significantly more as indicated in our bounty structure.\n\n## PRODUCT BUG BOUNTY AMOUNTS\n\nWe are specifically interested in any/all bugs related to the Elastic suite of products. Find an IDOR in Elasticsearch? Report it. Find an XSS in Kibana? Report it. If we wrote code with a bug in it, we want to know about it!\n\nOur code is [open](https://github.com/elastic) so use that to your advantage!\n\n## What we're interested in\n* Attacks that lead to compromise of Elastic user data\n* Widespread compromise of Elastic user accounts\n* Remote code execution on systems and applications\n* Access to administrator/superuser accounts\n* Arbitrary access to a user’s sensitive data/functionality\n* Kibana XSS and CSRF\n* Access to underlying containers\n* Access to unauthorized data as an authenticated user\n* Privilege escalation as an authenticated user to non-superuser\n* Authenticated SSRF\n\n# Expectations\n* If you report a subdomain takeover, please document your findings in order to write the report. Multiple subdomain takeovers caused by one underlying record/IP will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* Application-layer attacks should be reproduced on a deployment that meets the minimum requirements specified in the product documentation, and in all cases with no less than 1 CPU and 2 GB of RAM.\n* Our rewards are based on the severity of a vulnerability. 
Please note that reward decisions are up to the discretion of Elastic.\n\n\n# Disclosure\n* Let us know as soon as possible upon discovery of a potential security issue, and we’ll make every effort to quickly resolve the issue.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Follow HackerOne's disclosure guidelines.\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact. Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n\n## Out of scope\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues should be considered out of scope:\n* Security issues in third-party systems, domains, services and components fall outside this policy and are not eligible for a bounty. We encourage you to submit these to the third-party owner. In cases where the third-party owner cannot be contacted or is unresponsive, we will be happy to assist with communication if a report is submitted to us.\n* Findings that require administrative or root operating system privileges are out of scope. Administrators are very powerful and free to modify or downgrade the OS. Elastic aligns with the MSRC's stance that the boundary between an administrator and the kernel is not a security boundary. https://www.microsoft.com/en-us/msrc/windows-security-servicing-criteria\n* Findings that require an administrative level of access to our products and where the impact/severity is limited to Low for Availability.\n* Findings in legacy or end-of-life product versions. 
Security issues must be reproducible on currently maintained releases.\n* Application-level Denial of Service attacks against Swiftype\n* Cross-site scripting vulnerabilities that are not accompanied by a bypass of our content security policy. Cross-site scripting vulnerabilities without a content security policy bypass will be assessed on a case-by-case basis and might be rewarded at a low severity level.\n* Clickjacking on pages with no sensitive actions\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Lack of rate limiting or brute-force issues\n* Volumetric attacks (e.g., network flooding, request flooding, port flooding, required traffic volume scaling with deployment size) are never eligible for bounty rewards.\n* Missing best practices in Content Security Policy.\n* Missing HttpOnly or Secure flags on cookies\n* Missing email best practices (invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* Vulnerabilities only affecting users of outdated or unpatched browsers [less than 2 stable versions behind the latest released stable version]\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. 
stack traces, application or server errors).\n* Tabnabbing\n* Issues that require unlikely user interaction\n* Open Redirects that are not chained into a more impactful vulnerability\n* Broken links in documentation\n* Issues where an attacker gets access to paid features for free or at a discount\n* Recent acquisitions by Elastic are out of scope for the Bug Bounty program for at least 6 months after the acquisition is complete. Reports received sooner than that will not qualify for a reward.\n\n\n# Stipulations\nTo be eligible for the Bug Bounty Program, you must not:\n* Be employed by Elastic or any subsidiary;\n* Be a former employee or contractor (including outsourced penetration tester) of Elastic or any subsidiary who has left the company less than `6` months ago.\n\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Elastic and our users safe!\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2026-03-25T04:27:17.214Z"},{"id":3771657,"new_policy":"The Elastic team appreciates the security community and shares the goal of keeping our businesses, customers, and the internet safe. Elastic values your efforts and promises to remain responsive and to update you as your reports are triaged and remediated. 
We award bounty-eligible reports at triage and hope to work together on an ongoing basis.\n\nElastic's bounty structure falls under two umbrellas: Product Vulnerabilities \u0026 Other. While we accept vulnerabilities on any assets that we own/control, we are _particularly_ interested in vulnerabilities in our products, and as such will pay significantly more as indicated in our bounty structure.\n\n## PRODUCT BUG BOUNTY AMOUNTS\n\nWe are specifically interested in any/all bugs related to the Elastic suite of products. Find an IDOR in Elasticsearch? Report it. Find an XSS in Kibana? Report it. If we wrote code with a bug in it, we want to know about it!\n\nOur code is [open](https://github.com/elastic) so use that to your advantage!\n\n## What we're interested in\n* Attacks that lead to compromise of Elastic user data\n* Widespread compromise of Elastic user accounts\n* Remote code execution on systems and applications\n* Access to administrator/superuser accounts\n* Arbitrary access to a user’s sensitive data/functionality\n* Kibana XSS and CSRF\n* Access to underlying containers\n* Access to unauthorized data as an authenticated user\n* Privilege escalation as an authenticated user to non-superuser\n* Authenticated SSRF\n\n# Expectations\n* If you report a subdomain takeover, please document your findings in order to write the report. Multiple subdomain takeovers caused by one underlying record/IP will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* Our rewards are based on the severity of a vulnerability. 
Please note that reward decisions are up to the discretion of Elastic.\n\n\n# Disclosure\n* Let us know as soon as possible upon discovery of a potential security issue, and we’ll make every effort to quickly resolve the issue.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Follow HackerOne's disclosure guidelines.\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact. Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n\n## Out of scope\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues should be considered out of scope:\n* Security issues in third-party systems, domains, services and components fall outside this policy and are not eligible for a bounty. We encourage you to submit these to the third-party owner. In cases where the third-party owner cannot be contacted or is unresponsive, we will be happy to assist with communication if a report is submitted to us.\n* Findings that require administrative or root operating system privileges are out of scope. Administrators are very powerful and free to modify or downgrade the OS. Elastic aligns with the MSRC's stance that the boundary between an administrator and the kernel is not a security boundary. https://www.microsoft.com/en-us/msrc/windows-security-servicing-criteria\n* Findings that require an administrative level of access to our products and where the impact/severity is limited to Low for Availability.\n* Findings in legacy or end-of-life product versions. 
Security issues must be reproducible on currently maintained releases.\n* Application-level Denial of Service attacks against Swiftype\n* Cross-site scripting vulnerabilities that are not accompanied by a bypass of our content security policy. Cross-site scripting vulnerabilities without a content security policy bypass will be assessed on a case-by-case basis and might be rewarded at a low severity level.\n* Clickjacking on pages with no sensitive actions\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Lack of rate limiting or brute-force issues\n* Volumetric attacks (e.g., network flooding, request flooding, port flooding, required traffic volume scaling with deployment size) are never eligible for bounty rewards.\n* Missing best practices in Content Security Policy.\n* Missing HttpOnly or Secure flags on cookies\n* Missing email best practices (invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* Vulnerabilities only affecting users of outdated or unpatched browsers [less than 2 stable versions behind the latest released stable version]\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. 
stack traces, application or server errors).\n* Tabnabbing\n* Issues that require unlikely user interaction\n* Open Redirects that are not chained into a more impactful vulnerability\n* Broken links in documentation\n* Issues where an attacker gets access to paid features for free or at a discount\n* Recent acquisitions by Elastic are out of scope for the Bug Bounty program for at least 6 months after the acquisition is complete. Reports received sooner than that will not qualify for a reward.\n\n\n# Stipulations\nTo be eligible for the Bug Bounty Program, you must not:\n* Be employed by Elastic or any subsidiary;\n* Be a former employee or contractor (including outsourced penetration tester) of Elastic or any subsidiary who has left the company less than `6` months ago.\n\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Elastic and our users safe!\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2026-03-24T18:20:59.650Z"},{"id":3770193,"new_policy":"The Elastic team appreciates the security community and shares the goal of keeping our businesses, customers, and the internet safe. Elastic values your efforts and promises to remain responsive and to update you as your reports are triaged and remediated. 
We award bounty eligible reports at triage and hope to work together on an ongoing basis.\n\nElastic's bounty structure falls under two umbrellas: Product Vulnerabilities \u0026 Other. While we accept vulnerabilities on any assets that we own/control, we are _particularly_ interested in vulnerabilities in our products, and as such will pay significantly more as indicated in our bounty structure.\n\n##PRODUCT BUG BOUNTY AMOUNTS\n\nWe are specifically interested in any/all bugs related to the Elastic suite of products. Find an IDOR in Elasticsearch? Report it. Find an XSS in Kibana? Report it. If we wrote code with a bug in it, we want to know about it!\n\nOur code is [open](https://github.com/elastic) so use that to your advantage!\n\n## What we're interested in\n* Attacks that lead to compromise of Elastic user data\n* Widespread compromise of Elastic user accounts\n* Remote code execution on systems and applications\n* Access to administrator/superuser accounts\n* Arbitrary access to a user’s sensitive data/functionality\n* Kibana XSS and CSRF\n* Access to underlying containers\n* Access to unauthorized data as authenticated user\n* Privilege escalation as authenticated user to non superuser\n* Authenticated SSRF\n\n#Expectations\n* If you report a subdomain takeover, please document your findings in order to write the report. Multiple subdomain takeovers caused by one underlying record/IP will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\nScope\n* Our rewards are based on the severity of a vulnerability. 
Please note that reward decisions are up to the discretion of Elastic.\n\n\n#Disclosure\n* Let us know as soon as possible upon discovery of a potential security issue, and we’ll make every effort to quickly resolve the issue. \n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Follow HackerOne's disclosure guidelines.\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\nMultiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n\n##Out of scope\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues should be considered out of scope:\n* Security issues in third party systems, domains, services and components fall outside this policy and are not eligible for a bounty. We encourage you to submit these to the third party owner. In cases where the third party owner cannot be contacted or is unresponsive, we will be happy to assist with communication if a report is submitted to us.\n* Findings that require administrative or root operating system privileges are out of scope. Administrators are very powerful, free to modify or downgrade the OS. Elastic aligns with the MSRC's stance that the boundary between an administrator and the kernel is not a security boundary. https://www.microsoft.com/en-us/msrc/windows-security-servicing-criteria\n* Findings that require administrative level of access to our products and where the impact/severity is limited to Low for Availability. \n* Findings in legacy or end-of-life product versions. 
Security issues must be reproducible on currently maintained releases\n* Application-level Denial of Service attacks against Swiftype\n* Cross-site scripting vulnerabilities that are not accompanied by a bypass of our content security policy. Cross-site scripting vulnerabilities without a content security bypass will be assessed on a case by case basis and might be rewarded at a low severity level.\n*Clickjacking on pages with no sensitive actions\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Lack of Rate limiting or bruteforce issues \n* Missing best practices in Content Security Policy.\n* Missing HttpOnly or Secure flags on cookies\n* Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).\n* Tabnabbing\n* Issues that require unlikely user interaction\n* Open Redirects that are not chained into a more impactful vulnerability\n* Broken links in documentation\n* Issues where an attacker gets access to paid features for free or at a discount\n* Recent acquisitions by Elastic are out of Scope for the Bug Bounty program for at least 6 months after the acquisition is complete. 
Reports received sooner than that will not qualify for a reward.\n\n\n# Stipulations\nTo be eligible for the Bug Bounty Program, you must not:\n* Be employed by Elastic or any subsidiary;\n* Be a former employee or contractor (including outsourced penetration tester)of Elastic or any subsidiary that has left the company less than `6` months ago.\n\n\n# Safe Harbor \nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. \n\nThank you for helping keep Elastic and our users safe!\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2026-02-25T10:42:11.440Z"},{"id":3770141,"new_policy":"The Elastic team appreciates the security community and shares the goal of keeping our businesses, customers, and the internet safe. Elastic values your efforts and promises to remain responsive; update you as your reports are triaged and remediated. We award bounty eligible reports at triage and hope to work together on an ongoing basis.\n\nElastic's bounty structure falls under two umbrellas: Product Vulnerabilities \u0026 Other. While we accept vulnerabilities on any assets that we own/control, we are _particularly_ interested in vulnerabilities in our products, and as such will pay significantly more as indicated in our bounty structure.\n\n##PRODUCT BUG BOUNTY AMOUNTS\n\nWe are specifically interested in any/all bugs related to the Elastic suite of products. Find an IDOR in Elasticsearch? Report it. Find an XSS in Kibana? Report it. 
If we wrote code with a bug in it, we want to know about it!\n\nOur code is [open](https://github.com/elastic) so use that to your advantage!\n\n## What we're interested in\n* Attacks that lead to compromise of Elastic user data\n* Widespread compromise of Elastic user accounts\n* Remote code execution on systems and applications\n* Access to administrator/superuser accounts\n* Arbitrary access to a user’s sensitive data/functionality\n* Kibana XSS and CSRF\n* Access to underlying containers\n* Access to unauthorized data as authenticated user\n* Privilege escalation as authenticated user to non superuser\n* Authenticated SSRF\n\n#Expectations\n* If you report a subdomain takeover, please document your findings in order to write the report. Multiple subdomains caused by one underlying record/IP will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\nScope\n* Our rewards are based on the severity of a vulnerability. Please note that reward decisions are up to the discretion of Elastic.\n\n\n#Disclosure\n* Let us know as soon as possible upon discovery of a potential security issue, and we’ll make every effort to quickly resolve the issue. \n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Follow HackerOne's disclosure guidelines.\n* Please provide detailed reports with reproducible steps. 
If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\nMultiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n\n##Out of scope\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues should be considered out of scope:\n* Security issues in third party systems, domains, services and components fall outside this policy and are not eligible for a bounty. We encourage you to submit these to the third party owner. In cases where the third party owner cannot be contacted or is unresponsive, we will be happy to assist with communication if a report is submitted to us.\n* Findings that require administrative or root operating system privileges are out of scope. Administrators are very powerful, free to modify or downgrade the OS. Elastic aligns with the MSRC's stance that the boundary between an administrator and the kernel is not a security boundary. https://www.microsoft.com/en-us/msrc/windows-security-servicing-criteria\n* Findings that require administrative level of access to our products and where the impact/severity is limited to Low for Availability. \n* Application-level Denial of Service attacks against Swiftype\n* Cross-site scripting vulnerabilities that are not accompanied by a bypass of our content security policy. 
Cross-site scripting vulnerabilities without a content security bypass will be assessed on a case by case basis and might be rewarded at a low severity level.\n*Clickjacking on pages with no sensitive actions\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Lack of Rate limiting or bruteforce issues \n* Missing best practices in Content Security Policy.\n* Missing HttpOnly or Secure flags on cookies\n* Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).\n* Tabnabbing\n* Issues that require unlikely user interaction\n* Open Redirects that are not chained into a more impactful vulnerability\n* Broken links in documentation\n* Issues where an attacker gets access to paid features for free or at a discount\n* Recent acquisitions by Elastic are out of Scope for the Bug Bounty program for at least 6 months after the acquisition is complete. 
Reports received sooner than that will not qualify for a reward.\n\n\n# Stipulations\nTo be eligible for the Bug Bounty Program, you must not:\n* Be employed by Elastic or any subsidiary;\n* Be a former employee or contractor (including outsourced penetration tester)of Elastic or any subsidiary that has left the company less than `6` months ago.\n\n\n# Safe Harbor \nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. \n\nThank you for helping keep Elastic and our users safe!\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2026-02-24T15:54:50.644Z"},{"id":3769402,"new_policy":"The Elastic team appreciates the security community and shares the goal of keeping our businesses, customers, and the internet safe. Elastic values your efforts and promises to remain responsive; update you as your reports are triaged and remediated. We award bounty eligible reports at triage and hope to work together on an ongoing basis.\n\nElastic's bounty structure falls under two umbrellas: Product Vulnerabilities \u0026 Other. While we accept vulnerabilities on any assets that we own/control, we are _particularly_ interested in vulnerabilities in our products, and as such will pay significantly more as indicated in our bounty structure.\n\n##PRODUCT BUG BOUNTY AMOUNTS\n\nWe are specifically interested in any/all bugs related to the Elastic suite of products. Find an IDOR in Elasticsearch? Report it. Find an XSS in Kibana? Report it. 
If we wrote code with a bug in it, we want to know about it!\n\nOur code is [open](https://github.com/elastic) so use that to your advantage!\n\n## What we're interested in\n* Attacks that lead to compromise of Elastic user data\n* Widespread compromise of Elastic user accounts\n* Remote code execution on systems and applications\n* Access to administrator/superuser accounts\n* Arbitrary access to a user’s sensitive data/functionality\n* Kibana XSS and CSRF\n* Access to underlying containers\n* Access to unauthorized data as authenticated user\n* Privilege escalation as authenticated user to non superuser\n* Authenticated SSRF\n\n#Expectations\n* If you report a subdomain takeover, please document your findings in order to write the report.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\nScope\n* Our rewards are based on the severity of a vulnerability. Please note that reward decisions are up to the discretion of Elastic.\n\n\n#Disclosure\n* Let us know as soon as possible upon discovery of a potential security issue, and we’ll make every effort to quickly resolve the issue. \n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Follow HackerOne's disclosure guidelines.\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\nMultiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n\n##Out of scope\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. 
The following issues should be considered out of scope:\n* Security issues in third party systems, services and components fall outside this policy and are not eligible for a bounty. We encourage you to submit these to the third party owner. In cases where the third party owner cannot be contacted or is unresponsive, we will be happy to assist with communication if a report is submitted to us.\n* Findings that require administrative or root operating system privileges are out of scope. Administrators are very powerful, free to modify or downgrade the OS. Elastic aligns with the MSRC's stance that the boundary between an administrator and the kernel is not a security boundary. https://www.microsoft.com/en-us/msrc/windows-security-servicing-criteria\n* Findings that require administrative level of access to our products and where the impact/severity is limited to Low for Availability. \n* Application-level Denial of Service attacks against Swiftype\n* Cross-site scripting vulnerabilities that are not accompanied by a bypass of our content security policy. 
Cross-site scripting vulnerabilities without a content security bypass will be assessed on a case by case basis and might be rewarded at a low severity level.\n*Clickjacking on pages with no sensitive actions\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Lack of Rate limiting or bruteforce issues \n* Missing best practices in Content Security Policy.\n* Missing HttpOnly or Secure flags on cookies\n* Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).\n* Tabnabbing\n* Issues that require unlikely user interaction\n* Open Redirects that are not chained into a more impactful vulnerability\n* Broken links in documentation\n* Issues where an attacker gets access to paid features for free or at a discount\n* Recent acquisitions by Elastic are out of Scope for the Bug Bounty program for at least 6 months after the acquisition is complete. 
Reports received sooner than that will not qualify for a reward.\n\n\n# Stipulations\nTo be eligible for the Bug Bounty Program, you must not:\n* Be employed by Elastic or any subsidiary;\n* Be a former employee or contractor (including outsourced penetration tester)of Elastic or any subsidiary that has left the company less than `6` months ago.\n\n\n# Safe Harbor \nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. \n\nThank you for helping keep Elastic and our users safe!\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2026-02-09T15:40:50.446Z"},{"id":3767378,"new_policy":"The Elastic team appreciates the security community and shares the goal of keeping our businesses, customers, and the internet safe. Elastic values your efforts and promises to remain responsive; update you as your reports are triaged and remediated. We award bounty eligible reports at triage and hope to work together on an ongoing basis.\n\nElastic's bounty structure falls under two umbrellas: Product Vulnerabilities \u0026 Other. While we accept vulnerabilities on any assets that we own/control, we are _particularly_ interested in vulnerabilities in our products, and as such will pay significantly more as indicated in our bounty structure.\n\n##PRODUCT BUG BOUNTY AMOUNTS\n\nWe are specifically interested in any/all bugs related to the Elastic suite of products. Find an IDOR in Elasticsearch? Report it. Find an XSS in Kibana? Report it. 
If we wrote code with a bug in it, we want to know about it!\n\nOur code is [open](https://github.com/elastic) so use that to your advantage!\n\n## What we're interested in\n* Attacks that lead to compromise of Elastic user data\n* Widespread compromise of Elastic user accounts\n* Remote code execution on systems and applications\n* Access to administrator/superuser accounts\n* Arbitrary access to a user’s sensitive data/functionality\n* Kibana XSS and CSRF\n* Access to underlying containers\n* Access to unauthorized data as authenticated user\n* Privilege escalation as authenticated user to non superuser\n* Authenticated SSRF\n\n#Expectations\n* If you report a subdomain takeover, please document your findings in order to write the report.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\nScope\n* Our rewards are based on the severity of a vulnerability. Please note that reward decisions are up to the discretion of Elastic.\n\n\n#Disclosure\n* Let us know as soon as possible upon discovery of a potential security issue, and we’ll make every effort to quickly resolve the issue. \n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Follow HackerOne's disclosure guidelines.\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\nMultiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n\n##Out of scope\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. 
The following issues should be considered out of scope:\n* Findings that require administrative or root operating system privileges are out of scope. Administrators are very powerful, free to modify or downgrade the OS. Elastic aligns with the MSRC's stance that the boundary between an administrator and the kernel is not a security boundary. https://www.microsoft.com/en-us/msrc/windows-security-servicing-criteria\n* Findings that require administrative level of access to our products and where the impact/severity is limited to Low for Availability. \n* Application-level Denial of Service attacks against Swiftype\n* Cross-site scripting vulnerabilities that are not accompanied by a bypass of our content security policy. Cross-site scripting vulnerabilities without a content security bypass will be assessed on a case by case basis and might be rewarded at a low severity level.\n*Clickjacking on pages with no sensitive actions\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Lack of Rate limiting or bruteforce issues \n* Missing best practices in Content Security Policy.\n* Missing HttpOnly or Secure flags on cookies\n* Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. 
stack traces, application or server errors).\n* Tabnabbing\n* Issues that require unlikely user interaction\n* Open Redirects that are not chained into a more impactful vulnerability\n* Broken links in documentation\n* Issues where an attacker gets access to paid features for free or at a discount\n* Recent acquisitions by Elastic are out of Scope for the Bug Bounty program for at least 6 months after the acquisition is complete. Reports received sooner than that will not qualify for a reward.\n\n\n# Stipulations\nTo be eligible for the Bug Bounty Program, you must not:\n* Be employed by Elastic or any subsidiary;\n* Be a former employee or contractor (including outsourced penetration tester)of Elastic or any subsidiary that has left the company less than `6` months ago.\n\n\n# Safe Harbor \nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. \n\nThank you for helping keep Elastic and our users safe!\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-12-15T12:38:13.189Z"},{"id":3766203,"new_policy":"The Elastic team appreciates the security community and shares the goal of keeping our businesses, customers, and the internet safe. Elastic values your efforts and promises to remain responsive; update you as your reports are triaged and remediated. 
We award bounty eligible reports at triage and hope to work together on an ongoing basis.\n\nElastic's bounty structure falls under two umbrellas: Product Vulnerabilities \u0026 Other. While we accept vulnerabilities on any assets that we own/control, we are _particularly_ interested in vulnerabilities in our products, and as such will pay significantly more as indicated in our bounty structure.\n\n##PRODUCT BUG BOUNTY AMOUNTS\n\nWe are specifically interested in any/all bugs related to the Elastic suite of products. Find an IDOR in Elasticsearch? Report it. Find an XSS in Kibana? Report it. If we wrote code with a bug in it, we want to know about it!\n\nOur code is [open](https://github.com/elastic) so use that to your advantage!\n\n## What we're interested in\n* Attacks that lead to compromise of Elastic user data\n* Widespread compromise of Elastic user accounts\n* Remote code execution on systems and applications\n* Access to administrator/superuser accounts\n* Arbitrary access to a user’s sensitive data/functionality\n* Kibana XSS and CSRF\n* Access to underlying containers\n* Access to unauthorized data as authenticated user\n* Privilege escalation as authenticated user to non superuser\n* Authenticated SSRF\n\n#Expectations\n* If you report a subdomain takeover, please document your findings in order to write the report.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\nScope\n* Our rewards are based on the severity of a vulnerability. Please note that reward decisions are up to the discretion of Elastic.\n\n\n#Disclosure\n* Let us know as soon as possible upon discovery of a potential security issue, and we’ll make every effort to quickly resolve the issue. 
\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Follow HackerOne's disclosure guidelines.\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\nMultiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n\n##Out of scope\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues should be considered out of scope:\n* Findings that require administrative or root operating system privileges are out of scope. Administrators are very powerful, free to modify or downgrade the OS. Elastic aligns with the MSRC's stance that the boundary between an administrator and the kernel is not a security boundary. https://www.microsoft.com/en-us/msrc/windows-security-servicing-criteria\n* Findings that require administrative level of access to our products and where the impact/severity is limited to Low for Availability. 
\n* Application-level Denial of Service attacks against Swiftype\n*Clickjacking on pages with no sensitive actions\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Lack of Rate limiting or bruteforce issues \n* Missing best practices in Content Security Policy.\n* Missing HttpOnly or Secure flags on cookies\n* Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).\n* Tabnabbing\n* Issues that require unlikely user interaction\n* Open Redirects that are not chained into a more impactful vulnerability\n* Broken links in documentation\n* Issues where an attacker gets access to paid features for free or at a discount\n* Recent acquisitions by Elastic are out of Scope for the Bug Bounty program for at least 6 months after the acquisition is complete. 
Reports received sooner than that will not qualify for a reward.\n\n\n# Stipulations\nTo be eligible for the Bug Bounty Program, you must not:\n* Be employed by Elastic or any subsidiary;\n* Be a former employee or contractor (including outsourced penetration tester)of Elastic or any subsidiary that has left the company less than `6` months ago.\n\n\n# Safe Harbor \nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. \n\nThank you for helping keep Elastic and our users safe!\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-11-17T09:08:52.900Z"},{"id":3765647,"new_policy":"The Elastic team appreciates the security community and shares the goal of keeping our businesses, customers, and the internet safe. Elastic values your efforts and promises to remain responsive; update you as your reports are triaged and remediated. We award bounty eligible reports at triage and hope to work together on an ongoing basis.\n\nElastic's bounty structure falls under two umbrellas: Product Vulnerabilities \u0026 Other. While we accept vulnerabilities on any assets that we own/control, we are _particularly_ interested in vulnerabilities in our products, and as such will pay significantly more as indicated in our bounty structure.\n\n##PRODUCT BUG BOUNTY AMOUNTS\n\nWe are specifically interested in any/all bugs related to the Elastic suite of products. Find an IDOR in Elasticsearch? Report it. Find an XSS in Kibana? Report it. 
If we wrote code with a bug in it, we want to know about it!\n\nOur code is [open](https://github.com/elastic) so use that to your advantage!\n\n## What we're interested in\n* Attacks that lead to compromise of Elastic user data\n* Widespread compromise of Elastic user accounts\n* Remote code execution on systems and applications\n* Access to administrator/superuser accounts\n* Arbitrary access to a user’s sensitive data/functionality\n* Kibana XSS and CSRF\n* Access to underlying containers\n* Access to unauthorized data as authenticated user\n* Privilege escalation as authenticated user to non superuser\n* Authenticated SSRF\n\n#Expectations\n* If you report a subdomain takeover, please document your findings in order to write the report.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\nScope\n* Our rewards are based on the severity of a vulnerability. Please note that reward decisions are up to the discretion of Elastic.\n\n\n#Disclosure\n* Let us know as soon as possible upon discovery of a potential security issue, and we’ll make every effort to quickly resolve the issue. \n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Follow HackerOne's disclosure guidelines.\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\nMultiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n\n##Out of scope\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. 
The following issues should be considered out of scope:\n*Clickjacking on pages with no sensitive actions\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Lack of Rate limiting or bruteforce issues \n* Missing best practices in Content Security Policy.\n* Missing HttpOnly or Secure flags on cookies\n* Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).\n* Tabnabbing\n* Issues that require unlikely user interaction\n* Open Redirects that are not chained into a more impactful vulnerability\n* Broken links in documentation\n* Issues where an attacker gets access to paid features for free or at a discount\n* Recent acquisitions by Elastic are out of Scope for the Bug Bounty program for at least 6 months after the acquisition is complete. Reports received sooner than that will not qualify for a reward.\n* Findings that require administrative or root operating system privileges are out of scope. Administrators are very powerful, free to modify or downgrade the OS. Elastic aligns with the MSRC's stance that the boundary between an administrator and the kernel is not a security boundary. 
https://www.microsoft.com/en-us/msrc/windows-security-servicing-criteria\n* Findings that require administrative level of access to our products and where the impact/severity is limited to Low for Availability. \n\n# Stipulations\nTo be eligible for the Bug Bounty Program, you must not:\n* Be employed by Elastic or any subsidiary;\n* Be a former employee or contractor (including outsourced penetration tester)of Elastic or any subsidiary that has left the company less than `6` months ago.\n\n\n# Safe Harbor \nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. \n\nThank you for helping keep Elastic and our users safe!\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-11-06T15:48:44.678Z"},{"id":3765640,"new_policy":"The Elastic team appreciates the security community and shares the goal of keeping our businesses, customers, and the internet safe. Elastic values your efforts and promises to remain responsive; update you as your reports are triaged and remediated. We award bounty eligible reports at triage and hope to work together on an ongoing basis.\n\nElastic's bounty structure falls under two umbrellas: Product Vulnerabilities \u0026 Other. 
While we accept vulnerabilities on any assets that we own/control, we are _particularly_ interested in vulnerabilities in our products, and as such will pay significantly more as indicated in our bounty structure.\n\n##PRODUCT BUG BOUNTY AMOUNTS\n\nWe are specifically interested in any/all bugs related to the Elastic suite of products. Find an IDOR in Elasticsearch? Report it. Find an XSS in Kibana? Report it. If we wrote code with a bug in it, we want to know about it!\n\nOur code is [open](https://github.com/elastic) so use that to your advantage!\n\n## What we're interested in\n* Attacks that lead to compromise of Elastic user data\n* Widespread compromise of Elastic user accounts\n* Remote code execution on systems and applications\n* Access to administrator/superuser accounts\n* Arbitrary access to a user’s sensitive data/functionality\n* Kibana XSS and CSRF\n* Bypass JSM restrictions\n* Access to underlying containers\n* Access to unauthorized data as authenticated user\n* Privilege escalation as authenticated user to non superuser\n* Authenticated SSRF\n* Sites accepting authentication without https protections\n\n#Expectations\n* If you report a subdomain takeover, please document your findings in order to write the report.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\nScope\n* Our rewards are based on the severity of a vulnerability. Please note that reward decisions are up to the discretion of Elastic.\n\n\n#Disclosure\n* Let us know as soon as possible upon discovery of a potential security issue, and we’ll make every effort to quickly resolve the issue. 
\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Follow HackerOne's disclosure guidelines.\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\nMultiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n\n##Out of scope\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues should be considered out of scope:\n*Clickjacking on pages with no sensitive actions\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Lack of Rate limiting or bruteforce issues \n* Missing best practices in Content Security Policy.\n* Missing HttpOnly or Secure flags on cookies\n* Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. 
stack traces, application or server errors).\n* Public Zero-day vulnerabilities that have had an official patch for less than 1 month will not be awarded a bounty.\n* Tabnabbing\n* Issues that require unlikely user interaction\n* Open Redirects that are not chained into a more impactful vulnerability\n* Broken links in documentation\n* Issues where an attacker gets access to paid features for free or at a discount\n* Recent acquisitions by Elastic are out of Scope for the Bug Bounty program for at least 6 months after the acquisition is complete. Reports received sooner than that will not qualify for a reward.\n* Findings that require administrative or root operating system privileges are out of scope. Administrators are very powerful, free to modify or downgrade the OS. Elastic aligns with the MSRC's stance that the boundary between an administrator and the kernel is not a security boundary. https://www.microsoft.com/en-us/msrc/windows-security-servicing-criteria\n\n# Stipulations\nTo be eligible for the Bug Bounty Program, you must not:\n* Be employed by Elastic or any subsidiary;\n* Be a former employee or contractor (including outsourced penetration tester)of Elastic or any subsidiary that has left the company less than `6` months ago.\n\n\n# Safe Harbor \nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. 
\n\nThank you for helping keep Elastic and our users safe!\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-11-06T15:10:28.148Z"},{"id":3761624,"new_policy":"The Elastic team appreciates the security community and shares the goal of keeping our businesses, customers, and the internet safe. Elastic values your efforts and promises to remain responsive; update you as your reports are triaged and remediated. We award bounty eligible reports at triage and hope to work together on an ongoing basis.\n\nElastic's bounty structure falls under two umbrellas: Product Vulnerabilities \u0026 Other. While we accept vulnerabilities on any assets that we own/control, we are _particularly_ interested in vulnerabilities in our products, and as such will pay significantly more as indicated in our bounty structure.\n\n##PRODUCT BUG BOUNTY AMOUNTS\n\nWe are specifically interested in any/all bugs related to the Elastic suite of products. Find an IDOR in Elasticsearch? Report it. Find an XSS in Kibana? Report it. If we wrote code with a bug in it, we want to know about it!\n\nOur code is [open](https://github.com/elastic) so use that to your advantage!\n\n## ELASTIC BUG BOUNTY EVENTS!\n\nWe're excited to announce that we will be running regular events over the next year targeting specific products/vulnerabilities! These events will pay increased awards for qualifying vulnerabilities.\n\n##SPECIAL ACHIEVEMENTS\n\nThese achievements will rotate as our program grows/matures. So keep an eye out for new achievements!\n\n| ACHIEVEMENT \t| BONUS \t| Hacker \t|\n|----------\t\t|------------\t\t| --------\t\t|\n| **Regicide** - Displace the current leaderboard leader. Can only be claimed by each researcher once. 
\t\t| $1,000 \t\t| subhashx , d0xing, dee-see, alexbrasetvik|\n| **For Crying out Cloud** - Work-around a fix for an existing bug on  Cloud     \t\t| $200  \t\t|  \t|\n| **Elastic it to The Man** - Be the first hacker to achieve RCE on Cloud    \t| $5,000  \t\t|  alexbrasetvik \t|\n| **Master of Puppets** - Be the first hacker to achieve ATO on Cloud      \t\t| $5,000   \t\t|   \t|\n| **Space Invaders** - Give yourself access to a Kibana space which you don't have access to \t\t| $500 \t\t|  \t|\n| **Stairway to Seven** - Report 7 consecutive valid bugs     \t\t| $700  \t\t|  streaak, alexbrasetvik, dee-see, d0xing, mateuszek, goldenstone\t|\n| **Key-nesian Economics** - Find sensitive API keys/credentials committed in our source code  \t| $500  \t\t|  mateuszek\n \t|\n|       \t\t|    \t\t|   \t|\n\n## What we're interested in\n* Attacks that lead to compromise of Elastic user data\n* Widespread compromise of Elastic user accounts\n* Remote code execution on systems and applications\n* Access to administrator/superuser accounts\n* Arbitrary access to a user’s sensitive data/functionality\n* Kibana XSS and CSRF\n* Bypass JSM restrictions\n* Access to underlying containers\n* Access to unauthorized data as authenticated user\n* Privilege escalation as authenticated user to non superuser\n* Authenticated SSRF\n* Sites accepting authentication without https protections\n\n#Expectations\n* If you report a subdomain takeover, please document your findings in order to write the report.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\nScope\n* Our rewards are based on the severity of a vulnerability. 
Please note that reward decisions are up to the discretion of Elastic.\n\n\n#Disclosure\n* Let us know as soon as possible upon discovery of a potential security issue, and we’ll make every effort to quickly resolve the issue. \n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Follow HackerOne's disclosure guidelines.\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\nMultiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n\n##Out of scope\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues should be considered out of scope:\n*Clickjacking on pages with no sensitive actions\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Lack of Rate limiting or bruteforce issues \n* Missing best practices in Content Security Policy.\n* Missing HttpOnly or Secure flags on cookies\n* Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. 
stack traces, application or server errors).\n* Public Zero-day vulnerabilities that have had an official patch for less than 1 month will not be awarded a bounty.\n* Tabnabbing\n* Issues that require unlikely user interaction\n* Open Redirects that are not chained into a more impactful vulnerability\n* Broken links in documentation\n* Issues where an attacker gets access to paid features for free or at a discount\n* Recent acquisitions by Elastic are out of Scope for the Bug Bounty program for at least 6 months after the acquisition is complete. Reports received sooner than that will not qualify for a reward.\n* Findings that require administrative or root operating system privileges are out of scope. Administrators are very powerful, free to modify or downgrade the OS. Elastic aligns with the MSRC's stance that the boundary between an administrator and the kernel is not a security boundary. https://www.microsoft.com/en-us/msrc/windows-security-servicing-criteria\n\n# Stipulations\nTo be eligible for the Bug Bounty Program, you must not:\n* Be employed by Elastic or any subsidiary;\n* Be a former employee or contractor (including outsourced penetration tester)of Elastic or any subsidiary that has left the company less than `6` months ago.\n\n\n# Safe Harbor \nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. 
\n\nThank you for helping keep Elastic and our users safe!\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-08-22T09:43:47.597Z"},{"id":3753696,"new_policy":"The Elastic team appreciates the security community and shares the goal of keeping our businesses, customers, and the internet safe. Elastic values your efforts and promises to remain responsive; update you as your reports are triaged and remediated. We award bounty eligible reports at triage and hope to work together on an ongoing basis.\n\nElastic's bounty structure falls under two umbrellas: Product Vulnerabilities \u0026 Other. While we accept vulnerabilities on any assets that we own/control, we are _particularly_ interested in vulnerabilities in our products, and as such will pay significantly more as indicated in our bounty structure.\n\n##PRODUCT BUG BOUNTY AMOUNTS\n\nWe are specifically interested in any/all bugs related to the Elastic suite of products. Find an IDOR in Elasticsearch? Report it. Find an XSS in Kibana? Report it. If we wrote code with a bug in it, we want to know about it!\n\nOur code is [open](https://github.com/elastic) so use that to your advantage!\n\n## ELASTIC BUG BOUNTY EVENTS!\n\nWe're excited to announce that we will be running regular events over the next year targeting specific products/vulnerabilities! These events will pay increased awards for qualifying vulnerabilities.\n\n##SPECIAL ACHIEVEMENTS\n\nThese achievements will rotate as our program grows/matures. So keep an eye out for new achievements!\n\n| ACHIEVEMENT \t| BONUS \t| Hacker \t|\n|----------\t\t|------------\t\t| --------\t\t|\n| **Regicide** - Displace the current leaderboard leader. Can only be claimed by each researcher once. 
\t\t| $1,000 \t\t| subhashx , d0xing, dee-see, alexbrasetvik|\n| **For Crying out Cloud** - Work-around a fix for an existing bug on  Cloud     \t\t| $200  \t\t|  \t|\n| **Elastic it to The Man** - Be the first hacker to achieve RCE on Cloud    \t| $5,000  \t\t|  alexbrasetvik \t|\n| **Master of Puppets** - Be the first hacker to achieve ATO on Cloud      \t\t| $5,000   \t\t|   \t|\n| **Space Invaders** - Give yourself access to a Kibana space which you don't have access to \t\t| $500 \t\t|  \t|\n| **Stairway to Seven** - Report 7 consecutive valid bugs     \t\t| $700  \t\t|  streaak, alexbrasetvik, dee-see, d0xing, mateuszek, goldenstone\t|\n| **Key-nesian Economics** - Find sensitive API keys/credentials committed in our source code  \t| $500  \t\t|  mateuszek\n \t|\n|       \t\t|    \t\t|   \t|\n\n## What we're interested in\n* Attacks that lead to compromise of Elastic user data\n* Widespread compromise of Elastic user accounts\n* Remote code execution on systems and applications\n* Access to administrator/superuser accounts\n* Arbitrary access to a user’s sensitive data/functionality\n* Kibana XSS and CSRF\n* Bypass JSM restrictions\n* Access to underlying containers\n* Access to unauthorized data as authenticated user\n* Privilege escalation as authenticated user to non superuser\n* Authenticated SSRF\n* Sites accepting authentication without https protections\n\n#Expectations\n* If you report a subdomain takeover, please document your findings in order to write the report.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\nScope\n* Our rewards are based on the severity of a vulnerability. 
Please note that reward decisions are up to the discretion of Elastic.\n\n\n#Disclosure\n* Let us know as soon as possible upon discovery of a potential security issue, and we’ll make every effort to quickly resolve the issue. \n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Follow HackerOne's disclosure guidelines.\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\nMultiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n\n##Out of scope\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues should be considered out of scope:\n*Clickjacking on pages with no sensitive actions\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Lack of Rate limiting or bruteforce issues \n* Missing best practices in Content Security Policy.\n* Missing HttpOnly or Secure flags on cookies\n* Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. 
stack traces, application or server errors).\n* Public Zero-day vulnerabilities that have had an official patch for less than 1 month will not be awarded a bounty.\n* Tabnabbing\n* Issues that require unlikely user interaction\n* Open Redirects that are not chained into a more impactful vulnerability\n* Broken links in documentation\n* Issues where an attacker gets access to paid features for free or at a discount\n* Recent acquisitions by Elastic are out of Scope for the Bug Bounty program for at least 6 months after the acquisition is complete. Reports received sooner than that will not qualify for a reward.\n\n# Stipulations\nTo be eligible for the Bug Bounty Program, you must not:\n* Be employed by Elastic or any subsidiary;\n* Be a former employee or contractor (including outsourced penetration tester)of Elastic or any subsidiary that has left the company less than `6` months ago.\n\n\n# Safe Harbor \nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. \n\nThank you for helping keep Elastic and our users safe!\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-04-14T15:09:19.378Z"},{"id":3708725,"new_policy":"The Elastic team appreciates the security community and shares the goal of keeping our businesses, customers, and the internet safe. Elastic values your efforts and promises to remain responsive; update you as your reports are triaged and remediated. 
We award bounty eligible reports at triage and hope to work together on an ongoing basis.\n\nElastic's bounty structure falls under two umbrellas: Product Vulnerabilities \u0026 Other. While we accept vulnerabilities on any assets that we own/control, we are _particularly_ interested in vulnerabilities in our products, and as such will pay significantly more as indicated in our bounty structure.\n\n##PRODUCT BUG BOUNTY AMOUNTS\n\nWe are specifically interested in any/all bugs related to the Elastic suite of products. Find an IDOR in Elasticsearch? Report it. Find an XSS in Kibana? Report it. If we wrote code with a bug in it, we want to know about it!\n\nOur code is [open](https://github.com/elastic) so use that to your advantage!\n\n## ELASTIC BUG BOUNTY EVENTS!\n\nWe're excited to announce that we will be running regular events over the next year targeting specific products/vulnerabilities! These events will pay increased awards for qualifying vulnerabilities.\n\n##SPECIAL ACHIEVEMENTS\n\nThese achievements will rotate as our program grows/matures. So keep an eye out for new achievements!\n\n| ACHIVEMENT \t| BONUS \t| Hacker \t|\n|----------\t\t|------------\t\t| --------\t\t|\n| **Regicide** - Displace the current leaderboard leader. Can only be claimed by each researcher once. 
\t\t| $1,000 \t\t| subhashx, d0xing, dee-see, alexbrasetvik \t|\n| **For Crying out Cloud** - Work around a fix for an existing bug on Cloud \t\t| $200 \t\t| \t|\n| **Elastic it to The Man** - Be the first hacker to achieve RCE on Cloud \t| $5,000 \t\t| alexbrasetvik \t|\n| **Master of Puppets** - Be the first hacker to achieve ATO on Cloud \t\t| $5,000 \t\t| \t|\n| **Space Invaders** - Give yourself access to a Kibana space which you don't have access to \t\t| $500 \t\t| \t|\n| **Stairway to Seven** - Report 7 consecutive valid bugs \t\t| $700 \t\t| streaak, alexbrasetvik, dee-see, d0xing, mateuszek, goldenstone \t|\n| **Key-nesian Economics** - Find sensitive API keys/credentials committed in our source code \t| $500 \t\t| mateuszek \t|\n\n## What we're interested in\n* Attacks that lead to compromise of Elastic user data\n* Widespread compromise of Elastic user accounts\n* Remote code execution on systems and applications\n* Access to administrator/superuser accounts\n* Arbitrary access to a user’s sensitive data/functionality\n* Kibana XSS and CSRF\n* Bypass of Java Security Manager (JSM) restrictions\n* Access to underlying containers\n* Access to unauthorized data as an authenticated user\n* Privilege escalation as an authenticated user to a non-superuser\n* Authenticated SSRF\n* Sites accepting authentication without HTTPS protections\n\n# Expectations\n* If you report a subdomain takeover, please document your findings in order to write the report.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good-faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* Our rewards are based on the severity of a vulnerability. 
Please note that reward decisions are up to the discretion of Elastic.\n\n\n# Disclosure\n* Let us know as soon as possible upon discovery of a potential security issue, and we’ll make every effort to quickly resolve the issue.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Follow HackerOne's disclosure guidelines.\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact. Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n\n## Out of scope\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues should be considered out of scope:\n* Clickjacking on pages with no sensitive actions\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n* Attacks requiring MITM or physical access to a user's device\n* Previously known vulnerable libraries without a working proof of concept\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability\n* Missing best practices in SSL/TLS configuration\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Lack of rate limiting or brute-force issues\n* Missing best practices in Content Security Policy\n* Missing HttpOnly or Secure flags on cookies\n* Missing email best practices (invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. 
stack traces, application or server errors).\n* Public zero-day vulnerabilities that have had an official patch for less than 1 month will not be awarded a bounty.\n* Tabnabbing\n* Issues that require unlikely user interaction\n* Open redirects that are not chained into a more impactful vulnerability\n* Broken links in documentation\n* Issues where an attacker gets access to paid features for free or at a discount\n* Recent acquisitions by Elastic are out of scope for the Bug Bounty program for at least 6 months after the acquisition is complete. Reports received sooner than that will not qualify for a reward.\n\n# Stipulations\nTo be eligible for the Bug Bounty Program, you must not:\n* Be employed by Elastic or any subsidiary;\n* Be a former employee or contractor (including outsourced penetration tester) of Elastic or any subsidiary who has left the company less than `6` months ago.\n\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Elastic and our users safe!\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-12-07T05:19:03.684Z"},{"id":3708537,"new_policy":"The Elastic team appreciates the security community and shares the goal of keeping our businesses, customers, and the internet safe. Elastic values your efforts and promises to remain responsive and to update you as your reports are triaged and remediated. 
We award bounty eligible reports at triage and hope to work together on an ongoing basis.\n\nElastic's bounty structure falls under two umbrellas: Product Vulnerabilities \u0026 Other. While we accept vulnerabilities on any assets that we own/control, we are _particularly_ interested in vulnerabilities in our products, and as such will pay significantly more as indicated in our bounty structure.\n\n##PRODUCT BUG BOUNTY AMOUNTS\n\nWe are specifically interested in any/all bugs related to the Elastic suite of products. Find an IDOR in Elasticsearch? Report it. Find an XSS in Kibana? Report it. If we wrote code with a bug in it, we want to know about it!\n\nOur code is [open](https://github.com/elastic) so use that to your advantage!\n\n## ELASTIC BUG BOUNTY EVENTS!\n\nWe're excited to announce that we will be running regular events over the next year targeting specific products/vulnerabilities! These events will pay increased awards for qualifying vulnerabilities.\n\n##SPECIAL ACHIEVEMENTS\n\nThese achievements will rotate as our program grows/matures. So keep an eye out for new achievements!\n\n| ACHIVEMENT \t| BONUS \t| Hacker \t|\n|----------\t\t|------------\t\t| --------\t\t|\n| **Regicide** - Displace the current leaderboard leader. Can only be claimed by each researcher once. 
\t\t| $1,000 \t\t| subhashx , d0xing, dee-see, alexbrasetvik|\n| **For Crying out Cloud** - Work-around a fix for an existing bug on  Cloud     \t\t| $200  \t\t|  \t|\n| **Elastic it to The Man** - Be the first hacker to achieve RCE on Cloud    \t| $5,000  \t\t|  alexbrasetvik \t|\n| **Master of Puppets** - Be the first hacker to achieve ATO on Cloud      \t\t| $5,000   \t\t|   \t|\n| **Space Invaders** - Give yourself access to a Kibana space which you don't have access to \t\t| $500 \t\t|  \t|\n| **Stairway to Seven** - Report 7 consecutive valid bugs     \t\t| $700  \t\t|  streaak, alexbrasetvik, dee-see, d0xing, mateuszek, goldenstone\t|\n| **Key-nesian Economics** - Find sensitive API keys/credentials committed in our source code  \t| $500  \t\t|  mateuszek\n \t|\n|       \t\t|    \t\t|   \t|\n\n## What we're interested in\n* Attacks that lead to compromise of Elastic user data\n* Widespread compromise of Elastic user accounts\n* Remote code execution on systems and applications\n* Access to administrator/superuser accounts\n* Arbitrary access to a user’s sensitive data/functionality\n* Kibana XSS and CSRF\n* Bypass JSM restrictions\n* Access to underlying containers\n* Access to unauthorized data as authenticated user\n* Privilege escalation as authenticated user to non superuser\n* Authenticated SSRF\n* Sites accepting authentication without https protections\n\n#Expectations\n* If you report a subdomain takeover, please document your findings in order to write the report.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\nScope\n* Our rewards are based on the severity of a vulnerability. 
Please note that reward decisions are up to the discretion of Elastic.\n\n\n#Disclosure\n* Let us know as soon as possible upon discovery of a potential security issue, and we’ll make every effort to quickly resolve the issue. \n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Follow HackerOne's disclosure guidelines.\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\nMultiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n\n##Out of scope\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues should be considered out of scope:\n*Clickjacking on pages with no sensitive actions\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Lack of Rate limiting or bruteforce issues \n* Missing best practices in Content Security Policy.\n* Missing HttpOnly or Secure flags on cookies\n* Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. 
stack traces, application or server errors).\n* Public Zero-day vulnerabilities that have had an official patch for less than 1 month will not be awarded a bounty.\n* Tabnabbing\n* Issues that require unlikely user interaction\n* Open Redirects that are not chained into a more impactful vulnerability\n* Broken links in documentation\n* Issues where an attacker gets access to paid features for free or at a discount\n\n# Stipulations\nTo be eligible for the Bug Bounty Program, you must not:\n* Be employed by Elastic or any subsidiary;\n* Be a former employee or contractor (including outsourced penetration tester)of Elastic or any subsidiary that has left the company less than `6` months ago.\n\n\n# Safe Harbor \nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. \n\nThank you for helping keep Elastic and our users safe!\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-12-04T20:03:19.148Z"},{"id":3704382,"new_policy":"The Elastic team appreciates the security community and shares the goal of keeping our businesses, customers, and the internet safe. Elastic values your efforts and promises to remain responsive; update you as your reports are triaged and remediated. We award bounty eligible reports at triage and hope to work together on an ongoing basis.\n\nElastic's bounty structure falls under two umbrellas: Product Vulnerabilities \u0026 Other. 
While we accept vulnerabilities on any assets that we own/control, we are _particularly_ interested in vulnerabilities in our products, and as such will pay significantly more as indicated in our bounty structure.\n\n##PRODUCT BUG BOUNTY AMOUNTS\n\nWe are specifically interested in any/all bugs related to the Elastic suite of products. Find an IDOR in Elasticsearch? Report it. Find an XSS in Kibana? Report it. If we wrote code with a bug in it, we want to know about it!\n\nOur code is [open](https://github.com/elastic) so use that to your advantage!\n\n## ELASTIC BUG BOUNTY EVENTS!\n\nWe're excited to announce that we will be running regular events over the next year targeting specific products/vulnerabilities! These events will pay increased awards for qualifying vulnerabilities.\n\n##SPECIAL ACHIEVEMENTS\n\nThese achievements will rotate as our program grows/matures. So keep an eye out for new achievements!\n\n| ACHIVEMENT \t| BONUS \t| Hacker \t|\n|----------\t\t|------------\t\t| --------\t\t|\n| **Regicide** - Displace the current leaderboard leader. Can only be claimed by each researcher once. 
\t\t| $1,000 \t\t| subhashx , d0xing, dee-see, alexbrasetvik|\n| **For Crying out Cloud** - Work-around a fix for an existing bug on  Cloud     \t\t| $200  \t\t|  \t|\n| **Elastic it to The Man** - Be the first hacker to achieve RCE on Cloud    \t| $5,000  \t\t|  alexbrasetvik \t|\n| **Master of Puppets** - Be the first hacker to achieve ATO on Cloud      \t\t| $5,000   \t\t|   \t|\n| **Space Invaders** - Give yourself access to a Kibana space which you don't have access to \t\t| $500 \t\t|  \t|\n| **Stairway to Seven** - Report 7 consecutive valid bugs     \t\t| $700  \t\t|  streaak, alexbrasetvik, dee-see, d0xing, mateuszek, goldenstone\t|\n| **Key-nesian Economics** - Find sensitive API keys/credentials committed in our source code  \t| $500  \t\t|  mateuszek\n \t|\n|       \t\t|    \t\t|   \t|\n\n## What we're interested in\n* Attacks that lead to compromise of Elastic user data\n* Widespread compromise of Elastic user accounts\n* Remote code execution on systems and applications\n* Access to administrator/superuser accounts\n* Arbitrary access to a user’s sensitive data/functionality\n* Kibana XSS and CSRF\n* Bypass JSM restrictions\n* Access to underlying containers\n* Access to unauthorized data as authenticated user\n* Privilege escalation as authenticated user to non superuser\n* Authenticated SSRF\n* Sites accepting authentication without https protections\n\n#Expectations\n* If you report a subdomain takeover, please document your findings in order to write the report.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\nScope\n* Our rewards are based on the severity of a vulnerability. 
Please note that reward decisions are up to the discretion of Elastic.\n\n\n#Disclosure\n* Let us know as soon as possible upon discovery of a potential security issue, and we’ll make every effort to quickly resolve the issue. \n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Follow HackerOne's disclosure guidelines.\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\nMultiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n\n##Out of scope\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues should be considered out of scope:\n*Clickjacking on pages with no sensitive actions\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Lack of Rate limiting or bruteforce issues \n* Missing best practices in Content Security Policy.\n* Missing HttpOnly or Secure flags on cookies\n* Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. 
stack traces, application or server errors).\n* Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.\n* Tabnabbing\n* Issues that require unlikely user interaction\n* Open Redirects that are not chained into a more impactful vulnerability\n* Broken links in documentation\n* Issues where an attacker gets access to paid features for free or at a discount\n\n# Stipulations\nTo be eligible for the Bug Bounty Program, you must not:\n* Be employed by Elastic or any subsidiary;\n* Be a former employee or contractor (including outsourced penetration tester)of Elastic or any subsidiary that has left the company less than `6` months ago.\n\n\n# Safe Harbor \nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. \n\nThank you for helping keep Elastic and our users safe!\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-10-02T16:09:18.448Z"},{"id":3689989,"new_policy":"The Elastic team appreciates the security community and shares the goal of keeping our businesses, customers, and the internet safe. Elastic values your efforts and promises to remain responsive; update you as your reports are triaged and remediated. We award bounty eligible reports at triage and hope to work together on an ongoing basis.\n\nElastic's bounty structure falls under two umbrellas: Product Vulnerabilities \u0026 Other. 
While we accept vulnerabilities on any assets that we own/control, we are _particularly_ interested in vulnerabilities in our products, and as such will pay significantly more as indicated in our bounty structure.\n\n##PRODUCT BUG BOUNTY AMOUNTS\n\nWe are specifically interested in any/all bugs related to the Elastic suite of products. Find an IDOR in Elasticsearch? Report it. Find an XSS in Kibana? Report it. If we wrote code with a bug in it, we want to know about it!\n\nOur code is [open](https://github.com/elastic) so use that to your advantage!\n\n## ELASTIC BUG BOUNTY EVENTS!\n\nWe're excited to announce that we will be running regular events over the next year targeting specific products/vulnerabilities! These events will pay increased awards for qualifying vulnerabilities.\n\n##SPECIAL ACHIEVEMENTS\n\nThese achievements will rotate as our program grows/matures. So keep an eye out for new achievements!\n\n| ACHIVEMENT \t| BONUS \t| Hacker \t|\n|----------\t\t|------------\t\t| --------\t\t|\n| **Regicide** - Displace the current leaderboard leader. Can only be claimed by each researcher once. 
\t\t| $1,000 \t\t| subhashx , d0xing, dee-see, alexbrasetvik|\n| **For Crying out Cloud** - Work-around a fix for an existing bug on  Cloud     \t\t| $200  \t\t|  \t|\n| **Elastic it to The Man** - Be the first hacker to achieve RCE on Cloud    \t| $5,000  \t\t|  alexbrasetvik \t|\n| **Master of Puppets** - Be the first hacker to achieve ATO on Cloud      \t\t| $5,000   \t\t|   \t|\n| **Space Invaders** - Give yourself access to a Kibana space which you don't have access to \t\t| $500 \t\t|  \t|\n| **Stairway to Seven** - Report 7 consecutive valid bugs     \t\t| $700  \t\t|  streaak, alexbrasetvik, dee-see, d0xing, mateuszek\t|\n| **Key-nesian Economics** - Find sensitive API keys/credentials committed in our source code  \t| $500  \t\t|  mateuszek\n \t|\n|       \t\t|    \t\t|   \t|\n\n## What we're interested in\n* Attacks that lead to compromise of Elastic user data\n* Widespread compromise of Elastic user accounts\n* Remote code execution on systems and applications\n* Access to administrator/superuser accounts\n* Arbitrary access to a user’s sensitive data/functionality\n* Kibana XSS and CSRF\n* Bypass JSM restrictions\n* Access to underlying containers\n* Access to unauthorized data as authenticated user\n* Privilege escalation as authenticated user to non superuser\n* Authenticated SSRF\n* Sites accepting authentication without https protections\n\n#Expectations\n* If you report a subdomain takeover, please document your findings in order to write the report.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\nScope\n* Our rewards are based on the severity of a vulnerability. 
Please note that reward decisions are up to the discretion of Elastic.\n\n\n#Disclosure\n* Let us know as soon as possible upon discovery of a potential security issue, and we’ll make every effort to quickly resolve the issue. \n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Follow HackerOne's disclosure guidelines.\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\nMultiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n\n##Out of scope\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues should be considered out of scope:\n*Clickjacking on pages with no sensitive actions\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Lack of Rate limiting or bruteforce issues \n* Missing best practices in Content Security Policy.\n* Missing HttpOnly or Secure flags on cookies\n* Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. 
stack traces, application or server errors).\n* Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.\n* Tabnabbing\n* Issues that require unlikely user interaction\n* Open Redirects that are not chained into a more impactful vulnerability\n* Broken links in documentation\n* Issues where an attacker gets access to paid features for free or at a discount\n\n# Stipulations\nTo be eligible for the Bug Bounty Program, you must not:\n* Be employed by Elastic or any subsidiary;\n* Be a former employee or contractor (including outsourced penetration tester)of Elastic or any subsidiary that has left the company less than `6` months ago.\n\n\n# Safe Harbor \nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. \n\nThank you for helping keep Elastic and our users safe!\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-06-27T11:02:58.603Z"},{"id":3689988,"new_policy":"The Elastic team appreciates the security community and shares the goal of keeping our businesses, customers, and the internet safe. Elastic values your efforts and promises to remain responsive; update you as your reports are triaged and remediated. We award bounty eligible reports at triage and hope to work together on an ongoing basis.\n\n\nElastic's bounty structure falls under two umbrellas: Product Vulnerabilities \u0026 Other. 
While we accept vulnerabilities on any assets that we own/control, we are _particularly_ interested in vulnerabilities in our products, and as such will pay significantly more, as indicated in our bounty structure.\n\n## PRODUCT BUG BOUNTY AMOUNTS\n\nWe are specifically interested in any/all bugs related to the Elastic suite of products. Find an IDOR in Elasticsearch? Report it. Find an XSS in Kibana? Report it. If we wrote code with a bug in it, we want to know about it!\n\nOur code is [open](https://github.com/elastic), so use that to your advantage!\n\n## ELASTIC BUG BOUNTY EVENTS!\n\nWe're excited to announce that we will be running regular events over the next year targeting specific products/vulnerabilities! These events will pay increased awards for qualifying vulnerabilities.\n\n### ELASTIC SYNTHETICS PROMOTION\n\nWhile it is currently in open beta, we want your help in finding security vulnerabilities in both our Cloud Synthetics monitors and our [Synthetics Recorder application](https://github.com/elastic/synthetics-recorder).\n\nTo get access, do the following:\n\n1. Create a new deployment on Cloud using an account with your @wearehackerone.com email alias.\n2. Once in the deployment, go to the Observability application and pick \"Uptime\".\n3. Go to the Monitor Management tab.\n4. Fill out the request form.\n5. Wait 24 hours for our team to approve you.\n6. Find bugs.\n7. Get paid!\n\nBecause we're excited to see vulnerabilities on this product, we're offering a 100% bonus on any vulnerabilities on this feature! 
That puts our bounties at:\n\n| SEVERITY \t| REWARD \t| CVSS SCORE \t|\n|----------\t\t|------------\t\t| --------\t\t|\n| Critical \t\t| $6,000-$14,000  \t\t| 9.0 - 10.0 \t|\n| High     \t\t| $3,000-$6,000  \t\t| 7.0 - 8.9  \t|\n| Medium   \t| $1,400-$3,000   \t\t| 4.0 - 6.9  \t|\n| Low      \t\t| $300-$1,400   \t\t| 0.1 - 3.9  \t|\n\nPlease reach out to security@elastic.co if you have any questions about this promotion!\n\n##SPECIAL ACHIEVEMENTS\n\nThese achievements will rotate as our program grows/matures. So keep an eye out for new achievements!\n\n| ACHIVEMENT \t| BONUS \t| Hacker \t|\n|----------\t\t|------------\t\t| --------\t\t|\n| **Regicide** - Displace the current leaderboard leader. Can only be claimed by each researcher once. \t\t| $1,000 \t\t| subhashx , d0xing, dee-see, alexbrasetvik|\n| **For Crying out Cloud** - Work-around a fix for an existing bug on  Cloud     \t\t| $200  \t\t|  \t|\n| **Elastic it to The Man** - Be the first hacker to achieve RCE on Cloud    \t| $5,000  \t\t|  alexbrasetvik \t|\n| **Master of Puppets** - Be the first hacker to achieve ATO on Cloud      \t\t| $5,000   \t\t|   \t|\n| **Space Invaders** - Give yourself access to a Kibana space which you don't have access to \t\t| $500 \t\t|  \t|\n| **Stairway to Seven** - Report 7 consecutive valid bugs     \t\t| $700  \t\t|  streaak, alexbrasetvik, dee-see, d0xing, mateuszek\t|\n| **Key-nesian Economics** - Find sensitive API keys/credentials committed in our source code  \t| $500  \t\t|  mateuszek\n \t|\n|       \t\t|    \t\t|   \t|\n\n\n\n## What we're interested in\n* Attacks that lead to compromise of Elastic user data\n* Widespread compromise of Elastic user accounts\n* Remote code execution on systems and applications\n* Access to administrator/superuser accounts\n* Arbitrary access to a user’s sensitive data/functionality\n* Kibana XSS and CSRF\n* Bypass JSM restrictions\n* Access to underlying containers\n* Access to unauthorized data as authenticated user\n* Privilege 
escalation as authenticated user to non superuser\n* Authenticated SSRF\n* Sites accepting authentication without https protections\n\n#Expectations\n* If you report a subdomain takeover, please document your findings in order to write the report.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\nScope\n* Our rewards are based on the severity of a vulnerability. Please note that reward decisions are up to the discretion of Elastic.\n\n\n#Disclosure\n* Let us know as soon as possible upon discovery of a potential security issue, and we’ll make every effort to quickly resolve the issue. \n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Follow HackerOne's disclosure guidelines.\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\nMultiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n\n##Out of scope\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. 
The following issues should be considered out of scope:\n*Clickjacking on pages with no sensitive actions\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Lack of Rate limiting or bruteforce issues \n* Missing best practices in Content Security Policy.\n* Missing HttpOnly or Secure flags on cookies\n* Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).\n* Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.\n* Tabnabbing\n* Issues that require unlikely user interaction\n* Open Redirects that are not chained into a more impactful vulnerability\n* Broken links in documentation\n* Issues where an attacker gets access to paid features for free or at a discount\n\n# Stipulations\nTo be eligible for the Bug Bounty Program, you must not:\n* Be employed by Elastic or any subsidiary;\n* Be a former employee or contractor (including outsourced penetration tester)of Elastic or any subsidiary that has left the company less than `6` months ago.\n\n\n# Safe Harbor \nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. \n\nThank you for helping keep Elastic and our users safe!\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-06-27T10:31:25.895Z"},{"id":3675841,"new_policy":"The Elastic team appreciates the security community and shares the goal of keeping our businesses, customers, and the internet safe. Elastic values your efforts and promises to remain responsive; update you as your reports are triaged and remediated. We award bounty eligible reports at triage and hope to work together on an ongoing basis.\n\n\nElastic's bounty structure falls under two umbrellas: Product Vulnerabilities \u0026 Other. While we accept vulnerabilities on any assets that we own/control, we are _particularly_ interested in vulnerabilities in our products, and as such will pay significantly more as indicated in our bounty structure.\n\n##PRODUCT BUG BOUNTY AMOUNTS\n\nWe are specifically interested in any/all bugs related to the Elastic suite of products. Find an IDOR in Elasticsearch? Report it. Find an XSS in Kibana? Report it. 
If we wrote code with a bug in it, we want to know about it!\n\nOur code is [open](https://github.com/elastic) so use that to your advantage!\n\n\n| SEVERITY \t| REWARD \t| CVSS SCORE \t|\n|----------\t\t|------------\t\t| --------\t\t|\n| Critical \t\t| $3,000-$7,000\t\t| 9.0 - 10.0 \t|\n| High     \t\t| $1,500-$3,000\t\t| 7.0 - 8.9  \t|\n| Medium   \t| $700-$1500   \t\t| 4.0 - 6.9  \t|\n| Low      \t\t| $150-$700   \t\t| 0.1 - 3.9  \t|\n\n##OTHER BOUNTY AMOUNTS\n\nAny other bugs that aren't specifically in one of our products (ie: information disclosure on an insecure server, subdomain takeover, exposed API keys, etc) will be paid on the following table:\n\n| SEVERITY \t| REWARD \t| CVSS SCORE \t|\n|----------\t\t|------------\t\t| --------\t\t|\n| Critical \t\t| $800-$2,000  \t\t| 9.0 - 10.0 \t|\n| High     \t\t| $400-$800  \t\t| 7.0 - 8.9  \t|\n| Medium   \t| $200-$400   \t\t| 4.0 - 6.9  \t|\n| Low      \t\t| $100-$200   \t\t| 0.1 - 3.9  \t|\n\n\n## ELASTIC BUG BOUNTY EVENTS!\n\nWe're excited to announce that we will be running regular events over the next year targeting specific products/vulnerabilities! These events will pay increased awards for qualifying vulnerabilities.\n\n### ELASTIC SYNTHETICS PROMOTION\n\nWhile currently in open-beta, we want your help in finding security vulnerabilities on both our cloud Synthetics monitors, and our [Synthetics Recorder application](https://github.com/elastic/synthetics-recorder). \n\nTo get access, do the following steps:\n\n1. Create a new deployment on cloud using an account with your @wearehackerone.com email alias.\n2. Once in the deployment, go to the Observability application and pick the \"Uptime\"\n3. Go to the Monitor Management tab\n4. Fill out the request form.\n5. Wait 24 hours for our team to approve you.\n6. Find bugs\n7. Get paid!\n\nBecause we're excited to see vulnerabilities on this product, we're offering a 100% bonus on any vulnerabilities on this feature! 
That puts our bounties at:\n\n| SEVERITY \t| REWARD \t| CVSS SCORE \t|\n|----------\t\t|------------\t\t| --------\t\t|\n| Critical \t\t| $6,000-$14,000  \t\t| 9.0 - 10.0 \t|\n| High     \t\t| $3,000-$6,000  \t\t| 7.0 - 8.9  \t|\n| Medium   \t| $1,400-$3,000   \t\t| 4.0 - 6.9  \t|\n| Low      \t\t| $300-$1,400   \t\t| 0.1 - 3.9  \t|\n\nPlease reach out to security@elastic.co if you have any questions about this promotion!\n\n##SPECIAL ACHIEVEMENTS\n\nThese achievements will rotate as our program grows/matures. So keep an eye out for new achievements!\n\n| ACHIVEMENT \t| BONUS \t| Hacker \t|\n|----------\t\t|------------\t\t| --------\t\t|\n| **Regicide** - Displace the current leaderboard leader. Can only be claimed by each researcher once. \t\t| $1,000 \t\t| subhashx , d0xing, dee-see, alexbrasetvik|\n| **For Crying out Cloud** - Work-around a fix for an existing bug on  Cloud     \t\t| $200  \t\t|  \t|\n| **Elastic it to The Man** - Be the first hacker to achieve RCE on Cloud    \t| $5,000  \t\t|  alexbrasetvik \t|\n| **Master of Puppets** - Be the first hacker to achieve ATO on Cloud      \t\t| $5,000   \t\t|   \t|\n| **Space Invaders** - Give yourself access to a Kibana space which you don't have access to \t\t| $500 \t\t|  \t|\n| **Stairway to Seven** - Report 7 consecutive valid bugs     \t\t| $700  \t\t|  streaak, alexbrasetvik, dee-see, d0xing, mateuszek\t|\n| **Key-nesian Economics** - Find sensitive API keys/credentials committed in our source code  \t| $500  \t\t|  mateuszek\n \t|\n|       \t\t|    \t\t|   \t|\n\n\n\n## What we're interested in\n* Attacks that lead to compromise of Elastic user data\n* Widespread compromise of Elastic user accounts\n* Remote code execution on systems and applications\n* Access to administrator/superuser accounts\n* Arbitrary access to a user’s sensitive data/functionality\n* Kibana XSS and CSRF\n* Bypass JSM restrictions\n* Access to underlying containers\n* Access to unauthorized data as authenticated user\n* Privilege 
escalation as authenticated user to non superuser\n* Authenticated SSRF\n* Sites accepting authentication without https protections\n\n#Expectations\n* If you report a subdomain takeover, please document your findings in order to write the report.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\nScope\n* Our rewards are based on the severity of a vulnerability. Please note that reward decisions are up to the discretion of Elastic.\n\n\n#Disclosure\n* Let us know as soon as possible upon discovery of a potential security issue, and we’ll make every effort to quickly resolve the issue. \n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Follow HackerOne's disclosure guidelines.\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\nMultiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n\n##Out of scope\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. 
The following issues should be considered out of scope:\n*Clickjacking on pages with no sensitive actions\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Lack of Rate limiting or bruteforce issues \n* Missing best practices in Content Security Policy.\n* Missing HttpOnly or Secure flags on cookies\n* Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).\n* Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.\n* Tabnabbing\n* Issues that require unlikely user interaction\n* Open Redirects that are not chained into a more impactful vulnerability\n* Broken links in documentation\n* Issues where an attacker gets access to paid features for free or at a discount\n\n# Stipulations\nTo be eligible for the Bug Bounty Program, you must not:\n* Be employed by Elastic or any subsidiary;\n* Be a former employee or contractor (including outsourced penetration tester)of Elastic or any subsidiary that has left the company less than `6` months ago.\n\n\n# Safe Harbor \nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. \n\nThank you for helping keep Elastic and our users safe!\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-08-08T17:03:41.157Z"},{"id":3674337,"new_policy":"The Elastic team appreciates the security community and shares the goal of keeping our businesses, customers, and the internet safe. Elastic values your efforts and promises to remain responsive; update you as your reports are triaged and remediated. We award bounty eligible reports at triage and hope to work together on an ongoing basis.\n\n\nElastic's bounty structure falls under two umbrellas: Product Vulnerabilities \u0026 Other. While we accept vulnerabilities on any assets that we own/control, we are _particularly_ interested in vulnerabilities in our products, and as such will pay significantly more as indicated in our bounty structure.\n\n##PRODUCT BUG BOUNTY AMOUNTS\n\nWe are specifically interested in any/all bugs related to the Elastic suite of products. Find an IDOR in Elasticsearch? Report it. Find an XSS in Kibana? Report it. 
If we wrote code with a bug in it, we want to know about it!\n\nOur code is [open](https://github.com/elastic) so use that to your advantage!\n\n\n| SEVERITY \t| REWARD \t| CVSS SCORE \t|\n|----------\t\t|------------\t\t| --------\t\t|\n| Critical \t\t| $3,000-$7,000\t\t| 9.0 - 10.0 \t|\n| High     \t\t| $1,500-$3,000\t\t| 7.0 - 8.9  \t|\n| Medium   \t| $700-$1500   \t\t| 4.0 - 6.9  \t|\n| Low      \t\t| $150-$700   \t\t| 0.1 - 3.9  \t|\n\n##OTHER BOUNTY AMOUNTS\n\nAny other bugs that aren't specifically in one of our products (ie: information disclosure on an insecure server, subdomain takeover, exposed API keys, etc) will be paid on the following table:\n\n| SEVERITY \t| REWARD \t| CVSS SCORE \t|\n|----------\t\t|------------\t\t| --------\t\t|\n| Critical \t\t| $800-$2,000  \t\t| 9.0 - 10.0 \t|\n| High     \t\t| $400-$800  \t\t| 7.0 - 8.9  \t|\n| Medium   \t| $200-$400   \t\t| 4.0 - 6.9  \t|\n| Low      \t\t| $100-$200   \t\t| 0.1 - 3.9  \t|\n\n\n## ELASTIC BUG BOUNTY EVENTS!\n\nWe're excited to announce that we will be running regular events over the next year targeting specific products/vulnerabilities! These events will pay increased awards for qualifying vulnerabilities.\n\n### ELASTIC SYNTHETICS PROMOTION\n\nWhile currently in open-beta, we want your help in finding security vulnerabilities on both our cloud Synthetics monitors, and our [Synthetics Recorder application](https://github.com/elastic/synthetics-recorder). \n\nTo get access, do the following steps:\n\n1. Create a new deployment on cloud using an account with your @wearehackerone.com email alias.\n2. Once in the deployment, go to the Observability application and pick the \"Uptime\"\n3. Go to the Monitor Management tab\n4. Fill out the request form.\n5. Wait 24 hours for our team to approve you.\n6. Find bugs\n7. Get paid!\n\nBecause we're excited to see vulnerabilities on this product, we're offering a 100% bonus on any vulnerabilities on this feature! 
That puts our bounties at:\n\n| SEVERITY \t| REWARD \t| CVSS SCORE \t|\n|----------\t\t|------------\t\t| --------\t\t|\n| Critical \t\t| $6,000-$14,000  \t\t| 9.0 - 10.0 \t|\n| High     \t\t| $3,000-$6,000  \t\t| 7.0 - 8.9  \t|\n| Medium   \t| $1,400-$3,000   \t\t| 4.0 - 6.9  \t|\n| Low      \t\t| $300-$1,400   \t\t| 0.1 - 3.9  \t|\n\nPlease reach out to security@elastic.co if you have any questions about this promotion!\n\n##SPECIAL ACHIEVEMENTS\n\nThese achievements will rotate as our program grows/matures. So keep an eye out for new achievements!\n\n| ACHIVEMENT \t| BONUS \t| Hacker \t|\n|----------\t\t|------------\t\t| --------\t\t|\n| **Regicide** - Displace the current leaderboard leader. Can only be claimed by each researcher once. \t\t| $1,000 \t\t| subhashx , d0xing, dee-see, alexbrasetvik|\n| **For Crying out Cloud** - Work-around a fix for an existing bug on  Cloud     \t\t| $200  \t\t|  \t|\n| **Elastic it to The Man** - Be the first hacker to achieve RCE on Cloud    \t| $5,000  \t\t|  alexbrasetvik \t|\n| **Master of Puppets** - Be the first hacker to achieve ATO on Cloud      \t\t| $5,000   \t\t|   \t|\n| **Space Invaders** - Give yourself access to a Kibana space which you don't have access to \t\t| $500 \t\t|  \t|\n| **Stairway to Seven** - Report 7 consecutive valid bugs     \t\t| $700  \t\t|  streaak, alexbrasetvik, dee-see, d0xing\t|\n| **Key-nesian Economics** - Find sensitive API keys/credentials committed in our source code  \t| $500  \t\t|  mateuszek\n \t|\n|       \t\t|    \t\t|   \t|\n\n\n\n## What we're interested in\n* Attacks that lead to compromise of Elastic user data\n* Widespread compromise of Elastic user accounts\n* Remote code execution on systems and applications\n* Access to administrator/superuser accounts\n* Arbitrary access to a user’s sensitive data/functionality\n* Kibana XSS and CSRF\n* Bypass JSM restrictions\n* Access to underlying containers\n* Access to unauthorized data as authenticated user\n* Privilege escalation 
as authenticated user to non superuser\n* Authenticated SSRF\n* Sites accepting authentication without https protections\n\n#Expectations\n* If you report a subdomain takeover, please document your findings in order to write the report.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\nScope\n* Our rewards are based on the severity of a vulnerability. Please note that reward decisions are up to the discretion of Elastic.\n\n\n#Disclosure\n* Let us know as soon as possible upon discovery of a potential security issue, and we’ll make every effort to quickly resolve the issue. \n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Follow HackerOne's disclosure guidelines.\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\nMultiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n\n##Out of scope\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. 
The following issues should be considered out of scope:\n*Clickjacking on pages with no sensitive actions\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Lack of Rate limiting or bruteforce issues \n* Missing best practices in Content Security Policy.\n* Missing HttpOnly or Secure flags on cookies\n* Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).\n* Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.\n* Tabnabbing\n* Issues that require unlikely user interaction\n* Open Redirects that are not chained into a more impactful vulnerability\n* Broken links in documentation\n* Issues where an attacker gets access to paid features for free or at a discount\n\n# Stipulations\nTo be eligible for the Bug Bounty Program, you must not:\n* Be employed by Elastic or any subsidiary;\n* Be a former employee or contractor (including outsourced penetration tester)of Elastic or any subsidiary that has left the company less than `6` months ago.\n\n\n# Safe Harbor \nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. \n\nThank you for helping keep Elastic and our users safe!\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-07-13T17:06:57.172Z"},{"id":3674334,"new_policy":"The Elastic team appreciates the security community and shares the goal of keeping our businesses, customers, and the internet safe. Elastic values your efforts and promises to remain responsive; update you as your reports are triaged and remediated. We award bounty eligible reports at triage and hope to work together on an ongoing basis.\n\n\nElastic's bounty structure falls under two umbrellas: Product Vulnerabilities \u0026 Other. While we accept vulnerabilities on any assets that we own/control, we are _particularly_ interested in vulnerabilities in our products, and as such will pay significantly more as indicated in our bounty structure.\n\n##PRODUCT BUG BOUNTY AMOUNTS\n\nWe are specifically interested in any/all bugs related to the Elastic suite of products. Find an IDOR in Elasticsearch? Report it. Find an XSS in Kibana? Report it. 
If we wrote code with a bug in it, we want to know about it!\n\nOur code is [open](https://github.com/elastic) so use that to your advantage!\n\n\n| SEVERITY \t| REWARD \t| CVSS SCORE \t|\n|----------\t\t|------------\t\t| --------\t\t|\n| Critical \t\t| $3,000-$7,000\t\t| 9.0 - 10.0 \t|\n| High     \t\t| $1,500-$3,000\t\t| 7.0 - 8.9  \t|\n| Medium   \t| $700-$1500   \t\t| 4.0 - 6.9  \t|\n| Low      \t\t| $150-$700   \t\t| 0.1 - 3.9  \t|\n\n##OTHER BOUNTY AMOUNTS\n\nAny other bugs that aren't specifically in one of our products (ie: information disclosure on an insecure server, subdomain takeover, exposed API keys, etc) will be paid on the following table:\n\n| SEVERITY \t| REWARD \t| CVSS SCORE \t|\n|----------\t\t|------------\t\t| --------\t\t|\n| Critical \t\t| $800-$2,000  \t\t| 9.0 - 10.0 \t|\n| High     \t\t| $400-$800  \t\t| 7.0 - 8.9  \t|\n| Medium   \t| $200-$400   \t\t| 4.0 - 6.9  \t|\n| Low      \t\t| $100-$200   \t\t| 0.1 - 3.9  \t|\n\n##SPECIAL ACHIEVEMENTS\n\nThese achievements will rotate as our program grows/matures. So keep an eye out for new achievements!\n\n| ACHIVEMENT \t| BONUS \t| Hacker \t|\n|----------\t\t|------------\t\t| --------\t\t|\n| **Regicide** - Displace the current leaderboard leader. Can only be claimed by each researcher once. 
\t\t| $1,000 \t\t| subhashx , d0xing, dee-see, alexbrasetvik|\n| **For Crying out Cloud** - Work-around a fix for an existing bug on  Cloud     \t\t| $200  \t\t|  \t|\n| **Elastic it to The Man** - Be the first hacker to achieve RCE on Cloud    \t| $5,000  \t\t|  alexbrasetvik \t|\n| **Master of Puppets** - Be the first hacker to achieve ATO on Cloud      \t\t| $5,000   \t\t|   \t|\n| **Space Invaders** - Give yourself access to a Kibana space which you don't have access to \t\t| $500 \t\t|  \t|\n| **Stairway to Seven** - Report 7 consecutive valid bugs     \t\t| $700  \t\t|  streaak, alexbrasetvik, dee-see, d0xing\t|\n| **Key-nesian Economics** - Find sensitive API keys/credentials committed in our source code  \t| $500  \t\t|  mateuszek\n \t|\n|       \t\t|    \t\t|   \t|\n\n\n## ELASTIC BUG BOUNTY EVENTS!\n\nWe're excited to announce that we will be running regular events over the next year targeting specific products/vulnerabilities! These events will pay increased awards for qualifying vulnerabilities.\n\n### ELASTIC SYNTHETICS PROMOTION\n\nWhile currently in open-beta, we want your help in finding security vulnerabilities on both our cloud Synthetics monitors, and our [Synthetics Recorder application](https://github.com/elastic/synthetics-recorder). \n\nTo get access, do the following steps:\n\n1. Create a new deployment on cloud using an account with your @wearehackerone.com email alias.\n2. Once in the deployment, go to the Observability application and pick the \"Uptime\"\n3. Go to the Monitor Management tab\n4. Fill out the request form.\n5. Wait 24 hours for our team to approve you.\n6. Find bugs\n7. Get paid!\n\nBecause we're excited to see vulnerabilities on this product, we're offering a 100% bonus on any vulnerabilities on this feature! 
That puts our bounties at:\n\n| SEVERITY \t| REWARD \t| CVSS SCORE \t|\n|----------\t\t|------------\t\t| --------\t\t|\n| Critical \t\t| $6,000-$14,000  \t\t| 9.0 - 10.0 \t|\n| High     \t\t| $3,000-$6,000  \t\t| 7.0 - 8.9  \t|\n| Medium   \t| $1,400-$3,000   \t\t| 4.0 - 6.9  \t|\n| Low      \t\t| $300-$1,400   \t\t| 0.1 - 3.9  \t|\n\nPlease reach out to security@elastic.co if you have any questions about this promotion!\n\n\n## What we're interested in\n* Attacks that lead to compromise of Elastic user data\n* Widespread compromise of Elastic user accounts\n* Remote code execution on systems and applications\n* Access to administrator/superuser accounts\n* Arbitrary access to a user’s sensitive data/functionality\n* Kibana XSS and CSRF\n* Bypass JSM restrictions\n* Access to underlying containers\n* Access to unauthorized data as authenticated user\n* Privilege escalation as authenticated user to non superuser\n* Authenticated SSRF\n* Sites accepting authentication without https protections\n\n#Expectations\n* If you report a subdomain takeover, please document your findings in order to write the report.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\nScope\n* Our rewards are based on the severity of a vulnerability. Please note that reward decisions are up to the discretion of Elastic.\n\n\n#Disclosure\n* Let us know as soon as possible upon discovery of a potential security issue, and we’ll make every effort to quickly resolve the issue. \n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Follow HackerOne's disclosure guidelines.\n* Please provide detailed reports with reproducible steps. 
If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\nMultiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n\n##Out of scope\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues should be considered out of scope:\n*Clickjacking on pages with no sensitive actions\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Lack of Rate limiting or bruteforce issues \n* Missing best practices in Content Security Policy.\n* Missing HttpOnly or Secure flags on cookies\n* Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. 
stack traces, application or server errors).\n* Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.\n* Tabnabbing\n* Issues that require unlikely user interaction\n* Open Redirects that are not chained into a more impactful vulnerability\n* Broken links in documentation\n* Issues where an attacker gets access to paid features for free or at a discount\n\n# Stipulations\nTo be eligible for the Bug Bounty Program, you must not:\n* Be employed by Elastic or any subsidiary;\n* Be a former employee or contractor (including outsourced penetration tester)of Elastic or any subsidiary that has left the company less than `6` months ago.\n\n\n# Safe Harbor \nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. \n\nThank you for helping keep Elastic and our users safe!\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-07-13T17:05:34.634Z"},{"id":3673309,"new_policy":"The Elastic team appreciates the security community and shares the goal of keeping our businesses, customers, and the internet safe. Elastic values your efforts and promises to remain responsive; update you as your reports are triaged and remediated. We award bounty eligible reports at triage and hope to work together on an ongoing basis.\n\n\nElastic's bounty structure falls under two umbrellas: Product Vulnerabilities \u0026 Other. 
While we accept vulnerabilities on any assets that we own/control, we are _particularly_ interested in vulnerabilities in our products, and as such will pay significantly more as indicated in our bounty structure.\n\n##PRODUCT BUG BOUNTY AMOUNTS\n\nWe are specifically interested in any/all bugs related to the Elastic suite of products. Find an IDOR in Elasticsearch? Report it. Find an XSS in Kibana? Report it. If we wrote code with a bug in it, we want to know about it!\n\nOur code is [open](https://github.com/elastic) so use that to your advantage!\n\n\n| SEVERITY \t| REWARD \t| CVSS SCORE \t|\n|----------\t\t|------------\t\t| --------\t\t|\n| Critical \t\t| $3,000-$7,000\t\t| 9.0 - 10.0 \t|\n| High     \t\t| $1,500-$3,000\t\t| 7.0 - 8.9  \t|\n| Medium   \t| $700-$1500   \t\t| 4.0 - 6.9  \t|\n| Low      \t\t| $150-$700   \t\t| 0.1 - 3.9  \t|\n\n##OTHER BOUNTY AMOUNTS\n\nAny other bugs that aren't specifically in one of our products (ie: information disclosure on an insecure server, subdomain takeover, exposed API keys, etc) will be paid on the following table:\n\n| SEVERITY \t| REWARD \t| CVSS SCORE \t|\n|----------\t\t|------------\t\t| --------\t\t|\n| Critical \t\t| $800-$2,000  \t\t| 9.0 - 10.0 \t|\n| High     \t\t| $400-$800  \t\t| 7.0 - 8.9  \t|\n| Medium   \t| $200-$400   \t\t| 4.0 - 6.9  \t|\n| Low      \t\t| $100-$200   \t\t| 0.1 - 3.9  \t|\n\n##SPECIAL ACHIEVEMENTS\n\nThese achievements will rotate as our program grows/matures. So keep an eye out for new achievements!\n\n| ACHIVEMENT \t| BONUS \t| Hacker \t|\n|----------\t\t|------------\t\t| --------\t\t|\n| **Regicide** - Displace the current leaderboard leader. Can only be claimed by each researcher once. 
\t\t| $1,000 \t\t| subhashx , d0xing, dee-see, alexbrasetvik|\n| **For Crying out Cloud** - Work-around a fix for an existing bug on  Cloud     \t\t| $200  \t\t|  \t|\n| **Elastic it to The Man** - Be the first hacker to achieve RCE on Cloud    \t| $5,000  \t\t|  alexbrasetvik \t|\n| **Master of Puppets** - Be the first hacker to achieve ATO on Cloud      \t\t| $5,000   \t\t|   \t|\n| **Space Invaders** - Give yourself access to a Kibana space which you don't have access to \t\t| $500 \t\t|  \t|\n| **Stairway to Seven** - Report 7 consecutive valid bugs     \t\t| $700  \t\t|  streaak, alexbrasetvik, dee-see, d0xing\t|\n| **Key-nesian Economics** - Find sensitive API keys/credentials committed in our source code  \t| $500  \t\t|  mateuszek\n \t|\n|       \t\t|    \t\t|   \t|\n\n\n## ELASTIC BUG BOUNTY EVENTS!\n\nWe're excited to announce that we will be running regular events over the next year targeting specific products/vulnerabilities! These events will pay increased awards for qualifying vulnerabilities.\n\nWe are currently in-between events - stay tuned in the coming weeks for our next event announcement!\n\n\n## What we're interested in\n* Attacks that lead to compromise of Elastic user data\n* Widespread compromise of Elastic user accounts\n* Remote code execution on systems and applications\n* Access to administrator/superuser accounts\n* Arbitrary access to a user’s sensitive data/functionality\n* Kibana XSS and CSRF\n* Bypass JSM restrictions\n* Access to underlying containers\n* Access to unauthorized data as authenticated user\n* Privilege escalation as authenticated user to non superuser\n* Authenticated SSRF\n* Sites accepting authentication without https protections\n\n#Expectations\n* If you report a subdomain takeover, please document your findings in order to write the report.\n* Social engineering (e.g. 
phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\nScope\n* Our rewards are based on the severity of a vulnerability. Please note that reward decisions are up to the discretion of Elastic.\n\n\n#Disclosure\n* Let us know as soon as possible upon discovery of a potential security issue, and we’ll make every effort to quickly resolve the issue. \n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Follow HackerOne's disclosure guidelines.\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\nMultiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n\n##Out of scope\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. 
The following issues should be considered out of scope:\n* Clickjacking on pages with no sensitive actions\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Lack of rate limiting or brute-force issues\n* Missing best practices in Content Security Policy.\n* Missing HttpOnly or Secure flags on cookies\n* Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).\n* Public zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case-by-case basis.\n* Tabnabbing\n* Issues that require unlikely user interaction\n* Open Redirects that are not chained into a more impactful vulnerability\n* Broken links in documentation\n* Issues where an attacker gets access to paid features for free or at a discount\n\n# Stipulations\nTo be eligible for the Bug Bounty Program, you must not:\n* Be employed by Elastic or any subsidiary;\n* Be a former employee or contractor (including outsourced penetration tester) of Elastic or any subsidiary that has left the company less than `6` months ago.\n\n\n# Safe Harbor \nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. \n\nThank you for helping keep Elastic and our users safe!\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-06-24T16:10:47.309Z"},{"id":3670129,"new_policy":"The Elastic team appreciates the security community and shares the goal of keeping our businesses, customers, and the internet safe. Elastic values your efforts and promises to remain responsive; update you as your reports are triaged and remediated. We award bounty eligible reports at triage and hope to work together on an ongoing basis.\n\n\nElastic's bounty structure falls under two umbrellas: Product Vulnerabilities \u0026 Other. While we accept vulnerabilities on any assets that we own/control, we are _particularly_ interested in vulnerabilities in our products, and as such will pay significantly more as indicated in our bounty structure.\n\n##PRODUCT BUG BOUNTY AMOUNTS\n\nWe are specifically interested in any/all bugs related to the Elastic suite of products. Find an IDOR in Elasticsearch? Report it. Find an XSS in Kibana? Report it. 
If we wrote code with a bug in it, we want to know about it!\n\nOur code is [open](https://github.com/elastic) so use that to your advantage!\n\n\n| SEVERITY \t| REWARD \t| CVSS SCORE \t|\n|----------\t\t|------------\t\t| --------\t\t|\n| Critical \t\t| $3,000-$7,000\t\t| 9.0 - 10.0 \t|\n| High     \t\t| $1,500-$3,000\t\t| 7.0 - 8.9  \t|\n| Medium   \t| $700-$1,500  \t\t| 4.0 - 6.9  \t|\n| Low      \t\t| $150-$700   \t\t| 0.1 - 3.9  \t|\n\n##OTHER BOUNTY AMOUNTS\n\nAny other bugs that aren't specifically in one of our products (i.e., information disclosure on an insecure server, subdomain takeover, exposed API keys, etc.) will be paid according to the following table:\n\n| SEVERITY \t| REWARD \t| CVSS SCORE \t|\n|----------\t\t|------------\t\t| --------\t\t|\n| Critical \t\t| $800-$2,000  \t\t| 9.0 - 10.0 \t|\n| High     \t\t| $400-$800  \t\t| 7.0 - 8.9  \t|\n| Medium   \t| $200-$400   \t\t| 4.0 - 6.9  \t|\n| Low      \t\t| $100-$200   \t\t| 0.1 - 3.9  \t|\n\n##SPECIAL ACHIEVEMENTS\n\nThese achievements will rotate as our program grows/matures. So keep an eye out for new achievements!\n\n| ACHIEVEMENT \t| BONUS \t| Hacker \t|\n|----------\t\t|------------\t\t| --------\t\t|\n| **Regicide** - Displace the current leaderboard leader. Can only be claimed by each researcher once. 
\t\t| $1,000 \t\t| subhashx, d0xing, dee-see, alexbrasetvik \t|\n| **For Crying out Cloud** - Work around a fix for an existing bug on Cloud     \t\t| $200  \t\t|  \t|\n| **Elastic it to The Man** - Be the first hacker to achieve RCE on Cloud    \t| $5,000  \t\t|  alexbrasetvik \t|\n| **Master of Puppets** - Be the first hacker to achieve ATO on Cloud      \t\t| $5,000   \t\t|   \t|\n| **Space Invaders** - Give yourself access to a Kibana space which you don't have access to \t\t| $500 \t\t|  \t|\n| **Stairway to Seven** - Report 7 consecutive valid bugs     \t\t| $700  \t\t|  streaak, alexbrasetvik, dee-see, d0xing\t|\n| **Key-nesian Economics** - Find sensitive API keys/credentials committed in our source code  \t| $500  \t\t|  mateuszek \t|\n|       \t\t|    \t\t|   \t|\n\n\n## ELASTIC BUG BOUNTY EVENTS!\n\nWe're excited to announce that we will be running regular events over the next year targeting specific products/vulnerabilities! These events will pay increased awards for qualifying vulnerabilities.\n\nWe are currently in-between events - stay tuned in the coming weeks for our next event announcement!\n\n\n## What we're interested in\n* Attacks that lead to compromise of Elastic user data\n* Widespread compromise of Elastic user accounts\n* Remote code execution on systems and applications\n* Access to administrator/superuser accounts\n* Arbitrary access to a user’s sensitive data/functionality\n* Kibana XSS and CSRF\n* Bypass JSM restrictions\n* Access to underlying containers\n* Access to unauthorized data as authenticated user\n* Privilege escalation as authenticated user to non superuser\n* Authenticated SSRF\n* Sites accepting authentication without https protections\n\n#Expectations\n* If you report a subdomain takeover, please document your findings in order to write the report.\n* Social engineering (e.g. 
phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\nScope\n* Our rewards are based on the severity of a vulnerability. Please note that reward decisions are up to the discretion of Elastic.\n\n\n#Disclosure\n* Let us know as soon as possible upon discovery of a potential security issue, and we’ll make every effort to quickly resolve the issue. \n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Follow HackerOne's disclosure guidelines.\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\nMultiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n\n##Out of scope\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. 
The following issues should be considered out of scope:\n* Clickjacking on pages with no sensitive actions\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Lack of rate limiting or brute-force issues\n* Missing best practices in Content Security Policy.\n* Missing HttpOnly or Secure flags on cookies\n* Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).\n* Public zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case-by-case basis.\n* Tabnabbing\n* Issues that require unlikely user interaction\n* Open Redirects that are not chained into a more impactful vulnerability\n* Broken links in documentation\n\n# Stipulations\nTo be eligible for the Bug Bounty Program, you must not:\n* Be employed by Elastic or any subsidiary;\n* Be a former employee or contractor (including outsourced penetration tester) of Elastic or any subsidiary that has left the company less than `6` months ago.\n\n\n# Safe Harbor \nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. \n\nThank you for helping keep Elastic and our users safe!\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-04-21T17:38:00.480Z"},{"id":3668760,"new_policy":"The Elastic team appreciates the security community and shares the goal of keeping our businesses, customers, and the internet safe. Elastic values your efforts and promises to remain responsive; update you as your reports are triaged and remediated. We award bounty eligible reports at triage and hope to work together on an ongoing basis.\n\n\nElastic's bounty structure falls under two umbrellas: Product Vulnerabilities \u0026 Other. While we accept vulnerabilities on any assets that we own/control, we are _particularly_ interested in vulnerabilities in our products, and as such will pay significantly more as indicated in our bounty structure.\n\n##PRODUCT BUG BOUNTY AMOUNTS\n\nWe are specifically interested in any/all bugs related to the Elastic suite of products. Find an IDOR in Elasticsearch? Report it. Find an XSS in Kibana? Report it. 
If we wrote code with a bug in it, we want to know about it!\n\nOur code is [open](https://github.com/elastic) so use that to your advantage!\n\n\n| SEVERITY \t| REWARD \t| CVSS SCORE \t|\n|----------\t\t|------------\t\t| --------\t\t|\n| Critical \t\t| $3,000-$7,000\t\t| 9.0 - 10.0 \t|\n| High     \t\t| $1,500-$3,000\t\t| 7.0 - 8.9  \t|\n| Medium   \t| $700-$1,500  \t\t| 4.0 - 6.9  \t|\n| Low      \t\t| $150-$700   \t\t| 0.1 - 3.9  \t|\n\n##OTHER BOUNTY AMOUNTS\n\nAny other bugs that aren't specifically in one of our products (i.e., information disclosure on an insecure server, subdomain takeover, exposed API keys, etc.) will be paid according to the following table:\n\n| SEVERITY \t| REWARD \t| CVSS SCORE \t|\n|----------\t\t|------------\t\t| --------\t\t|\n| Critical \t\t| $800-$2,000  \t\t| 9.0 - 10.0 \t|\n| High     \t\t| $400-$800  \t\t| 7.0 - 8.9  \t|\n| Medium   \t| $200-$400   \t\t| 4.0 - 6.9  \t|\n| Low      \t\t| $100-$200   \t\t| 0.1 - 3.9  \t|\n\n##SPECIAL ACHIEVEMENTS\n\nThese achievements will rotate as our program grows/matures. So keep an eye out for new achievements!\n\n| ACHIEVEMENT \t| BONUS \t| Hacker \t|\n|----------\t\t|------------\t\t| --------\t\t|\n| **Regicide** - Displace the current leaderboard leader. Can only be claimed by each researcher once. 
\t\t| $1,000 \t\t| subhashx, d0xing, dee-see, alexbrasetvik \t|\n| **For Crying out Cloud** - Work around a fix for an existing bug on Cloud     \t\t| $200  \t\t|  \t|\n| **Elastic it to The Man** - Be the first hacker to achieve RCE on Cloud    \t| $5,000  \t\t|  alexbrasetvik \t|\n| **Master of Puppets** - Be the first hacker to achieve ATO on Cloud      \t\t| $5,000   \t\t|   \t|\n| **Space Invaders** - Give yourself access to a Kibana space which you don't have access to \t\t| $500 \t\t|  \t|\n| **Stairway to Seven** - Report 7 consecutive valid bugs     \t\t| $700  \t\t|  streaak, alexbrasetvik, dee-see, d0xing\t|\n| **Key-nesian Economics** - Find sensitive API keys/credentials committed in our source code  \t| $500  \t\t|   \t|\n|       \t\t|    \t\t|   \t|\n\n\n## ELASTIC BUG BOUNTY EVENTS!\n\nWe're excited to announce that we will be running regular events over the next year targeting specific products/vulnerabilities! These events will pay increased awards for qualifying vulnerabilities.\n\nWe are currently in-between events - stay tuned in the coming weeks for our next event announcement!\n\n\n## What we're interested in\n* Attacks that lead to compromise of Elastic user data\n* Widespread compromise of Elastic user accounts\n* Remote code execution on systems and applications\n* Access to administrator/superuser accounts\n* Arbitrary access to a user’s sensitive data/functionality\n* Kibana XSS and CSRF\n* Bypass JSM restrictions\n* Access to underlying containers\n* Access to unauthorized data as authenticated user\n* Privilege escalation as authenticated user to non superuser\n* Authenticated SSRF\n* Sites accepting authentication without https protections\n\n#Expectations\n* If you report a subdomain takeover, please document your findings in order to write the report.\n* Social engineering (e.g. 
phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\nScope\n* Our rewards are based on the severity of a vulnerability. Please note that reward decisions are up to the discretion of Elastic.\n\n\n#Disclosure\n* Let us know as soon as possible upon discovery of a potential security issue, and we’ll make every effort to quickly resolve the issue. \n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Follow HackerOne's disclosure guidelines.\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\nMultiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n\n##Out of scope\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. 
The following issues should be considered out of scope:\n* Clickjacking on pages with no sensitive actions\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Lack of rate limiting or brute-force issues\n* Missing best practices in Content Security Policy.\n* Missing HttpOnly or Secure flags on cookies\n* Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).\n* Public zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case-by-case basis.\n* Tabnabbing\n* Issues that require unlikely user interaction\n* Open Redirects that are not chained into a more impactful vulnerability\n* Broken links in documentation\n\n# Stipulations\nTo be eligible for the Bug Bounty Program, you must not:\n* Be employed by Elastic or any subsidiary;\n* Be a former employee or contractor (including outsourced penetration tester) of Elastic or any subsidiary that has left the company less than `6` months ago.\n\n\n# Safe Harbor \nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. \n\nThank you for helping keep Elastic and our users safe!\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-04-01T15:44:58.732Z"},{"id":3661796,"new_policy":"The Elastic team appreciates the security community and shares the goal of keeping our businesses, customers, and the internet safe. Elastic values your efforts and promises to remain responsive; update you as your reports are triaged and remediated. We award bounty eligible reports at triage and hope to work together on an ongoing basis.\n\n\nElastic's bounty structure falls under two umbrellas: Product Vulnerabilities \u0026 Other. While we accept vulnerabilities on any assets that we own/control, we are _particularly_ interested in vulnerabilities in our products, and as such will pay significantly more as indicated in our bounty structure.\n\n##PRODUCT BUG BOUNTY AMOUNTS\n\nWe are specifically interested in any/all bugs related to the Elastic suite of products. Find an IDOR in Elasticsearch? Report it. Find an XSS in Kibana? Report it. 
If we wrote code with a bug in it, we want to know about it!\n\nOur code is [open](https://github.com/elastic) so use that to your advantage!\n\n\n| SEVERITY \t| REWARD \t| CVSS SCORE \t|\n|----------\t\t|------------\t\t| --------\t\t|\n| Critical \t\t| $3,000-$7,000\t\t| 9.0 - 10.0 \t|\n| High     \t\t| $1,500-$3,000\t\t| 7.0 - 8.9  \t|\n| Medium   \t| $700-$1,500  \t\t| 4.0 - 6.9  \t|\n| Low      \t\t| $150-$700   \t\t| 0.1 - 3.9  \t|\n\n##OTHER BOUNTY AMOUNTS\n\nAny other bugs that aren't specifically in one of our products (i.e., information disclosure on an insecure server, subdomain takeover, exposed API keys, etc.) will be paid according to the following table:\n\n| SEVERITY \t| REWARD \t| CVSS SCORE \t|\n|----------\t\t|------------\t\t| --------\t\t|\n| Critical \t\t| $800-$2,000  \t\t| 9.0 - 10.0 \t|\n| High     \t\t| $400-$800  \t\t| 7.0 - 8.9  \t|\n| Medium   \t| $200-$400   \t\t| 4.0 - 6.9  \t|\n| Low      \t\t| $100-$200   \t\t| 0.1 - 3.9  \t|\n\n##SPECIAL ACHIEVEMENTS\n\nThese achievements will rotate as our program grows/matures. So keep an eye out for new achievements!\n\n| ACHIEVEMENT \t| BONUS \t| Hacker \t|\n|----------\t\t|------------\t\t| --------\t\t|\n| **Regicide** - Displace the current leaderboard leader. Can only be claimed by each researcher once. 
\t\t| $1,000 \t\t| subhashx, d0xing, dee-see, alexbrasetvik \t|\n| **For Crying out Cloud** - Work around a fix for an existing bug on Cloud     \t\t| $200  \t\t|  \t|\n| **Elastic it to The Man** - Be the first hacker to achieve RCE on Cloud    \t| $5,000  \t\t|  alexbrasetvik \t|\n| **Master of Puppets** - Be the first hacker to achieve ATO on Cloud      \t\t| $5,000   \t\t|   \t|\n| **Space Invaders** - Give yourself access to a Kibana space which you don't have access to \t\t| $500 \t\t|  \t|\n| **Stairway to Seven** - Report 7 consecutive valid bugs     \t\t| $700  \t\t|  streaak, alexbrasetvik, dee-see, d0xing\t|\n| **Key-nesian Economics** - Find sensitive API keys/credentials committed in our source code  \t| $500  \t\t|   \t|\n|       \t\t|    \t\t|   \t|\n\n\n## ELASTIC BUG BOUNTY EVENTS!\n\nWe're excited to announce that we will be running regular events over the next year targeting specific products/vulnerabilities! These events will pay increased awards for qualifying vulnerabilities.\n\nWe are currently in-between events - stay tuned in the coming weeks for our next event announcement!\n\n\n## What we're interested in\n* Attacks that lead to compromise of Elastic user data\n* Widespread compromise of Elastic user accounts\n* Remote code execution on systems and applications\n* Access to administrator/superuser accounts\n* Arbitrary access to a user’s sensitive data/functionality\n* Kibana XSS and CSRF\n* Bypass JSM restrictions\n* Access to underlying containers\n* Access to unauthorized data as authenticated user\n* Privilege escalation as authenticated user to non superuser\n* Authenticated SSRF\n* Sites accepting authentication without https protections\n\n#Expectations\n* If you report a subdomain takeover, please document your findings in order to write the report.\n* Social engineering (e.g. 
phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\nScope\n* Our rewards are based on the severity of a vulnerability. Please note that reward decisions are up to the discretion of Elastic.\n\n\n#Disclosure\n* Let us know as soon as possible upon discovery of a potential security issue, and we’ll make every effort to quickly resolve the issue. \n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Follow HackerOne's disclosure guidelines.\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\nMultiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n\n##Out of scope\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. 
The following issues should be considered out of scope:\n* Clickjacking on pages with no sensitive actions\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Any activity that could lead to the disruption of our service (DoS).\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Lack of rate limiting or brute-force issues\n* Missing best practices in Content Security Policy.\n* Missing HttpOnly or Secure flags on cookies\n* Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).\n* Public zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case-by-case basis.\n* Tabnabbing\n* Issues that require unlikely user interaction\n* Open Redirects that are not chained into a more impactful vulnerability\n* Broken links in documentation\n\n# Stipulations\nTo be eligible for the Bug Bounty Program, you must not:\n* Be employed by Elastic or any subsidiary;\n* Be a former employee or contractor (including outsourced penetration tester) of Elastic or any subsidiary that has left the company less than `6` months ago.\n\n\n# Safe Harbor \nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. \n\nThank you for helping keep Elastic and our users safe!\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-11-16T16:57:26.274Z"},{"id":3659016,"new_policy":"The Elastic team appreciates the security community and shares the goal of keeping our businesses, customers, and the internet safe. Elastic values your efforts and promises to remain responsive; update you as your reports are triaged and remediated. We award bounty eligible reports at triage and hope to work together on an ongoing basis.\n\n\nElastic's bounty structure falls under two umbrellas: Product Vulnerabilities \u0026 Other. While we accept vulnerabilities on any assets that we own/control, we are _particularly_ interested in vulnerabilities in our products, and as such will pay significantly more as indicated in our bounty structure.\n\n##PRODUCT BUG BOUNTY AMOUNTS\n\nWe are specifically interested in any/all bugs related to the Elastic suite of products. Find an IDOR in Elasticsearch? Report it. Find an XSS in Kibana? Report it. 
If we wrote code with a bug in it, we want to know about it!\n\nOur code is [open](https://github.com/elastic) so use that to your advantage!\n\n\n| SEVERITY \t| REWARD \t| CVSS SCORE \t|\n|----------\t\t|------------\t\t| --------\t\t|\n| Critical \t\t| $3,000-$7,000\t\t| 9.0 - 10.0 \t|\n| High     \t\t| $1,500-$3,000\t\t| 7.0 - 8.9  \t|\n| Medium   \t| $700-$1,500  \t\t| 4.0 - 6.9  \t|\n| Low      \t\t| $150-$700   \t\t| 0.1 - 3.9  \t|\n\n##OTHER BOUNTY AMOUNTS\n\nAny other bugs that aren't specifically in one of our products (i.e., information disclosure on an insecure server, subdomain takeover, exposed API keys, etc.) will be paid according to the following table:\n\n| SEVERITY \t| REWARD \t| CVSS SCORE \t|\n|----------\t\t|------------\t\t| --------\t\t|\n| Critical \t\t| $800-$2,000  \t\t| 9.0 - 10.0 \t|\n| High     \t\t| $400-$800  \t\t| 7.0 - 8.9  \t|\n| Medium   \t| $200-$400   \t\t| 4.0 - 6.9  \t|\n| Low      \t\t| $100-$200   \t\t| 0.1 - 3.9  \t|\n\n##SPECIAL ACHIEVEMENTS\n\nThese achievements will rotate as our program grows/matures. So keep an eye out for new achievements!\n\n| ACHIEVEMENT \t| BONUS \t| Hacker \t|\n|----------\t\t|------------\t\t| --------\t\t|\n| **Regicide** - Displace the current leaderboard leader. Can only be claimed by each researcher once. 
\t\t| $1,000 \t\t| subhashx, d0xing, dee-see, alexbrasetvik \t|\n| **For Crying out Cloud** - Work around a fix for an existing bug on Cloud     \t\t| $200  \t\t|  \t|\n| **Elastic it to The Man** - Be the first hacker to achieve RCE on Cloud    \t| $5,000  \t\t|  alexbrasetvik \t|\n| **Master of Puppets** - Be the first hacker to achieve ATO on Cloud      \t\t| $5,000   \t\t|   \t|\n| **Space Invaders** - Give yourself access to a Kibana space which you don't have access to \t\t| $500 \t\t|  \t|\n| **Stairway to Seven** - Report 7 consecutive valid bugs     \t\t| $700  \t\t|  streaak, alexbrasetvik, dee-see, d0xing\t|\n| **Key-nesian Economics** - Find sensitive API keys/credentials committed in our source code  \t| $500  \t\t|   \t|\n|       \t\t|    \t\t|   \t|\n\n\n## ELASTIC BUG BOUNTY EVENTS!\n\nWe're excited to announce that we will be running regular events over the next year targeting specific products/vulnerabilities! These events will pay increased awards for qualifying vulnerabilities.\n\nWe are currently in-between events - stay tuned in the coming weeks for our next event announcement!\n\n\n## What we're interested in\n* Attacks that lead to compromise of Elastic user data\n* Widespread compromise of Elastic user accounts\n* Remote code execution on systems and applications\n* Access to administrator/superuser accounts\n* Arbitrary access to a user’s sensitive data/functionality\n* Kibana XSS and CSRF\n* Bypass JSM restrictions\n* Access to underlying containers\n* Access to unauthorized data as authenticated user\n* Privilege escalation as authenticated user to non superuser\n* Authenticated SSRF\n* Sites accepting authentication without https protections\n\n#Expectations\n* If you report a subdomain takeover, please document your findings in order to write the report.\n* Social engineering (e.g. 
phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\nScope\n* Our rewards are based on the severity of a vulnerability. Please note that reward decisions are up to the discretion of Elastic.\n\n\n#Disclosure\n* Let us know as soon as possible upon discovery of a potential security issue, and we’ll make every effort to quickly resolve the issue. \n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Follow HackerOne's disclosure guidelines.\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\nMultiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n\n##Out of scope\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. 
The following issues should be considered out of scope:\n* Clickjacking on pages with no sensitive actions\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Any activity that could lead to the disruption of our service (DoS).\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Lack of rate limiting or brute-force issues\n* Missing best practices in Content Security Policy.\n* Missing HttpOnly or Secure flags on cookies\n* Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).\n* Public zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case-by-case basis.\n* Tabnabbing\n* Issues that require unlikely user interaction\n* Open Redirects that are not chained into a more impactful vulnerability\n\n# Stipulations\nTo be eligible for the Bug Bounty Program, you must not:\n* Be employed by Elastic or any subsidiary;\n* Be a former employee or contractor (including outsourced penetration tester) of Elastic or any subsidiary that has left the company less than `6` months ago.\n\n\n# Safe Harbor \nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. \n\nThank you for helping keep Elastic and our users safe!\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-09-29T16:47:17.159Z"},{"id":3656677,"new_policy":"The Elastic team appreciates the security community and shares the goal of keeping our businesses, customers, and the internet safe. Elastic values your efforts and promises to remain responsive; update you as your reports are triaged and remediated. We award bounty eligible reports at triage and hope to work together on an ongoing basis.\n\n\nElastic's bounty structure falls under two umbrellas: Product Vulnerabilities \u0026 Other. While we accept vulnerabilities on any assets that we own/control, we are _particularly_ interested in vulnerabilities in our products, and as such will pay significantly more as indicated in our bounty structure.\n\n##PRODUCT BUG BOUNTY AMOUNTS\n\nWe are specifically interested in any/all bugs related to the Elastic suite of products. Find an IDOR in Elasticsearch? Report it. Find an XSS in Kibana? Report it. 
If we wrote code with a bug in it, we want to know about it!\n\nOur code is [open](https://github.com/elastic) so use that to your advantage!\n\n\n| SEVERITY \t| REWARD \t| CVSS SCORE \t|\n|----------\t\t|------------\t\t| --------\t\t|\n| Critical \t\t| $3,000-$7,000\t\t| 9.0 - 10.0 \t|\n| High     \t\t| $1,500-$3,000\t\t| 7.0 - 8.9  \t|\n| Medium   \t| $700-$1,500   \t\t| 4.0 - 6.9  \t|\n| Low      \t\t| $150-$700   \t\t| 0.1 - 3.9  \t|\n\n##OTHER BOUNTY AMOUNTS\n\nAny other bugs that aren't specifically in one of our products (i.e. information disclosure on an insecure server, subdomain takeover, exposed API keys, etc.) will be paid on the following table:\n\n| SEVERITY \t| REWARD \t| CVSS SCORE \t|\n|----------\t\t|------------\t\t| --------\t\t|\n| Critical \t\t| $800-$2,000  \t\t| 9.0 - 10.0 \t|\n| High     \t\t| $400-$800  \t\t| 7.0 - 8.9  \t|\n| Medium   \t| $200-$400   \t\t| 4.0 - 6.9  \t|\n| Low      \t\t| $100-$200   \t\t| 0.1 - 3.9  \t|\n\n##SPECIAL ACHIEVEMENTS\n\nThese achievements will rotate as our program grows/matures. So keep an eye out for new achievements!\n\n| ACHIEVEMENT \t| BONUS \t| Hacker \t|\n|----------\t\t|------------\t\t| --------\t\t|\n| **Regicide** - Displace the current leaderboard leader. Can only be claimed by each researcher once. 
\t\t| $1,000 \t\t| subhashx , d0xing, dee-see, alexbrasetvik|\n| **For Crying out Cloud** - Work-around a fix for an existing bug on  Cloud     \t\t| $200  \t\t|  \t|\n| **Elastic it to The Man** - Be the first hacker to achieve RCE on Cloud    \t| $5,000  \t\t|  alexbrasetvik \t|\n| **Master of Puppets** - Be the first hacker to achieve ATO on Cloud      \t\t| $5,000   \t\t|   \t|\n| **Space Invaders** - Give yourself access to a Kibana space which you don't have access to \t\t| $500 \t\t|  \t|\n| **Stairway to Seven** - Report 7 consecutive valid bugs     \t\t| $700  \t\t|  streaak, alexbrasetvik, dee-see, d0xing\t|\n| **Key-nesian Economics** - Find sensitive API keys/credentials committed in our source code  \t| $500  \t\t|   \t|\n|       \t\t|    \t\t|   \t|\n\n\n## ELASTIC BUG BOUNTY EVENTS!\n\nWe're excited to announce that we will be running regular events over the next year targeting specific products/vulnerabilities! These events will pay increased awards for qualifying vulnerabilities.\n\nWe are currently in-between events - stay tuned in the coming weeks for our next event announcement!\n\n\n## What we're interested in\n* Attacks that lead to compromise of Elastic user data\n* Widespread compromise of Elastic user accounts\n* Remote code execution on systems and applications\n* Access to administrator/superuser accounts\n* Arbitrary access to a user’s sensitive data/functionality\n* Kibana XSS and CSRF\n* Bypass JSM restrictions\n* Access to underlying containers\n* Access to unauthorized data as authenticated user\n* Privilege escalation as authenticated user to non superuser\n* Authenticated SSRF\n* Sites accepting authentication without https protections\n\n#Expectations\n* If you report a subdomain takeover, please document your findings in order to write the report.\n* Social engineering (e.g. 
phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\nScope\n* Our rewards are based on the severity of a vulnerability. Please note that reward decisions are up to the discretion of Elastic.\n\n\n#Disclosure\n* Let us know as soon as possible upon discovery of a potential security issue, and we’ll make every effort to quickly resolve the issue. \n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Follow HackerOne's disclosure guidelines.\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\nMultiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n\n##Out of scope\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. 
The following issues should be considered out of scope:\n* Clickjacking on pages with no sensitive actions\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Any activity that could lead to the disruption of our service (DoS).\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Rate limiting or brute-force issues on non-authentication endpoints\n* Missing best practices in Content Security Policy.\n* Missing HttpOnly or Secure flags on cookies\n* Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).\n* Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.\n* Tabnabbing\n* Issues that require unlikely user interaction\n* Open Redirects that are not chained into a more impactful vulnerability\n\n# Stipulations\nTo be eligible for the Bug Bounty Program, you must not:\n* Be employed by Elastic or any subsidiary;\n* Be a former employee or contractor (including outsourced penetration tester) of Elastic or any subsidiary that has left the company less than `6` months ago.\n\n\n# Safe Harbor \nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. \n\nThank you for helping keep Elastic and our users safe!\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-08-11T15:39:32.059Z"},{"id":3656596,"new_policy":"The Elastic team appreciates the security community and shares the goal of keeping our businesses, customers, and the internet safe. Elastic values your efforts and promises to remain responsive; update you as your reports are triaged and remediated. We award bounty eligible reports at triage and hope to work together on an ongoing basis.\n\n\nElastic's bounty structure falls under two umbrellas: Product Vulnerabilities \u0026 Other. While we accept vulnerabilities on any assets that we own/control, we are _particularly_ interested in vulnerabilities in our products, and as such will pay significantly more as indicated in our bounty structure.\n\n##PRODUCT BUG BOUNTY AMOUNTS\n\nWe are specifically interested in any/all bugs related to the Elastic suite of products. Find an IDOR in Elasticsearch? Report it. Find an XSS in Kibana? Report it. 
If we wrote code with a bug in it, we want to know about it!\n\nWe're also entirely [open source](https://github.com/elastic) so use that to your advantage!\n\n\n| SEVERITY \t| REWARD \t| CVSS SCORE \t|\n|----------\t\t|------------\t\t| --------\t\t|\n| Critical \t\t| $3,000-$7,000\t\t| 9.0 - 10.0 \t|\n| High     \t\t| $1,500-$3,000\t\t| 7.0 - 8.9  \t|\n| Medium   \t| $700-$1,500   \t\t| 4.0 - 6.9  \t|\n| Low      \t\t| $150-$700   \t\t| 0.1 - 3.9  \t|\n\n##OTHER BOUNTY AMOUNTS\n\nAny other bugs that aren't specifically in one of our products (i.e. information disclosure on an insecure server, subdomain takeover, exposed API keys, etc.) will be paid on the following table:\n\n| SEVERITY \t| REWARD \t| CVSS SCORE \t|\n|----------\t\t|------------\t\t| --------\t\t|\n| Critical \t\t| $800-$2,000  \t\t| 9.0 - 10.0 \t|\n| High     \t\t| $400-$800  \t\t| 7.0 - 8.9  \t|\n| Medium   \t| $200-$400   \t\t| 4.0 - 6.9  \t|\n| Low      \t\t| $100-$200   \t\t| 0.1 - 3.9  \t|\n\n##SPECIAL ACHIEVEMENTS\n\nThese achievements will rotate as our program grows/matures. So keep an eye out for new achievements!\n\n| ACHIEVEMENT \t| BONUS \t| Hacker \t|\n|----------\t\t|------------\t\t| --------\t\t|\n| **Regicide** - Displace the current leaderboard leader. Can only be claimed by each researcher once. 
\t\t| $1,000 \t\t| subhashx , d0xing, dee-see, alexbrasetvik|\n| **For Crying out Cloud** - Work-around a fix for an existing bug on  Cloud     \t\t| $200  \t\t|  \t|\n| **Elastic it to The Man** - Be the first hacker to achieve RCE on Cloud    \t| $5,000  \t\t|  alexbrasetvik \t|\n| **Master of Puppets** - Be the first hacker to achieve ATO on Cloud      \t\t| $5,000   \t\t|   \t|\n| **Space Invaders** - Give yourself access to a Kibana space which you don't have access to \t\t| $500 \t\t|  \t|\n| **Stairway to Seven** - Report 7 consecutive valid bugs     \t\t| $700  \t\t|  streaak, alexbrasetvik, dee-see, d0xing\t|\n| **Key-nesian Economics** - Find sensitive API keys/credentials committed in our source code  \t| $500  \t\t|   \t|\n|       \t\t|    \t\t|   \t|\n\n\n## ELASTIC BUG BOUNTY EVENTS!\n\nWe're excited to announce that we will be running regular events over the next year targeting specific products/vulnerabilities! These events will pay increased awards for qualifying vulnerabilities.\n\nWe are currently in-between events - stay tuned in the coming weeks for our next event announcement!\n\n\n## What we're interested in\n* Attacks that lead to compromise of Elastic user data\n* Widespread compromise of Elastic user accounts\n* Remote code execution on systems and applications\n* Access to administrator/superuser accounts\n* Arbitrary access to a user’s sensitive data/functionality\n* Kibana XSS and CSRF\n* Bypass JSM restrictions\n* Access to underlying containers\n* Access to unauthorized data as authenticated user\n* Privilege escalation as authenticated user to non superuser\n* Authenticated SSRF\n* Sites accepting authentication without https protections\n\n#Expectations\n* If you report a subdomain takeover, please document your findings in order to write the report.\n* Social engineering (e.g. 
phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\nScope\n* Our rewards are based on the severity of a vulnerability. Please note that reward decisions are up to the discretion of Elastic.\n\n\n#Disclosure\n* Let us know as soon as possible upon discovery of a potential security issue, and we’ll make every effort to quickly resolve the issue. \n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Follow HackerOne's disclosure guidelines.\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\nMultiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n\n##Out of scope\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. 
The following issues should be considered out of scope:\n* Clickjacking on pages with no sensitive actions\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Any activity that could lead to the disruption of our service (DoS).\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Rate limiting or brute-force issues on non-authentication endpoints\n* Missing best practices in Content Security Policy.\n* Missing HttpOnly or Secure flags on cookies\n* Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).\n* Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.\n* Tabnabbing\n* Issues that require unlikely user interaction\n* Open Redirects that are not chained into a more impactful vulnerability\n\n# Stipulations\nTo be eligible for the Bug Bounty Program, you must not:\n* Be employed by Elastic or any subsidiary;\n* Be a former employee or contractor (including outsourced penetration tester) of Elastic or any subsidiary that has left the company less than `6` months ago.\n\n\n# Safe Harbor \nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. \n\nThank you for helping keep Elastic and our users safe!\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-08-10T20:01:44.031Z"}]