[{"id":3751525,"new_policy":"Evernote is the go-to app that helps millions of people worldwide remember everything and accomplish anything. It's important to us that our customer experience be both private and secure. We strive to keep abreast on the latest state-of-the-art security developments by working with security researchers and companies, and appreciate the community’s efforts in creating a more secure world.\n\n# Response Targets\nEvernote will try to meet the following response targets for hackers participating in our program:\n\n* Time to first response (from report submit) - 2 business days\n* Time to triage (from report submit) - 2 business days\n* Time to bounty (from triage) - 5 business days\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Terms\nBy participating in this program, you agree to the following:\n* **Do not exploit a vulnerability** - You will not exploit any vulnerability (including facilitating any third-party exploitation) beyond the minimal amount required to prove that a vulnerability existed or to identify an indicator related to a vulnerability. Do not download or otherwise store data you collect, access, or modify data that you do not own without the data owner’s express written consent (which you must produce upon request), or disrupt our products or services in a manner that can adversely affect other users. Do not access, alter, store, transfer, use, or otherwise interact with data beyond what is strictly needed to submit a good-faith report.\n* **Maintain confidentiality** - You will not discuss this program or any vulnerabilities (even resolved ones) outside of the program without Bending Spoons' written consent.\n* **Report inadvertent access** - Only interact with accounts you own, or with accounts for which you have the express written permission of the account holder. If you inadvertently access another person’s data or Bending Spoons’ data without authorization, promptly cease any activity that could lead to further access. Notify Bending Spoons about what information was accessed (including details of the contents), then immediately delete that information from your systems and confirm to Bending Spoons that you have done so. You may not share the inadvertently accessed information with anyone else. Continuing to access such data may disqualify you from the Safe Harbor protections. You must include an acknowledgment of the inadvertent access in your report.\n* **Respect the rules** - You will follow [HackerOne's disclosure guidelines](https://www.hackerone.com/disclosure-guidelines) and comply with all applicable laws in connection with your vulnerability research activities. You must not perform any attacks based on social engineering, distributed denial of service (or any attack using large volumes of requests), spam, or physical security.\n\n# Program Rules\n* Testing our support form and submitting tickets to support is strictly prohibited.\n* All automated scanning must include your H1 username in the `user agent` in order to be eligible for bounty.\n* All authenticated testing must be performed using @wearehackerone aliases.\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per-report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Network Level DDoS/DoS attacks are forbidden. Application volumetric DDoS/DoS attacks are forbidden. To prevent being locked out, please throttle automated testing.\n* Avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own, or with accounts for which you have the express written permission of the account holder.\n* You must not be a current or a former employee of Evernote or its subsidiaries or related entities.\n* You agree to cooperate with Evernote, including by answering any questions we may ask you in a timely manner and in good faith.\n\n# Test Plan\n* www.evernote.com (excluding evernote.com)\nhttps://www.evernote.com/Login.action is the major access point for our customers to use our service through web browsers. This domain also provides the backend APIs for our desktop and mobile clients. Feel free to create test accounts using your @wearehackerone alias. Please conduct your testing mainly on our production server as we have protection, such as rate limiting, enabled on production.\n* stage.evernote.com is the corresponding staging environment. For any accounts that may require payment information, this staging environment allows use of test credit card numbers: \nhttps://docs.adyen.com/development-resources/test-cards/test-card-numbers\n\n# Out of scope vulnerabilities\n### When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n \n* Clickjacking on pages with no sensitive actions.\n* Password, email and account policies, such as email id verification, reset link expiration, password complexity.\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions.\n* Self-XSS and issues exploitable only through Self-XSS.\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Any activity that could lead to the disruption of our service (DoS).\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.\n* Hosting malware/arbitrary content on Evernote and causing downloads.\n* Rate limiting or bruteforce issues on non-authentication endpoints.\n* Reports from automated tools or scans.\n* Reports of spam (i.e., any report involving ability to send emails without rate limits).\n* Login/Forgot Password page account bruteforce or account lockout not enforced.\n* Missing best practices in Content Security Policy or best practice security headers (Including Cross-Origin Resource and Host header issues).\n* Missing HttpOnly or Secure flags on cookies.\n* Presence of autocomplete attribute on web forms.\n* Any report that discusses how you can learn whether a given username, email address has a Evernote account.\n* Any access to data where the targeted user needs to be operating a rooted mobile device.\n* Any report on bypassing our storage limits etc. is out of scope.\n* Any report about DLL hijacking without demonstrating how it gains new privileges is also out of scope.\n* Absence of rate limiting, unless related to authentication.\n* IP/Port Scanning via Evernote services unless you are able to hit private IPs or Evernote servers.\n* Devices (ios, android, desktop apps) not getting unlinked on password or 2FA change.\n* Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.).\n* Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version].\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors, HTTP 404 codes/pages or other HTTP non-200 codes/pages).\n* Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.\n* Tabnabbing.\n* Open redirect - unless an additional security impact can be demonstrated.\n* Issues that require unlikely user interaction.\n* Third party hosted services.\n* Vulnerabilities that allow for users to use our products and services for free or for a cheaper price.\n* Broken links to external domains in our blog and marketing pages.\n* Reports that solely contain a list of compromised email, password pairs belonging to users without demonstrating the exploit used to obtain that list.\n\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Evernote and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-03-11T13:58:37.900Z"},{"id":3731040,"new_policy":"Evernote is the go-to app that helps millions of people worldwide remember everything and accomplish anything. It's important to us that our customer experience be both private and secure. We strive to keep abreast on the latest state-of-the-art security developments by working with security researchers and companies, and appreciate the community’s efforts in creating a more secure world.\n\n# Response Targets\nEvernote will try to meet the following response targets for hackers participating in our program:\n\n* Time to first response (from report submit) - 2 business days\n* Time to triage (from report submit) - 2 business days\n* Time to bounty (from triage) - 5 business days\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Terms\n* You must not discuss this program or any vulnerabilities (even resolved ones) outside of the program without the express written consent of Evernote.\n* You will only interact with your own account(s).\n* You will not exploit any vulnerability (including facilitating any third-party exploitation) beyond the minimal amount of testing required to prove that a vulnerability existed or to identify an indicator related to a vulnerability. You will not conduct testing outside of your own account(s) or another account for which you have the explicit written consent of the account owner to test. \n* You will not exfiltrate any data under any circumstances.\n* You will never attempt to access, modify, or use anyone else’s account or data. While investigating an issue, if you inadvertently access another person's data or Evernote data without authorization, you must promptly cease any activity that might result in further access of such data and notify Evernote of what information was accessed (including a full description of the contents of the information) and then immediately delete the information from your system and report to Evernote that you have done so. Continuing to access another person's data or Evernote data may demonstrate a lack of good faith and disqualify you from any benefit of the Safe Harbor outlined below. You must also acknowledge the inadvertent access in any related bug bounty report you submit. You may not share the inadvertently accessed information with anyone else.\n* You will not intentionally violate any applicable laws, including  laws prohibiting unauthorized access to data.\n* You will make a good faith effort to avoid privacy violations and disruptions to others, including unauthorized access to or destruction of data, interruption or degradation of our services, and harming the user experience. \n* You must follow this Evernote Bug Bounty Policy, [HackerOne's disclosure guidelines](https://www.hackerone.com/disclosure-guidelines), and any other relevant agreements. In case of any inconsistency, this policy takes precedence. \n\n# Program Rules\n* Testing our support form and submitting tickets to support is strictly prohibited.\n* All automated scanning must include your H1 username in the `user agent` in order to be eligible for bounty.\n* All authenticated testing must be performed using @wearehackerone aliases.\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per-report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Network Level DDoS/DoS attacks are forbidden. Application volumetric DDoS/DoS attacks are forbidden. To prevent being locked out, please throttle automated testing.\n* Avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own, or with accounts for which you have the express written permission of the account holder.\n* You must not be a current or a former employee of Evernote or its subsidiaries or related entities.\n* You agree to cooperate with Evernote, including by answering any questions we may ask you in a timely manner and in good faith.\n\n# Test Plan\n* www.evernote.com (excluding evernote.com)\nhttps://www.evernote.com/Login.action is the major access point for our customers to use our service through web browsers. This domain also provides the backend APIs for our desktop and mobile clients. Feel free to create test accounts using your @wearehackerone alias. Please conduct your testing mainly on our production server as we have protection, such as rate limiting, enabled on production.\n* stage.evernote.com is the corresponding staging environment. For any accounts that may require payment information, this staging environment allows use of test credit card numbers: \nhttps://docs.adyen.com/development-resources/test-cards/test-card-numbers\n\n# Out of scope vulnerabilities\n### When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n \n* Clickjacking on pages with no sensitive actions.\n* Password, email and account policies, such as email id verification, reset link expiration, password complexity.\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions.\n* Self-XSS and issues exploitable only through Self-XSS.\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Any activity that could lead to the disruption of our service (DoS).\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.\n* Hosting malware/arbitrary content on Evernote and causing downloads.\n* Rate limiting or bruteforce issues on non-authentication endpoints.\n* Reports from automated tools or scans.\n* Reports of spam (i.e., any report involving ability to send emails without rate limits).\n* Login/Forgot Password page account bruteforce or account lockout not enforced.\n* Missing best practices in Content Security Policy or best practice security headers (Including Cross-Origin Resource and Host header issues).\n* Missing HttpOnly or Secure flags on cookies.\n* Presence of autocomplete attribute on web forms.\n* Any report that discusses how you can learn whether a given username, email address has a Evernote account.\n* Any access to data where the targeted user needs to be operating a rooted mobile device.\n* Any report on bypassing our storage limits etc. is out of scope.\n* Any report about DLL hijacking without demonstrating how it gains new privileges is also out of scope.\n* Absence of rate limiting, unless related to authentication.\n* IP/Port Scanning via Evernote services unless you are able to hit private IPs or Evernote servers.\n* Devices (ios, android, desktop apps) not getting unlinked on password or 2FA change.\n* Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.).\n* Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version].\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors, HTTP 404 codes/pages or other HTTP non-200 codes/pages).\n* Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.\n* Tabnabbing.\n* Open redirect - unless an additional security impact can be demonstrated.\n* Issues that require unlikely user interaction.\n* Third party hosted services.\n* Vulnerabilities that allow for users to use our products and services for free or for a cheaper price.\n* Broken links to external domains in our blog and marketing pages.\n* Reports that solely contain a list of compromised email, password pairs belonging to users without demonstrating the exploit used to obtain that list.\n\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Evernote and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-06-26T14:33:12.839Z"},{"id":3706600,"new_policy":"Evernote is the go-to app that helps millions of people worldwide remember everything and accomplish anything. It's important to us that our customer experience be both private and secure. We strive to keep abreast on the latest state-of-the-art security developments by working with security researchers and companies, and appreciate the community’s efforts in creating a more secure world.\n\n# Response Targets\nEvernote will try to meet the following response targets for hackers participating in our program:\n\n* Time to first response (from report submit) - 2 business days\n* Time to triage (from report submit) - 2 business days\n* Time to bounty (from triage) - 5 business days\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Terms\n* You must not discuss this program or any vulnerabilities (even resolved ones) outside of the program without the express written consent of Evernote.\n* You will only interact with your own account(s).\n* You will not exploit any vulnerability (including facilitating any third-party exploitation) beyond the minimal amount of testing required to prove that a vulnerability existed or to identify an indicator related to a vulnerability. You will not conduct testing outside of your own account(s) or another account for which you have the explicit written consent of the account owner to test. \n* You will not exfiltrate any data under any circumstances.\n* You will never attempt to access, modify, or use anyone else’s account or data. While investigating an issue, if you inadvertently access another person's data or Evernote data without authorization, you must promptly cease any activity that might result in further access of such data and notify Evernote of what information was accessed (including a full description of the contents of the information) and then immediately delete the information from your system and report to Evernote that you have done so. Continuing to access another person's data or Evernote data may demonstrate a lack of good faith and disqualify you from any benefit of the Safe Harbor outlined below. You must also acknowledge the inadvertent access in any related bug bounty report you submit. You may not share the inadvertently accessed information with anyone else.\n* You will not intentionally violate any applicable laws, including  laws prohibiting unauthorized access to data.\n* You will make a good faith effort to avoid privacy violations and disruptions to others, including unauthorized access to or destruction of data, interruption or degradation of our services, and harming the user experience. \n* You must follow this Evernote Bug Bounty Policy, [HackerOne's disclosure guidelines](https://www.hackerone.com/disclosure-guidelines), and any other relevant agreements. In case of any inconsistency, this policy takes precedence. \n\n# Program Rules\n* All automated scanning must include your H1 username in the `user agent` in order to be eligible for bounty.\n* All authenticated testing must be performed using @wearehackerone aliases.\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per-report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Network Level DDoS/DoS attacks are forbidden. Application volumetric DDoS/DoS attacks are forbidden. To prevent being locked out, please throttle automated testing.\n* Avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own, or with accounts for which you have the express written permission of the account holder.\n* You must not be a current or a former employee of Evernote or its subsidiaries or related entities.\n* You agree to cooperate with Evernote, including by answering any questions we may ask you in a timely manner and in good faith.\n\n# Test Plan\n* www.evernote.com (excluding evernote.com)\nhttps://www.evernote.com/Login.action is the major access point for our customers to use our service through web browsers. This domain also provides the backend APIs for our desktop and mobile clients. Feel free to create test accounts using your @wearehackerone alias. Please conduct your testing mainly on our production server as we have protection, such as rate limiting, enabled on production.\n* stage.evernote.com is the corresponding staging environment. For any accounts that may require payment information, this staging environment allows use of test credit card numbers: \nhttps://docs.adyen.com/development-resources/test-cards/test-card-numbers\n\n# Out of scope vulnerabilities\n### When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n \n* Clickjacking on pages with no sensitive actions.\n* Password, email and account policies, such as email id verification, reset link expiration, password complexity.\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions.\n* Self-XSS and issues exploitable only through Self-XSS.\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Any activity that could lead to the disruption of our service (DoS).\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.\n* Hosting malware/arbitrary content on Evernote and causing downloads.\n* Rate limiting or bruteforce issues on non-authentication endpoints.\n* Reports from automated tools or scans.\n* Reports of spam (i.e., any report involving ability to send emails without rate limits).\n* Login/Forgot Password page account bruteforce or account lockout not enforced.\n* Missing best practices in Content Security Policy or best practice security headers (Including Cross-Origin Resource and Host header issues).\n* Missing HttpOnly or Secure flags on cookies.\n* Presence of autocomplete attribute on web forms.\n* Any report that discusses how you can learn whether a given username, email address has a Evernote account.\n* Any access to data where the targeted user needs to be operating a rooted mobile device.\n* Any report on bypassing our storage limits etc. is out of scope.\n* Any report about DLL hijacking without demonstrating how it gains new privileges is also out of scope.\n* Absence of rate limiting, unless related to authentication.\n* IP/Port Scanning via Evernote services unless you are able to hit private IPs or Evernote servers.\n* Devices (ios, android, desktop apps) not getting unlinked on password or 2FA change.\n* Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.).\n* Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version].\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors, HTTP 404 codes/pages or other HTTP non-200 codes/pages).\n* Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.\n* Tabnabbing.\n* Open redirect - unless an additional security impact can be demonstrated.\n* Issues that require unlikely user interaction.\n* Third party hosted services.\n* Vulnerabilities that allow for users to use our products and services for free or for a cheaper price.\n* Broken links to external domains in our blog and marketing pages.\n* Reports that solely contain a list of compromised email, password pairs belonging to users without demonstrating the exploit used to obtain that list.\n\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Evernote and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-11-06T10:25:38.858Z"},{"id":3706599,"new_policy":"Evernote is the go-to app that helps millions of people worldwide remember everything and accomplish anything. It's important to us that our customer experience be both private and secure. We strive to keep abreast on the latest state-of-the-art security developments by working with security researchers and companies, and appreciate the community’s efforts in creating a more secure world.\n\n# Response Targets\nEvernote will try to meet the following response targets for hackers participating in our program:\n\n* Time to first response (from report submit) - 2 business days\n* Time to triage (from report submit) - 2 business days\n* Time to bounty (from triage) - 5 business days\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Terms\n* You must not discuss this program or any vulnerabilities (even resolved ones) outside of the program without the express written consent of Evernote.\n* You will only interact with your own account(s).\n* You will not exploit any vulnerability (including facilitating any third-party exploitation) beyond the minimal amount of testing required to prove that a vulnerability existed or to identify an indicator related to a vulnerability. You will not conduct testing outside of your own account(s) or another account for which you have the explicit written consent of the account owner to test. \n* You will not exfiltrate any data under any circumstances.\n* You will never attempt to access, modify, or use anyone else’s account or data. While investigating an issue, if you inadvertently access another person's data or Evernote data without authorization, you must promptly cease any activity that might result in further access of such data and notify Evernote of what information was accessed (including a full description of the contents of the information) and then immediately delete the information from your system and report to Evernote that you have done so. Continuing to access another person's data or Evernote data may demonstrate a lack of good faith and disqualify you from any benefit of the Safe Harbor outlined below. You must also acknowledge the inadvertent access in any related bug bounty report you submit. You may not share the inadvertently accessed information with anyone else.\n* You will not intentionally violate any applicable laws, including  laws prohibiting unauthorized access to data.\n* You will make a good faith effort to avoid privacy violations and disruptions to others, including unauthorized access to or destruction of data, interruption or degradation of our services, and harming the user experience. \n* You must follow this Evernote Bug Bounty Policy, [HackerOne's disclosure guidelines](https://www.hackerone.com/disclosure-guidelines), and any other relevant agreements. In case of any inconsistency, this policy takes precedence. \n\n# Program Rules\n* All automated scanning must include your H1 username in the `user agent` in order to be eligible for bounty.\n* All authenticated testing must be performed using @wearehackerone aliases.\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per-report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Network Level DDoS/DoS attacks are forbidden. Application volumetric DDoS/DoS attacks are forbidden. To prevent being locked out, please throttle automated testing.\n* Avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own, or with accounts for which you have the express written permission of the account holder.\n* You must not be a current or a former employee of Evernote or its subsidiaries or related entities.\n* You agree to cooperate with Evernote, including by answering any questions we may ask you in a timely manner and in good faith.\n\n# Test Plan\n* www.evernote.com (excluding evernote.com)\nhttps://www.evernote.com/Login.action is the major access point for our customers to use our service through web browsers. This domain also provides the backend APIs for our desktop and mobile clients. Feel free to create test accounts using your @wearehackerone alias. Please conduct your testing mainly on our production server as we have protection, such as rate limiting, enabled on production.\n* stage.evernote.com is the corresponding staging environment. For any accounts that may require payment information, this staging environment allows use of test credit card numbers: \nhttps://docs.adyen.com/development-resources/test-cards/test-card-numbers\n\n# Out of scope vulnerabilities\n### When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n \n* Clickjacking on pages with no sensitive actions\n* Password, email and account policies, such as email id verification, reset link expiration, password complexity.\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n* Self-XSS and issues exploitable only through Self-XSS\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Any activity that could lead to the disruption of our service (DoS).\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Hosting malware/arbitrary content on Evernote and causing downloads.\n* Rate limiting or bruteforce issues on non-authentication endpoints\n* Reports from automated tools or scans.\n* Reports of spam (i.e., any report involving ability to send emails without rate limits).\n* Login/Forgot Password page account bruteforce or account lockout not enforced\n* Missing best practices in Content Security Policy or best practice security headers (Including Cross-Origin Resource and Host header issues)\n* Missing HttpOnly or Secure flags on cookies\n* Presence of autocomplete attribute on web forms.\n* Any report that discusses how you can learn whether a given username, email address has a Evernote account.\n* Any access to data where the targeted user needs to be operating a rooted mobile device.\n* Any report on bypassing our storage limits etc. is out of scope.\n* Any report about DLL hijacking without demonstrating how it gains new privileges is also out of scope.\n* Absence of rate limiting, unless related to authentication.\n* IP/Port Scanning via Evernote services unless you are able to hit private IPs or Evernote servers.\n* Devices (ios, android, desktop apps) not getting unlinked on password or 2FA change.\n* Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors, HTTP 404 codes/pages or other HTTP non-200 codes/pages)\n* Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.\n* Tabnabbing\n* Open redirect - unless an additional security impact can be demonstrated\n* Issues that require unlikely user interaction\n* Third party hosted services\n* Vulnerabilities that allow for users to use our products and services for free or for a cheaper price\n* Broken links to external domains in our blog and marketing pages\n* Reports that solely contain a list of compromised email, password pairs belonging to users without demonstrating the exploit used to obtain that list.\n\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Evernote and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-11-06T10:24:18.901Z"},{"id":3706598,"new_policy":"Evernote is the go-to app that helps millions of people worldwide remember everything and accomplish anything. It's important to us that our customer experience be both private and secure. We strive to keep abreast on the latest state-of-the-art security developments by working with security researchers and companies, and appreciate the community’s efforts in creating a more secure world.\n\n# Response Targets\nEvernote will try to meet the following response targets for hackers participating in our program:\n\n* Time to first response (from report submit) - 2 business days\n* Time to triage (from report submit) - 2 business days\n* Time to bounty (from triage) - 5 business days\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Terms\n* You must not discuss this program or any vulnerabilities (even resolved ones) outside of the program without the express written consent of Evernote.\n* You will only interact with your own account(s).\n* You will not exploit any vulnerability (including facilitating any third-party exploitation) beyond the minimal amount of testing required to prove that a vulnerability existed or to identify an indicator related to a vulnerability. You will not conduct testing outside of your own account(s) or another account for which you have the explicit written consent of the account owner to test. \n* You will not exfiltrate any data under any circumstances.\n* You will never attempt to access, modify, or use anyone else’s account or data. While investigating an issue, if you inadvertently access another person's data or Evernote data without authorization, you must promptly cease any activity that might result in further access of such data and notify Evernote of what information was accessed (including a full description of the contents of the information) and then immediately delete the information from your system and report to Evernote that you have done so. Continuing to access another person's data or Evernote data may demonstrate a lack of good faith and disqualify you from any benefit of the Safe Harbor outlined below. You must also acknowledge the inadvertent access in any related bug bounty report you submit. You may not share the inadvertently accessed information with anyone else.\n* You will not intentionally violate any applicable laws, including  laws prohibiting unauthorized access to data.\n* You will make a good faith effort to avoid privacy violations and disruptions to others, including unauthorized access to or destruction of data, interruption or degradation of our services, and harming the user experience. \n* You must follow this Evernote Bug Bounty Policy, [HackerOne's disclosure guidelines](https://www.hackerone.com/disclosure-guidelines), and any other relevant agreements. In case of any inconsistency, this policy takes precedence. \n\n# Program Rules\n* All automated scanning must include your H1 username in the `user agent` in order to be eligible for bounty.\n* All authenticated testing must be performed using @wearehackerone aliases.\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per-report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Network Level DDoS/DoS attacks are forbidden. Application volumetric DDoS/DoS attacks are forbidden. To prevent being locked out, please throttle automated testing.\n* Avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own, or with accounts for which you have the express written permission of the account holder.\n* You must not be a current or a former employee of Evernote or its subsidiaries or related entities.\n* You agree to cooperate with Evernote, including by answering any questions we may ask you in a timely manner and in good faith.\n\n# Test Plan\n* www.evernote.com (excluding evernote.com)\nhttps://www.evernote.com/Login.action is the major access point for our customers to use our service through web browsers. This domain also provides the backend APIs for our desktop and mobile clients. Feel free to create test accounts using your @wearehackerone alias. Please conduct your testing mainly on our production server as we have protection, such as rate limiting, enabled on production.\n* stage.evernote.com is the corresponding staging environment. For any accounts (Premium, Plus, Evernote Business) that may require payment information, this staging environment allows use of test credit card numbers: \nhttps://docs.adyen.com/development-resources/test-cards/test-card-numbers\n\n# Out of scope vulnerabilities\n### When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n \n* Clickjacking on pages with no sensitive actions\n* Password, email and account policies, such as email id verification, reset link expiration, password complexity.\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n* Self-XSS and issues exploitable only through Self-XSS\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Any activity that could lead to the disruption of our service (DoS).\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Hosting malware/arbitrary content on Evernote and causing downloads.\n* Rate limiting or bruteforce issues on non-authentication endpoints\n* Reports from automated tools or scans.\n* Reports of spam (i.e., any report involving ability to send emails without rate limits).\n* Login/Forgot Password page account bruteforce or account lockout not enforced\n* Missing best practices in Content Security Policy or best practice security headers (Including Cross-Origin Resource and Host header issues)\n* Missing HttpOnly or Secure flags on cookies\n* Presence of autocomplete attribute on web forms.\n* Any report that discusses how you can learn whether a given username, email address has a Evernote account.\n* Any access to data where the targeted user needs to be operating a rooted mobile device.\n* Any report on bypassing our storage limits etc. is out of scope.\n* Any report about DLL hijacking without demonstrating how it gains new privileges is also out of scope.\n* Absence of rate limiting, unless related to authentication.\n* IP/Port Scanning via Evernote services unless you are able to hit private IPs or Evernote servers.\n* Devices (ios, android, desktop apps) not getting unlinked on password or 2FA change.\n* Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors, HTTP 404 codes/pages or other HTTP non-200 codes/pages)\n* Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.\n* Tabnabbing\n* Open redirect - unless an additional security impact can be demonstrated\n* Issues that require unlikely user interaction\n* Third party hosted services\n* Vulnerabilities that allow for users to use our products and services for free or for a cheaper price\n* Broken links to external domains in our blog and marketing pages\n* Reports that solely contain a list of compromised email, password pairs belonging to users without demonstrating the exploit used to obtain that list.\n\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Evernote and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-11-06T10:22:54.811Z"},{"id":3706510,"new_policy":"Evernote is the go-to app that helps millions of people worldwide remember everything and accomplish anything. It's important to us that our customer experience be both private and secure. We strive to keep abreast on the latest state-of-the-art security developments by working with security researchers and companies, and appreciate the community’s efforts in creating a more secure world.\n\n# Response Targets\nEvernote will try to meet the following response targets for hackers participating in our program:\n\n* Time to first response (from report submit) - 2 business days\n* Time to triage (from report submit) - 2 business days\n* Time to bounty (from triage) - 5 business days\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Terms\n* You must not discuss this program or any vulnerabilities (even resolved ones) outside of the program without the express written consent of Evernote.\n* You will only interact with your own account(s).\n* You will not exploit any vulnerability (including facilitating any third-party exploitation) beyond the minimal amount of testing required to prove that a vulnerability existed or to identify an indicator related to a vulnerability. You will not conduct testing outside of your own account(s) or another account for which you have the explicit written consent of the account owner to test. \n* You will not exfiltrate any data under any circumstances.\n* You will never attempt to access, modify, or use anyone else’s account or data. While investigation an issue, if you inadvertently access another person's data or Evernote data without authorization, you must promptly cease any activity that might result in further access of such data and notify Evernote of what information was accessed (including a full description of the contents of the information) and then immediately delete the information from your system and report to Evernote that you have done so. Continuing to access another person's data or Evernote data may demonstrate a lack of good faith and disqualify you from any benefit of the Safe Harbor outlined below. You must also acknowledge the inadvertent access in any related bug bounty report you submit. You may not share the inadvertently accessed information with anyone else.\n* You will not intentionally violate any applicable laws, including  laws prohibiting unauthorized access to data.\n* You will make a good faith effort to avoid privacy violations and disruptions to others, including unauthorized access to or destruction of data, interruption or degradation of our services, and harming the user experience. \n* You must follow this Evernote Bug Bounty Policy, HackerOne's disclosure guidelines, and any other relevant agreements. In case of any inconsistency, this policy takes precedence. \n\n# Program Rules\n* All automated scanning must include your H1 username in the `user agent` in order to be eligible for bounty.\n* All authenticated testing must be performed using @wearehackerone aliases.\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per-report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Network Level DDoS/DoS attacks are forbidden. Application volumetric DDoS/DoS attacks are forbidden. To prevent being locked out, please throttle automated testing.\n* Avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own, or with accounts for which you have the express written permission of the account holder.\n* You must not be a current or a former employee of Evernote or its subsidiaries or related entities.\n* You agree to cooperate with Evernote, including by answering any questions we may ask you in a timely manner and in good faith.\n\n# Test Plan\n* www.evernote.com (excluding evernote.com)\nhttps://www.evernote.com/Login.action is the major access point for our customers to use our service through web browsers. This domain also provides the backend APIs for our desktop and mobile clients. Feel free to create test accounts using your @wearehackerone alias. Please conduct your testing mainly on our production server as we have protection, such as rate limiting, enabled on production.\n* stage.evernote.com is the corresponding staging environment. For any accounts (Premium, Plus, Evernote Business) that may require payment information, this staging environment allows use of test credit card numbers: \nhttps://docs.adyen.com/development-resources/test-cards/test-card-numbers\n\n# Out of scope vulnerabilities\n### When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n \n* Clickjacking on pages with no sensitive actions\n* Password, email and account policies, such as email id verification, reset link expiration, password complexity.\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n* Self-XSS and issues exploitable only through Self-XSS\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Any activity that could lead to the disruption of our service (DoS).\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Hosting malware/arbitrary content on Evernote and causing downloads.\n* Rate limiting or bruteforce issues on non-authentication endpoints\n* Reports from automated tools or scans.\n* Reports of spam (i.e., any report involving ability to send emails without rate limits).\n* Login/Forgot Password page account bruteforce or account lockout not enforced\n* Missing best practices in Content Security Policy or best practice security headers (Including Cross-Origin Resource and Host header issues)\n* Missing HttpOnly or Secure flags on cookies\n* Presence of autocomplete attribute on web forms.\n* Any report that discusses how you can learn whether a given username, email address has a Evernote account.\n* Any access to data where the targeted user needs to be operating a rooted mobile device.\n* Any report on bypassing our storage limits etc. is out of scope.\n* Any report about DLL hijacking without demonstrating how it gains new privileges is also out of scope.\n* Absence of rate limiting, unless related to authentication.\n* IP/Port Scanning via Evernote services unless you are able to hit private IPs or Evernote servers.\n* Devices (ios, android, desktop apps) not getting unlinked on password or 2FA change.\n* Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors, HTTP 404 codes/pages or other HTTP non-200 codes/pages)\n* Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.\n* Tabnabbing\n* Open redirect - unless an additional security impact can be demonstrated\n* Issues that require unlikely user interaction\n* Third party hosted services\n* Vulnerabilities that allow for users to use our products and services for free or for a cheaper price\n* Broken links to external domains in our blog and marketing pages\n* Reports that solely contain a list of compromised email, password pairs belonging to users without demonstrating the exploit used to obtain that list.\n\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Evernote and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-11-04T13:30:05.264Z"},{"id":3706509,"new_policy":"# Evernote Bug Bounty Policy\nEvernote is the go-to app that helps millions of people worldwide remember everything and accomplish anything. It's important to us that our customer experience be both private and secure. We strive to keep abreast on the latest state-of-the-art security developments by working with security researchers and companies, and appreciate the community’s efforts in creating a more secure world.\n\n# Response Targets\nEvernote will try to meet the following response targets for hackers participating in our program:\n\n* Time to first response (from report submit) - 2 business days\n* Time to triage (from report submit) - 2 business days\n* Time to bounty (from triage) - 5 business days\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Terms\n* You must not discuss this program or any vulnerabilities (even resolved ones) outside of the program without the express written consent of Evernote.\n* You will only interact with your own account(s).\n* You will not exploit any vulnerability (including facilitating any third-party exploitation) beyond the minimal amount of testing required to prove that a vulnerability existed or to identify an indicator related to a vulnerability. You will not conduct testing outside of your own account(s) or another account for which you have the explicit written consent of the account owner to test. \n* You will not exfiltrate any data under any circumstances.\n* You will never attempt to access, modify, or use anyone else’s account or data. While investigation an issue, if you inadvertently access another person's data or Evernote data without authorization, you must promptly cease any activity that might result in further access of such data and notify Evernote of what information was accessed (including a full description of the contents of the information) and then immediately delete the information from your system and report to Evernote that you have done so. Continuing to access another person's data or Evernote data may demonstrate a lack of good faith and disqualify you from any benefit of the Safe Harbor outlined below. You must also acknowledge the inadvertent access in any related bug bounty report you submit. You may not share the inadvertently accessed information with anyone else.\n* You will not intentionally violate any applicable laws, including  laws prohibiting unauthorized access to data.\n* You will make a good faith effort to avoid privacy violations and disruptions to others, including unauthorized access to or destruction of data, interruption or degradation of our services, and harming the user experience. \n* You must follow this Evernote Bug Bounty Policy, HackerOne's disclosure guidelines, and any other relevant agreements. In case of any inconsistency, this policy takes precedence. \n\n# Program Rules\n* All automated scanning must include your H1 username in the `user agent` in order to be eligible for bounty.\n* All authenticated testing must be performed using @wearehackerone aliases.\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per-report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Network Level DDoS/DoS attacks are forbidden. Application volumetric DDoS/DoS attacks are forbidden. To prevent being locked out, please throttle automated testing.\n* Avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own, or with accounts for which you have the express written permission of the account holder.\n* You must not be a current or a former employee of Evernote or its subsidiaries or related entities.\n* You agree to cooperate with Evernote, including by answering any questions we may ask you in a timely manner and in good faith.\n\n# Test Plan\n* www.evernote.com (excluding evernote.com)\nhttps://www.evernote.com/Login.action is the major access point for our customers to use our service through web browsers. This domain also provides the backend APIs for our desktop and mobile clients. Feel free to create test accounts using your @wearehackerone alias. Please conduct your testing mainly on our production server as we have protection, such as rate limiting, enabled on production.\n* stage.evernote.com is the corresponding staging environment. For any accounts (Premium, Plus, Evernote Business) that may require payment information, this staging environment allows use of test credit card numbers: \nhttps://docs.adyen.com/development-resources/test-cards/test-card-numbers\n\n# Out of scope vulnerabilities\n### When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n \n* Clickjacking on pages with no sensitive actions\n* Password, email and account policies, such as email id verification, reset link expiration, password complexity.\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n* Self-XSS and issues exploitable only through Self-XSS\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Any activity that could lead to the disruption of our service (DoS).\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Hosting malware/arbitrary content on Evernote and causing downloads.\n* Rate limiting or bruteforce issues on non-authentication endpoints\n* Reports from automated tools or scans.\n* Reports of spam (i.e., any report involving ability to send emails without rate limits).\n* Login/Forgot Password page account bruteforce or account lockout not enforced\n* Missing best practices in Content Security Policy or best practice security headers (Including Cross-Origin Resource and Host header issues)\n* Missing HttpOnly or Secure flags on cookies\n* Presence of autocomplete attribute on web forms.\n* Any report that discusses how you can learn whether a given username, email address has a Evernote account.\n* Any access to data where the targeted user needs to be operating a rooted mobile device.\n* Any report on bypassing our storage limits etc. is out of scope.\n* Any report about DLL hijacking without demonstrating how it gains new privileges is also out of scope.\n* Absence of rate limiting, unless related to authentication.\n* IP/Port Scanning via Evernote services unless you are able to hit private IPs or Evernote servers.\n* Devices (ios, android, desktop apps) not getting unlinked on password or 2FA change.\n* Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors, HTTP 404 codes/pages or other HTTP non-200 codes/pages)\n* Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.\n* Tabnabbing\n* Open redirect - unless an additional security impact can be demonstrated\n* Issues that require unlikely user interaction\n* Third party hosted services\n* Vulnerabilities that allow for users to use our products and services for free or for a cheaper price\n* Broken links to external domains in our blog and marketing pages\n* Reports that solely contain a list of compromised email, password pairs belonging to users without demonstrating the exploit used to obtain that list.\n\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Evernote and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-11-04T13:29:01.559Z"},{"id":3698275,"new_policy":"Evernote is the go-to app that helps millions of people worldwide remember everything and accomplish anything. It's important to us that our customer experience be both private and secure. We strive to keep abreast on the latest state-of-the-art security developments by working with security researchers and companies, and appreciate the community’s efforts in creating a more secure world.\n\n# Response Targets\nEvernote will try to meet the following response targets for hackers participating in our program:\n\n* Time to first response (from report submit) - 2 business days\n* Time to triage (from report submit) - 2 business days\n* Time to bounty (from triage) - 5 business days\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Policy\n* This is a private program, and you must not discuss this program or any vulnerabilities (even resolved ones) outside of the program without the express written consent of Evernote.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n\n# Program Rules\n* All automated scanning must include your H1 username in the `user agent` in order to be eligible for bounty.\n* All authenticated testing must be performed using @wearehackerone aliases.\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per-report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Network Level DDoS/DoS attacks are forbidden. Application volumetric DDoS/DoS attacks are forbidden. To prevent being locked out, please throttle automated testing.\n* Avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own, or with accounts for which you have the express written permission of the account holder.\n* You must not be a current or a former employee of Evernote or its subsidiaries or related entities.\n\n# Test Plan\n* www.evernote.com (excluding evernote.com)\nhttps://www.evernote.com/Login.action is the major access point for our customers to use our service through web browsers. This domain also provides the backend APIs for our desktop and mobile clients. Feel free to create test accounts using your @wearehackerone alias. Please conduct your testing mainly on our production server as we have protection, such as rate limiting, enabled on production.\n* stage.evernote.com is the corresponding staging environment. For any accounts (Premium, Plus, Evernote Business) that may require payment information, this staging environment allows use of test credit card numbers: \nhttps://docs.adyen.com/development-resources/test-cards/test-card-numbers\n\n# Out of scope vulnerabilities\n### When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n \n* Clickjacking on pages with no sensitive actions\n* Password, email and account policies, such as email id verification, reset link expiration, password complexity.\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n* Self-XSS and issues exploitable only through Self-XSS\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Any activity that could lead to the disruption of our service (DoS).\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Hosting malware/arbitrary content on Evernote and causing downloads.\n* Rate limiting or bruteforce issues on non-authentication endpoints\n* Reports from automated tools or scans.\n* Reports of spam (i.e., any report involving ability to send emails without rate limits).\n* Login/Forgot Password page account bruteforce or account lockout not enforced\n* Missing best practices in Content Security Policy or best practice security headers (Including Cross-Origin Resource and Host header issues)\n* Missing HttpOnly or Secure flags on cookies\n* Presence of autocomplete attribute on web forms.\n* Any report that discusses how you can learn whether a given username, email address has a Evernote account.\n* Any access to data where the targeted user needs to be operating a rooted mobile device.\n* Any report on bypassing our storage limits etc. is out of scope.\n* Any report about DLL hijacking without demonstrating how it gains new privileges is also out of scope.\n* Absence of rate limiting, unless related to authentication.\n* IP/Port Scanning via Evernote services unless you are able to hit private IPs or Evernote servers.\n* Devices (ios, android, desktop apps) not getting unlinked on password or 2FA change.\n* Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors, HTTP 404 codes/pages or other HTTP non-200 codes/pages)\n* Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.\n* Tabnabbing\n* Open redirect - unless an additional security impact can be demonstrated\n* Issues that require unlikely user interaction\n* Third party hosted services\n* Vulnerabilities that allow for users to use our products and services for free or for a cheaper price\n* Broken links to external domains in our blog and marketing pages\n* Reports that solely contain a list of compromised email, password pairs belonging to users without demonstrating the exploit used to obtain that list.\n\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Evernote and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-07-14T18:21:25.905Z"},{"id":3698274,"new_policy":"Evernote is the go-to app that helps millions of people worldwide remember everything and accomplish anything. It's important to us that our customer experience be both private and secure. We strive to keep abreast on the latest state-of-the-art security developments by working with security researchers and companies, and appreciate the community’s efforts in creating a more secure world.\n\n# Response Targets\nEvernote will try to meet the following response targets for hackers participating in our program:\n\n* Time to first response (from report submit) - 2 business days\n* Time to triage (from report submit) - 2 business days\n* Time to bounty (from triage) - 5 business days\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Policy\n* This is a private program, and you must not discuss this program or any vulnerabilities (even resolved ones) outside of the program without the express written consent of Evernote.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n\n# Program Rules\n* All automated scanning must include your H1 username in the `user agent` in order to be eligible for bounty.\n* All authenticated testing must be performed using @wearehackerone aliases.\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per-report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Network Level DDoS/DoS attacks are forbidden. Application volumetric DDoS/DoS attacks are forbidden. To prevent being locked out, please throttle automated testing.\n* Avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own, or with accounts for which you have the express written permission of the account holder.\n* You must not be a current or a former employee of Evernote or its subsidiaries or related entities.\n\n# Test Plan\n* www.evernote.com (excluding evernote.com)\nhttps://www.evernote.com/Login.action is the major access point for our customers to use our service through web browsers. This domain also provides the backend APIs for our desktop and mobile clients. Feel free to create test accounts using your @wearehackerone alias. Please conduct your testing mainly on our production server as we have protection, such as rate limiting, enabled on production.\n* stage.evernote.com is the corresponding staging environment. For any accounts (Premium, Plus, Evernote Business) that may require payment information, this staging environment allows use of test credit card numbers: \nhttps://docs.adyen.com/development-resources/test-cards/test-card-numbers\n\n# Out of scope vulnerabilities\n### When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n \n* Clickjacking on pages with no sensitive actions\n* Password, email and account policies, such as email id verification, reset link expiration, password complexity.\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n* Self-XSS and issues exploitable only through Self-XSS\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Any activity that could lead to the disruption of our service (DoS).\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Hosting malware/arbitrary content on Evernote and causing downloads.\n* Rate limiting or bruteforce issues on non-authentication endpoints\n* Reports from automated tools or scans.\n* Reports of spam (i.e., any report involving ability to send emails without rate limits).\n* Login/Forgot Password page account bruteforce or account lockout not enforced\n* Missing best practices in Content Security Policy or best practice security headers (Including Cross-Origin Resource and Host header issues)\n* Missing HttpOnly or Secure flags on cookies\n* Presence of autocomplete attribute on web forms.\n* Any report that discusses how you can learn whether a given username, email address has a Evernote account.\n* Any access to data where the targeted user needs to be operating a rooted mobile device.\n* Any report on bypassing our storage limits etc. is out of scope.\n* Any report about DLL hijacking without demonstrating how it gains new privileges is also out of scope.\n* Absence of rate limiting, unless related to authentication.\n* IP/Port Scanning via Evernote services unless you are able to hit private IPs or Evernote servers.\n* Devices (ios, android, desktop apps) not getting unlinked on password or 2FA change.\n* Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors, HTTP 404 codes/pages or other HTTP non-200 codes/pages)\n* Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.\n* Tabnabbing\n* Open redirect - unless an additional security impact can be demonstrated\n* Issues that require unlikely user interaction\n* Third party hosted services\n* Vulnerabilities that allow for users to use our products and services for free or for a cheaper price\n* Broken links to external domains in our blog and marketing pages\n* Reports that solely contain a list of compromised email, password pairs belonging to users without demonstrating the exploit used to harvest that list.\n\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Evernote and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-07-14T18:21:11.094Z"},{"id":3697708,"new_policy":"Evernote is the go-to app that helps millions of people worldwide remember everything and accomplish anything. It's important to us that our customer experience be both private and secure. We strive to keep abreast on the latest state-of-the-art security developments by working with security researchers and companies, and appreciate the community’s efforts in creating a more secure world.\n\n# Response Targets\nEvernote will try to meet the following response targets for hackers participating in our program:\n\n* Time to first response (from report submit) - 2 business days\n* Time to triage (from report submit) - 2 business days\n* Time to bounty (from triage) - 5 business days\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Policy\n* This is a private program, and you must not discuss this program or any vulnerabilities (even resolved ones) outside of the program without the express written consent of Evernote.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n\n# Program Rules\n* All automated scanning must include your H1 username in the `user agent` in order to be eligible for bounty.\n* All authenticated testing must be performed using @wearehackerone aliases.\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per-report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Network Level DDoS/DoS attacks are forbidden. Application volumetric DDoS/DoS attacks are forbidden. To prevent being locked out, please throttle automated testing.\n* Avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own, or with accounts for which you have the express written permission of the account holder.\n* You must not be a current or a former employee of Evernote or its subsidiaries or related entities.\n\n# Test Plan\n* www.evernote.com (excluding evernote.com)\nhttps://www.evernote.com/Login.action is the major access point for our customers to use our service through web browsers. This domain also provides the backend APIs for our desktop and mobile clients. Feel free to create test accounts using your @wearehackerone alias. Please conduct your testing mainly on our production server as we have protection, such as rate limiting, enabled on production.\n* stage.evernote.com is the corresponding staging environment. For any accounts (Premium, Plus, Evernote Business) that may require payment information, this staging environment allows use of test credit card numbers: \nhttps://docs.adyen.com/development-resources/test-cards/test-card-numbers\n\n# Out of scope vulnerabilities\n### When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n \n* Clickjacking on pages with no sensitive actions\n* Password, email and account policies, such as email id verification, reset link expiration, password complexity.\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n* Self-XSS and issues exploitable only through Self-XSS\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Any activity that could lead to the disruption of our service (DoS).\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Hosting malware/arbitrary content on Evernote and causing downloads.\n* Rate limiting or bruteforce issues on non-authentication endpoints\n* Reports from automated tools or scans.\n* Reports of spam (i.e., any report involving ability to send emails without rate limits).\n* Login/Forgot Password page account bruteforce or account lockout not enforced\n* Missing best practices in Content Security Policy or best practice security headers (Including Cross-Origin Resource and Host header issues)\n* Missing HttpOnly or Secure flags on cookies\n* Presence of autocomplete attribute on web forms.\n* Any report that discusses how you can learn whether a given username, email address has a Evernote account.\n* Any access to data where the targeted user needs to be operating a rooted mobile device.\n* Any report on bypassing our storage limits etc. is out of scope.\n* Any report about DLL hijacking without demonstrating how it gains new privileges is also out of scope.\n* Absence of rate limiting, unless related to authentication.\n* IP/Port Scanning via Evernote services unless you are able to hit private IPs or Evernote servers.\n* Devices (ios, android, desktop apps) not getting unlinked on password or 2FA change.\n* Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors, HTTP 404 codes/pages or other HTTP non-200 codes/pages)\n* Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.\n* Tabnabbing\n* Open redirect - unless an additional security impact can be demonstrated\n* Issues that require unlikely user interaction\n* Third party hosted services\n* Vulnerabilities that allow for users to use our products and services for free or for a cheaper price\n* Broken links to external domains in our blog and marketing pages\n\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Evernote and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-07-12T12:03:35.546Z"},{"id":3684129,"new_policy":"Evernote is the go-to app that helps millions of people worldwide remember everything and accomplish anything. It's important to us that our customer experience be both private and secure. We strive to keep abreast on the latest state-of-the-art security developments by working with security researchers and companies, and appreciate the community’s efforts in creating a more secure world.\n\n# Response Targets\nEvernote will try to meet the following response targets for hackers participating in our program:\n\n* Time to first response (from report submit) - 2 business days\n* Time to triage (from report submit) - 2 business days\n* Time to bounty (from triage) - 5 business days\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Policy\n* This is a private program, and you must not discuss this program or any vulnerabilities (even resolved ones) outside of the program without the express written consent of Evernote.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n\n# Program Rules\n* All automated scanning must include your H1 username in the `user agent` in order to be eligible for bounty.\n* All authenticated testing must be performed using @wearehackerone aliases.\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per-report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Network Level DDoS/DoS attacks are forbidden. Application volumetric DDoS/DoS attacks are forbidden. To prevent being locked out, please throttle automated testing.\n* Avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own, or with accounts for which you have the express written permission of the account holder.\n* You must not be employed by Evernote or its subsidiaries or related entities.\n\n# Test Plan\n* www.evernote.com (excluding evernote.com)\nhttps://www.evernote.com/Login.action is the major access point for our customers to use our service through web browsers. This domain also provides the backend APIs for our desktop and mobile clients. Feel free to create test accounts using your @wearehackerone alias. Please conduct your testing mainly on our production server as we have protection, such as rate limiting, enabled on production.\n* stage.evernote.com is the corresponding staging environment. For any accounts (Premium, Plus, Evernote Business) that may require payment information, this staging environment allows use of test credit card numbers: \nhttps://docs.adyen.com/development-resources/test-cards/test-card-numbers\n\n# Out of scope vulnerabilities\n### When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n \n* Clickjacking on pages with no sensitive actions\n* Password, email and account policies, such as email id verification, reset link expiration, password complexity.\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n* Self-XSS and issues exploitable only through Self-XSS\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Any activity that could lead to the disruption of our service (DoS).\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Hosting malware/arbitrary content on Evernote and causing downloads.\n* Rate limiting or bruteforce issues on non-authentication endpoints\n* Reports from automated tools or scans.\n* Reports of spam (i.e., any report involving ability to send emails without rate limits).\n* Login/Forgot Password page account bruteforce or account lockout not enforced\n* Missing best practices in Content Security Policy or best practice security headers (Including Cross-Origin Resource and Host header issues)\n* Missing HttpOnly or Secure flags on cookies\n* Presence of autocomplete attribute on web forms.\n* Any report that discusses how you can learn whether a given username, email address has a Evernote account.\n* Any access to data where the targeted user needs to be operating a rooted mobile device.\n* Any report on bypassing our storage limits etc. is out of scope.\n* Any report about DLL hijacking without demonstrating how it gains new privileges is also out of scope.\n* Absence of rate limiting, unless related to authentication.\n* IP/Port Scanning via Evernote services unless you are able to hit private IPs or Evernote servers.\n* Devices (ios, android, desktop apps) not getting unlinked on password or 2FA change.\n* Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors, HTTP 404 codes/pages or other HTTP non-200 codes/pages)\n* Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.\n* Tabnabbing\n* Open redirect - unless an additional security impact can be demonstrated\n* Issues that require unlikely user interaction\n* Third party hosted services\n* Vulnerabilities that allow for users to use our products and services for free or for a cheaper price\n* Broken links to external domains in our blog and marketing pages\n\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Evernote and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-02-27T16:43:40.857Z"},{"id":3683208,"new_policy":"Evernote is the go-to app that helps millions of people worldwide remember everything and accomplish anything. It's important to us that our customer experience be both private and secure. We strive to keep abreast on the latest state-of-the-art security developments by working with security researchers and companies, and appreciate the community’s efforts in creating a more secure world.\n\n# Response Targets\nEvernote will try to meet the following response targets for hackers participating in our program:\n\n* Time to first response (from report submit) - 2 business days\n* Time to triage (from report submit) - 2 business days\n* Time to bounty (from triage) - 5 business days\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Policy\n* This is a private program, and you must not discuss this program or any vulnerabilities (even resolved ones) outside of the program without the express written consent of Evernote.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n\n# Program Rules\n* All automated scanning must include your H1 username in the `user agent` in order to be eligible for bounty.\n* All authenticated testing must be performed using @wearehackerone aliases.\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per-report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Network Level DDoS/DoS attacks are forbidden. Application volumetric DDoS/DoS attacks are forbidden. To prevent being locked out, please throttle automated testing.\n* Avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own, or with accounts for which you have the express written permission of the account holder.\n* You must not be employed by Evernote or its subsidiaries or related entities.\n\n# Test Plan\n* www.evernote.com (excluding evernote.com)\nhttps://www.evernote.com/Login.action is the major access point for our customers to use our service through web browsers. This domain also provides the backend APIs for our desktop and mobile clients. Feel free to create test accounts using your @wearehackerone alias. Please conduct your testing mainly on our production server as we have protection, such as rate limiting, enabled on production.\n* stage.evernote.com is the corresponding staging environment. For any accounts (Premium, Plus, Evernote Business) that may require payment information, this staging environment allows use of test credit card numbers: \nhttps://docs.adyen.com/development-resources/test-cards/test-card-numbers\n\n# Out of scope vulnerabilities\n### When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n \n* Clickjacking on pages with no sensitive actions\n* Password, email and account policies, such as email id verification, reset link expiration, password complexity.\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n* Self-XSS and issues exploitable only through Self-XSS\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Any activity that could lead to the disruption of our service (DoS).\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Hosting malware/arbitrary content on Evernote and causing downloads.\n* Rate limiting or bruteforce issues on non-authentication endpoints\n* Reports from automated tools or scans.\n* Reports of spam (i.e., any report involving ability to send emails without rate limits).\n* Login/Forgot Password page account bruteforce or account lockout not enforced\n* Missing best practices in Content Security Policy or best practice security headers (Including Cross-Origin Resource and Host header issues)\n* Missing HttpOnly or Secure flags on cookies\n* Presence of autocomplete attribute on web forms.\n* Any report that discusses how you can learn whether a given username, email address has a Evernote account.\n* Any access to data where the targeted user needs to be operating a rooted mobile device.\n* Any report on bypassing our storage limits etc. is out of scope.\n* Any report about DLL hijacking without demonstrating how it gains new privileges is also out of scope.\n* Absence of rate limiting, unless related to authentication.\n* IP/Port Scanning via Evernote services unless you are able to hit private IPs or Evernote servers.\n* Devices (ios, android, desktop apps) not getting unlinked on password or 2FA change.\n* Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors, HTTP 404 codes/pages or other HTTP non-200 codes/pages)\n* Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.\n* Tabnabbing\n* Open redirect - unless an additional security impact can be demonstrated\n* Issues that require unlikely user interaction\n* Third party hosted services\n* Vulnerabilities that allow for users to use our products and services for free or for a cheaper price\n\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Evernote and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-02-08T20:09:29.246Z"},{"id":3660088,"new_policy":"Evernote is the go-to app that helps millions of people worldwide remember everything and accomplish anything. It's important to us that our customer experience be both private and secure. We strive to keep abreast on the latest state-of-the-art security developments by working with security researchers and companies, and appreciate the community’s efforts in creating a more secure world.\n\n# Response Targets\nEvernote will try to meet the following response targets for hackers participating in our program:\n\n* Time to first response (from report submit) - 2 business days\n* Time to triage (from report submit) - 2 business days\n* Time to bounty (from triage) - 5 business days\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Policy\n* This is a private program, and you must not discuss this program or any vulnerabilities (even resolved ones) outside of the program without the express written consent of Evernote.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n\n# Program Rules\n* All automated scanning must include your H1 username in the `user agent` in order to be eligible for bounty.\n* All authenticated testing must be performed using @wearehackerone aliases.\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per-report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Network Level DDoS/DoS attacks are forbidden. Application volumetric DDoS/DoS attacks are forbidden. To prevent being locked out, please throttle automated testing.\n* Avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own, or with accounts for which you have the express written permission of the account holder.\n* You must not be employed by Evernote or its subsidiaries or related entities.\n\n# Test Plan\n* www.evernote.com (excluding evernote.com)\nhttps://www.evernote.com/Login.action is the major access point for our customers to use our service through web browsers. This domain also provides the backend APIs for our desktop and mobile clients. Feel free to create test accounts using your @wearehackerone alias. Please conduct your testing mainly on our production server as we have protection, such as rate limiting, enabled on production.\n* stage.evernote.com is the corresponding staging environment. For any accounts (Premium, Plus, Evernote Business) that may require payment information, this staging environment allows use of test credit card numbers: \nhttps://docs.adyen.com/development-resources/test-cards/test-card-numbers\n\n# Out of scope vulnerabilities\n### When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n \n* Clickjacking on pages with no sensitive actions\n* Password, email and account policies, such as email id verification, reset link expiration, password complexity.\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n* Self-XSS and issues exploitable only through Self-XSS\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Any activity that could lead to the disruption of our service (DoS).\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Hosting malware/arbitrary content on Evernote and causing downloads.\n* Rate limiting or bruteforce issues on non-authentication endpoints\n* Reports from automated tools or scans.\n* Reports of spam (i.e., any report involving ability to send emails without rate limits).\n* Login/Forgot Password page account bruteforce or account lockout not enforced\n* Missing best practices in Content Security Policy or best practice security headers (Including Cross-Origin Resource and Host header issues)\n* Missing HttpOnly or Secure flags on cookies\n* Presence of autocomplete attribute on web forms.\n* Any report that discusses how you can learn whether a given username, email address has a Evernote account.\n* Any access to data where the targeted user needs to be operating a rooted mobile device.\n* Any report on bypassing our storage limits etc. is out of scope.\n* Any report about DLL hijacking without demonstrating how it gains new privileges is also out of scope.\n* Absence of rate limiting, unless related to authentication.\n* IP/Port Scanning via Evernote services unless you are able to hit private IPs or Evernote servers.\n* Devices (ios, android, desktop apps) not getting unlinked on password or 2FA change.\n* Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors, HTTP 404 codes/pages or other HTTP non-200 codes/pages)\n* Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.\n* Tabnabbing\n* Open redirect - unless an additional security impact can be demonstrated\n* Issues that require unlikely user interaction\n* Third party hosted services\n\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Evernote and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-10-15T18:31:12.192Z"}]