[{"id":3768694,"new_policy":"# Disclosure Policy\n* Please do not discuss any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Ask the program team before submitting vulnerabilities on assets that have not been explicitly listed in the program scope. Submissions will be accepted and reviewed by the team only if the asset is confirmed to be Verily-owned.\n* Social engineering (e.g., phishing, vishing, smishing) is prohibited.\n* Attacks that affect the availability of Verily's services such as denial-of-service attacks are prohibited. Please avoid using scanners or vulnerability testing tools that generate high volumes of traffic to avoid being flagged by our monitoring systems.\n* Using tools that perform DNS brute forcing of any kind is prohibited.\n* Leveraging black hat SEO techniques, spamming people, breaking and entering into Verily offices are also prohibited. \n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n* Vulnerability disclosures that do not qualify for rewards through this program include URL redirections, vulnerabilities requiring unlikely or impractical user interaction steps, \"logout\" cross-site request forgery, banner or version information leaks, and user enumeration. \n* Only interact with accounts you own or with the explicit permission of the account holder.\n* The following subdomains are excluded from this program's scope - \"enroll.onduo.com\" and \"helix.verily.com\".\n\n# Test Plan\n* Users are able to sign up for free accounts through some of our in-scope domains and mobile apps. We do not provide credentials for testing at this time.\n* Please use your **hacker email alias** (e.g. h1username@wearehackerone.com) when testing.\n\n# Session Layer: HTTP Headers\nResearchers should add headers to requests such as: \n* “X-HackerOne-Research: [H1 username]\"\n\nThank you for helping keep Verily and our users safe!\n","has_open_scope":null,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"Verily is committed to building trust and protecting the privacy and security of our users, customers and partners. We look forward to working with the security research community to discover and address vulnerabilities in our products.","platform_standards_exclusions":[],"exemplary_standards_exclusions":["LEAKED_CREDENTIALS"],"scope_exclusions":["{\"category\":\"Excluded endpoints\",\"details\":\"\\\"helix.verily.com\\\" and \\\"enroll.onduo.com\\\" are excluded from this program's scope. Contact forms endpoints such as https://verily.com/contact-us and https://verily.com/solutions/public-health/wastewater/contact are also not in scope for this program.\"}","{\"category\":\"Subdomain takeover issues\",\"details\":\"Reports related to stale DNS records, subdomain takeovers or dangling IPs are out-of-scope for this program and will not be rewarded. Verily is working on an internal DNS hygiene solution to resolve these issues.\"}"],"timestamp":"2026-01-23T08:26:28.281Z"},{"id":3766528,"new_policy":"# Disclosure Policy\n* Please do not discuss any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Ask the program team before submitting vulnerabilities on assets that have not been explicitly listed in the program scope. Submissions will be accepted and reviewed by the team only if the asset is confirmed to be Verily-owned.\n* Social engineering (e.g., phishing, vishing, smishing) is prohibited.\n* Attacks that affect the availability of Verily's services such as denial-of-service attacks are prohibited. Please avoid using scanners or vulnerability testing tools that generate high volumes of traffic to avoid being flagged by our monitoring systems.\n* Using tools that perform DNS brute forcing of any kind is prohibited.\n* Leveraging black hat SEO techniques, spamming people, breaking and entering into Verily offices are also prohibited. \n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n* Vulnerability disclosures that do not qualify for rewards through this program include URL redirections, vulnerabilities requiring unlikely or impractical user interaction steps, \"logout\" cross-site request forgery, banner or version information leaks, and user enumeration. \n* Only interact with accounts you own or with the explicit permission of the account holder.\n* The following subdomains are excluded from this program's scope - \"enroll.onduo.com\" and \"helix.verily.com\".\n\n# Test Plan\n* Users are able to sign up for free accounts through some of our in-scope domains and mobile apps. We do not provide credentials for testing at this time.\n* Please use your **hacker email alias** (e.g. h1username@wearehackerone.com) when testing.\n\n# Session Layer: HTTP Headers\nResearchers should add headers to requests such as: \n* “X-HackerOne-Research: [H1 username]\n\nThank you for helping keep Verily and our users safe!\n","has_open_scope":null,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"Verily is committed to building trust and protecting the privacy and security of our users, customers and partners. We look forward to working with the security research community to discover and address vulnerabilities in our products.","platform_standards_exclusions":[],"exemplary_standards_exclusions":["LEAKED_CREDENTIALS"],"scope_exclusions":["{\"category\":\"Excluded endpoints\",\"details\":\"\\\"helix.verily.com\\\" and \\\"enroll.onduo.com\\\" are excluded from this program's scope. Contact forms endpoints such as https://verily.com/contact-us and https://verily.com/solutions/public-health/wastewater/contact are also not in scope for this program.\"}","{\"category\":\"Subdomain takeover issues\",\"details\":\"Reports related to stale DNS records, subdomain takeovers or dangling IPs are out-of-scope for this program and will not be rewarded. Verily is working on an internal DNS hygiene solution to resolve these issues.\"}"],"timestamp":"2025-11-24T18:50:01.062Z"},{"id":3764698,"new_policy":"# Disclosure Policy\n* Please do not discuss any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Ask the program team before submitting vulnerabilities on assets that have not been explicitly listed in the program scope. Submissions will be accepted and reviewed by the team only if the asset is confirmed to be Verily-owned.\n* Social engineering (e.g., phishing, vishing, smishing) is prohibited.\n* Attacks that affect the availability of Verily's services such as denial-of-service attacks are prohibited. Please avoid using scanners or vulnerability testing tools that generate high volumes of traffic to avoid being flagged by our monitoring systems.\n* Using tools that perform DNS brute forcing of any kind is prohibited.\n* Leveraging black hat SEO techniques, spamming people, breaking and entering into Verily offices are also prohibited. \n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n* Vulnerability disclosures that do not qualify for rewards through this program include URL redirections, vulnerabilities requiring unlikely or impractical user interaction steps, \"logout\" cross-site request forgery, banner or version information leaks, and user enumeration. \n* Only interact with accounts you own or with the explicit permission of the account holder.\n* The following subdomains are excluded from this program's scope - \"enroll.onduo.com\" and \"helix.verily.com\".\n\n# Test Plan\n* Users are able to sign up for free accounts through some of our in-scope domains and mobile apps. We do not provide credentials for testing at this time.\n* Please use your **hacker email alias** (e.g. h1username@wearehackerone.com) when testing.\n\n# Session Layer: HTTP Headers\nResearchers should add headers to requests such as: \n* “X-HackerOne-Research: [H1 username]\n\nThank you for helping keep Verily and our users safe!\n","has_open_scope":null,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"Welcome! Verily is committed to building trust and protecting the privacy and security of our users, customers and partners. We look forward to working with the security research community to discover and address vulnerabilities in our products.","platform_standards_exclusions":[],"exemplary_standards_exclusions":["LEAKED_CREDENTIALS"],"scope_exclusions":["{\"category\":\"Recent acquisitions\",\"details\":\"Newly acquired companies are subject to a six-month blackout period to allow for reviews. Bugs reported sooner than that will not qualify for rewards.\"}","{\"category\":\"Third-party websites\",\"details\":\"Verily-branded services hosted on third-party domains may be operated by our vendors or partners. We can’t authorize you to test these systems on behalf of their owners and will not reward bugs found on these systems. Please examine domain and IP WHOIS records to confirm or reach out to us!\"}","{\"category\":\"Excluded endpoints\",\"details\":\"\\\"helix.verily.com\\\" and \\\"enroll.onduo.com\\\" are excluded from this program's scope. Contact forms endpoints such as https://verily.com/contact-us and https://verily.com/solutions/public-health/wastewater/contact are also not in scope for this program.\"}","{\"category\":\"Subdomain takeover issues\",\"details\":\"Reports related to stale DNS records, subdomain takeovers or dangling IPs are out-of-scope for this program and will not be rewarded. Verily is working on an internal DNS hygiene solution to resolve these issues.\"}"],"timestamp":"2025-10-15T21:41:07.091Z"},{"id":3751291,"new_policy":"# Disclosure Policy\n* Please do not discuss any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Ask the program team before submitting vulnerabilities on assets that have not been explicitly listed in the program scope. Submissions will be accepted and reviewed by the team only if the asset is confirmed to be Verily-owned.\n* Social engineering (e.g., phishing, vishing, smishing) is prohibited.\n* Attacks that affect the availability of Verily's services such as denial-of-service attacks are prohibited. Please avoid using scanners or vulnerability testing tools that generate high volumes of traffic to avoid being flagged by our monitoring systems.\n* Using tools that perform DNS brute forcing of any kind is prohibited.\n* Leveraging black hat SEO techniques, spamming people, breaking and entering into Verily offices are also prohibited. \n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n* Vulnerability disclosures that do not qualify for rewards through this program include URL redirections, vulnerabilities requiring unlikely or impractical user interaction steps, \"logout\" cross-site request forgery, banner or version information leaks, and user enumeration. \n* Only interact with accounts you own or with the explicit permission of the account holder.\n* The following subdomains are excluded from this program's scope - \"enroll.onduo.com\" and \"helix.verily.com\".\n\n# Test Plan\n* Users are able to sign up for free accounts through some of our in-scope domains and mobile apps. We do not provide credentials for testing at this time.\n* Please use your **hacker email alias** (e.g. h1username@wearehackerone.com) when testing.\n\n# Session Layer: HTTP Headers\nResearchers should add headers to requests such as: \n* “X-HackerOne-Research: [H1 username]\n\nThank you for helping keep Verily and our users safe!\n","has_open_scope":null,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"Welcome! Verily is committed to building trust and protecting the privacy and security of our users, customers and partners. We look forward to working with the security research community to discover and address vulnerabilities in our products.","platform_standards_exclusions":[],"exemplary_standards_exclusions":["LEAKED_CREDENTIALS"],"scope_exclusions":["{\"category\":\"Recent acquisitions\",\"details\":\"Newly acquired companies are subject to a six-month blackout period to allow for reviews. Bugs reported sooner than that will not qualify for rewards.\"}","{\"category\":\"Third-party websites\",\"details\":\"Verily-branded services hosted on third-party domains may be operated by our vendors or partners. We can’t authorize you to test these systems on behalf of their owners and will not reward bugs found on these systems. Please examine domain and IP WHOIS records to confirm or reach out to us!\"}","{\"category\":\"Excluded endpoints\",\"details\":\"\\\"helix.verily.com\\\" and \\\"enroll.onduo.com\\\" are excluded from this program's scope. Contact forms endpoints such as https://verily.com/contact-us and https://verily.com/solutions/public-health/wastewater/contact are also not in scope for this program.\"}"],"timestamp":"2025-03-05T23:09:28.379Z"},{"id":3750510,"new_policy":"# Disclosure Policy\n* Please do not discuss any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Ask the program team before submitting vulnerabilities on assets that have not been explicitly listed in the program scope. Submissions will be accepted and reviewed by the team only if the asset is confirmed to be Verily-owned.\n* Social engineering (e.g., phishing, vishing, smishing) is prohibited.\n* Attacks that affect the availability of Verily's services such as denial-of-service attacks are prohibited. Please avoid using scanners or vulnerability testing tools that generate high volumes of traffic to avoid being flagged by our monitoring systems.\n* Using tools that perform DNS brute forcing of any kind is prohibited.\n* Leveraging black hat SEO techniques, spamming people, breaking and entering into Verily offices are also prohibited. \n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n* Vulnerability disclosures that do not qualify for rewards through this program include URL redirections, vulnerabilities requiring unlikely or impractical user interaction steps, \"logout\" cross-site request forgery, banner or version information leaks, and user enumeration. \n* Only interact with accounts you own or with the explicit permission of the account holder.\n* The following subdomains are excluded from this program's scope - \"enroll.onduo.com\" and \"helix.verily.com\".\n\n# Test Plan\n* Users are able to sign up for free accounts through some of our in-scope domains and mobile apps. We do not provide credentials for testing at this time.\n* Please use your **hacker email alias** (e.g. h1username@wearehackerone.com) when testing.\n\n# Session Layer: HTTP Headers\nResearchers should add headers to requests such as: \n* “X-HackerOne-Research: [H1 username]\n\nThank you for helping keep Verily and our users safe!\n","has_open_scope":null,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"Welcome! Verily is committed to building trust and protecting the privacy and security of our users, customers and partners. We look forward to working with the security research community to discover and address vulnerabilities in our products.","platform_standards_exclusions":[],"exemplary_standards_exclusions":["LEAKED_CREDENTIALS"],"scope_exclusions":["{\"category\":\"Recent acquisitions\",\"details\":\"Newly acquired companies are subject to a six-month blackout period to allow for reviews. Bugs reported sooner than that will not qualify for rewards.\"}","{\"category\":\"Third-party websites\",\"details\":\"Verily-branded services hosted on third-party domains may be operated by our vendors or partners. We can’t authorize you to test these systems on behalf of their owners and will not reward bugs found on these systems. Please examine domain and IP WHOIS records to confirm or reach out to us!\"}","{\"category\":\"Excluded endpoints\",\"details\":\"\\\"helix.verily.com\\\" and \\\"enroll.onduo.com\\\" are excluded from this program's scope.\"}"],"timestamp":"2025-02-19T18:41:54.260Z"},{"id":3750018,"new_policy":"# Disclosure Policy\n* Please do not discuss any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Ask the program team before submitting vulnerabilities on assets that have not been explicitly listed in the program scope. Submissions will be accepted and reviewed by the team only if the asset is confirmed to be Verily-owned.\n* Social engineering (e.g., phishing, vishing, smishing) is prohibited.\n* Attacks that affect the availability of Verily's services such as denial-of-service attacks are prohibited. Please avoid using scanners or vulnerability testing tools that generate high volumes of traffic to avoid being flagged by our monitoring systems.\n* Using tools that perform DNS brute forcing of any kind is prohibited.\n* Leveraging black hat SEO techniques, spamming people, breaking and entering into Verily offices are also prohibited. \n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n* Vulnerability disclosures that do not qualify for rewards through this program include URL redirections, vulnerabilities requiring unlikely or impractical user interaction steps, \"logout\" cross-site request forgery, banner or version information leaks, and user enumeration. \n* Only interact with accounts you own or with the explicit permission of the account holder.\n* The following subdomains are excluded from this program's scope - \"enroll.onduo.com\" and \"helix.verily.com\".\n\n# Test Plan\n* Users are able to sign up for free accounts through some of our in-scope domains and mobile apps. We do not provide credentials for testing at this time.\n* Please use your **hacker email alias** (e.g. h1username@wearehackerone.com) when testing.\n\n# Session Layer: HTTP Headers\nResearchers should add headers to requests such as: \n* “X-HackerOne-Research: [H1 username]\n\nThank you for helping keep Verily and our users safe!\n","has_open_scope":null,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"Welcome! Verily is committed to building trust and protecting the privacy and security of our users, customers and partners. We look forward to working with the security research community to discover and address vulnerabilities in our products.","platform_standards_exclusions":[],"exemplary_standards_exclusions":["LEAKED_CREDENTIALS"],"scope_exclusions":["{\"category\":\"Recent acquisitions\",\"details\":\"Newly acquired companies are subject to a six-month blackout period to allow for reviews. Bugs reported sooner than that will not qualify for rewards.\"}","{\"category\":\"Third-party websites\",\"details\":\"Verily-branded services hosted on third-party domains may be operated by our vendors or partners. We can’t authorize you to test these systems on behalf of their owners and will not reward bugs found on these systems. Please examine domain and IP WHOIS records to confirm or reach out to us!\"}","{\"category\":\"Excluded endpoints\",\"details\":\"\\\"enroll.onduo.com\\\" is excluded from this program's scope. Testing is prohibited on this subdomain and any related reports will not be accepted.\"}"],"timestamp":"2025-02-11T23:33:39.237Z"},{"id":3749156,"new_policy":"# Disclosure Policy\n* Please do not discuss any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Ask the program team before submitting vulnerabilities on assets that have not been explicitly listed in the program scope. Submissions will be accepted and reviewed by the team only if the asset is confirmed to be Verily-owned.\n* Social engineering (e.g., phishing, vishing, smishing) is prohibited.\n* Attacks that affect the availability of Verily's services such as denial-of-service attacks are prohibited. Please avoid using scanners or vulnerability testing tools that generate high volumes of traffic to avoid being flagged by our monitoring systems.\n* Using tools that perform DNS brute forcing of any kind is prohibited.\n* Leveraging black hat SEO techniques, spamming people, breaking and entering into Verily offices are also prohibited. \n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n* Vulnerability disclosures that do not qualify for rewards through this program include URL redirections, vulnerabilities requiring unlikely or impractical user interaction steps, \"logout\" cross-site request forgery, banner or version information leaks, and user enumeration. \n* Only interact with accounts you own or with the explicit permission of the account holder.\n* The following endpoints are excluded from this program's scope - \"https://enroll.onduo.com/insurance_support\".\n\n# Test Plan\n* Users are able to sign up for free accounts through some of our in-scope domains and mobile apps. We do not provide credentials for testing at this time.\n* Please use your **hacker email alias** (e.g. h1username@wearehackerone.com) when testing.\n\n# Session Layer: HTTP Headers\nResearchers should add headers to requests such as: \n* “X-HackerOne-Research: [H1 username]\n\nThank you for helping keep Verily and our users safe!\n","has_open_scope":null,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"Welcome! Verily is committed to building trust and protecting the privacy and security of our users, customers and partners. We look forward to working with the security research community to discover and address vulnerabilities in our products.","platform_standards_exclusions":[],"exemplary_standards_exclusions":["LEAKED_CREDENTIALS"],"scope_exclusions":["{\"category\":\"Recent acquisitions\",\"details\":\"Newly acquired companies are subject to a six-month blackout period to allow for reviews. Bugs reported sooner than that will not qualify for rewards.\"}","{\"category\":\"Third-party websites\",\"details\":\"Verily-branded services hosted on third-party domains may be operated by our vendors or partners. We can’t authorize you to test these systems on behalf of their owners and will not reward bugs found on these systems. Please examine domain and IP WHOIS records to confirm or reach out to us!\"}","{\"category\":\"Excluded endpoints\",\"details\":\"\\\"enroll.onduo.com\\\" is excluded from this program's scope. Testing is prohibited on this subdomain and any related reports will not be accepted.\"}"],"timestamp":"2025-01-30T22:23:36.052Z"},{"id":3749140,"new_policy":"# Disclosure Policy\n* Please do not discuss any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Ask the program team before submitting vulnerabilities on assets that have not been explicitly listed in the program scope. Submissions will be accepted and reviewed by the team only if the asset is confirmed to be Verily-owned.\n* Social engineering (e.g., phishing, vishing, smishing) is prohibited.\n* Attacks that affect the availability of Verily's services such as denial-of-service attacks are prohibited. Please avoid using scanners or vulnerability testing tools that generate high volumes of traffic to avoid being flagged by our monitoring systems.\n* Using tools that perform DNS brute forcing of any kind is prohibited.\n* Leveraging black hat SEO techniques, spamming people, breaking and entering into Verily offices are also prohibited. \n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n* Vulnerability disclosures that do not qualify for rewards through this program include URL redirections, vulnerabilities requiring unlikely or impractical user interaction steps, \"logout\" cross-site request forgery, banner or version information leaks, and user enumeration. \n* Only interact with accounts you own or with the explicit permission of the account holder.\n* The following endpoints are excluded from this program's scope - \"https://enroll.onduo.com/insurance_support\".\n\n# Test Plan\n* Users are able to sign up for free accounts through some of our in-scope domains and mobile apps. We do not provide credentials for testing at this time.\n* Please use your **hacker email alias** (e.g. h1username@wearehackerone.com) when testing.\n\n# Session Layer: HTTP Headers\nResearchers should add headers to requests such as: \n* “X-HackerOne-Research: [H1 username]\n\nThank you for helping keep Verily and our users safe!\n","has_open_scope":null,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"Welcome! Verily is committed to building trust and protecting the privacy and security of our users, customers and partners. We look forward to working with the security research community to discover and address vulnerabilities in our products.","platform_standards_exclusions":[],"exemplary_standards_exclusions":["LEAKED_CREDENTIALS"],"scope_exclusions":["{\"category\":\"Recent acquisitions\",\"details\":\"Newly acquired companies are subject to a six-month blackout period to allow for reviews. Bugs reported sooner than that will not qualify for rewards.\"}","{\"category\":\"Third-party websites\",\"details\":\"Verily-branded services hosted on third-party domains may be operated by our vendors or partners. We can’t authorize you to test these systems on behalf of their owners and will not reward bugs found on these systems. Please examine domain and IP WHOIS records to confirm or reach out to us!\"}","{\"category\":\"Excluded endpoints\",\"details\":\"\\\"https://enroll.onduo.com/insurance_support\\\" is excluded from this program's scope. Testing is prohibited on this endpoint and any related reports will not be accepted.\"}"],"timestamp":"2025-01-30T18:54:28.714Z"},{"id":3748591,"new_policy":"# Disclosure Policy\n* Please do not discuss any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Ask the program team before submitting vulnerabilities on assets that have not been explicitly listed in the program scope. Submissions will be accepted and reviewed by the team only if the asset is confirmed to be Verily-owned.\n* Social engineering (e.g., phishing, vishing, smishing) is prohibited.\n* Attacks that affect the availability of Verily's services such as denial-of-service attacks are prohibited. Please avoid using scanners or vulnerability testing tools that generate high volumes of traffic to avoid being flagged by our monitoring systems.\n* Leveraging black hat SEO techniques, spamming people, breaking and entering into Verily offices are also prohibited. \n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n* Vulnerability disclosures that do not qualify for rewards through this program include URL redirections, vulnerabilities requiring unlikely or impractical user interaction steps, \"logout\" cross-site request forgery, banner or version information leaks, and user enumeration. \n* Only interact with accounts you own or with the explicit permission of the account holder.\n* The following endpoints are excluded from this program's scope - \"https://enroll.onduo.com/insurance_support\".\n\n# Test Plan\n* Users are able to sign up for free accounts through some of our in-scope domains and mobile apps. We do not provide credentials for testing at this time.\n* Please use your **hacker email alias** (e.g. h1username@wearehackerone.com) when testing.\n\n# Session Layer: HTTP Headers\nResearchers should add headers to requests such as: \n* “X-HackerOne-Research: [H1 username]\n\nThank you for helping keep Verily and our users safe!\n","has_open_scope":null,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"Welcome! Verily is committed to building trust and protecting the privacy and security of our users, customers and partners. We look forward to working with the security research community to discover and address vulnerabilities in our products.","platform_standards_exclusions":[],"exemplary_standards_exclusions":["LEAKED_CREDENTIALS"],"scope_exclusions":["{\"category\":\"Recent acquisitions\",\"details\":\"Newly acquired companies are subject to a six-month blackout period to allow for reviews. Bugs reported sooner than that will not qualify for rewards.\"}","{\"category\":\"Third-party websites\",\"details\":\"Verily-branded services hosted on third-party domains may be operated by our vendors or partners. We can’t authorize you to test these systems on behalf of their owners and will not reward bugs found on these systems. Please examine domain and IP WHOIS records to confirm or reach out to us!\"}","{\"category\":\"Excluded endpoints\",\"details\":\"\\\"https://enroll.onduo.com/insurance_support\\\" is excluded from this program's scope. Testing is prohibited on this endpoint and any related reports will not be accepted.\"}"],"timestamp":"2025-01-22T23:01:09.896Z"},{"id":3748590,"new_policy":"# Disclosure Policy\n* Please do not discuss any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Ask the program team before submitting vulnerabilities on assets that have not been explicitly listed in the program scope. Submissions will be accepted and reviewed by the team only if the asset is confirmed to be Verily-owned.\n* Social engineering (e.g., phishing, vishing, smishing) is prohibited.\n* Attacks that affect the availability of Verily's services such as denial-of-service attacks are prohibited. Please avoid using scanners or vulnerability testing tools that generate high volumes of traffic to avoid being flagged by our monitoring systems.\n* Leveraging black hat SEO techniques, spamming people, breaking and entering into Verily offices are also prohibited. \n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n* Vulnerability disclosures that do not qualify for rewards through this program include URL redirections, vulnerabilities requiring unlikely or impractical user interaction steps, \"logout\" cross-site request forgery, banner or version information leaks, and user enumeration. \n* Only interact with accounts you own or with the explicit permission of the account holder.\n\n# Test Plan\n* Users are able to sign up for free accounts through some of our in-scope domains and mobile apps. We do not provide credentials for testing at this time.\n* Please use your **hacker email alias** (e.g. h1username@wearehackerone.com) when testing.\n\n# Session Layer: HTTP Headers\nResearchers should add headers to requests such as: \n* “X-HackerOne-Research: [H1 username]\n\nThank you for helping keep Verily and our users safe!\n","has_open_scope":null,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"Welcome! Verily is committed to building trust and protecting the privacy and security of our users, customers and partners. We look forward to working with the security research community to discover and address vulnerabilities in our products.","platform_standards_exclusions":[],"exemplary_standards_exclusions":["LEAKED_CREDENTIALS"],"scope_exclusions":["{\"category\":\"Recent acquisitions\",\"details\":\"Newly acquired companies are subject to a six-month blackout period to allow for reviews. Bugs reported sooner than that will not qualify for rewards.\"}","{\"category\":\"Third-party websites\",\"details\":\"Verily-branded services hosted on third-party domains may be operated by our vendors or partners. We can’t authorize you to test these systems on behalf of their owners and will not reward bugs found on these systems. Please examine domain and IP WHOIS records to confirm or reach out to us!\"}","{\"category\":\"Excluded endpoints\",\"details\":\"\\\"https://enroll.onduo.com/insurance_support\\\" is excluded from this program's scope. Testing is prohibited on this endpoint and any related reports will not be accepted.\"}"],"timestamp":"2025-01-22T22:58:09.017Z"},{"id":3748589,"new_policy":"# Disclosure Policy\n* Please do not discuss any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Ask the program team before submitting vulnerabilities on assets that have not been explicitly listed in the program scope. Submissions will be accepted and reviewed by the team only if the asset is confirmed to be Verily-owned.\n* Social engineering (e.g., phishing, vishing, smishing) is prohibited.\n* Attacks that affect the availability of Verily's services such as denial-of-service attacks are prohibited. Please avoid using scanners or vulnerability testing tools that generate high volumes of traffic to avoid being flagged by our monitoring systems.\n* Leveraging black hat SEO techniques, spamming people, breaking and entering into Verily offices are also prohibited. \n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n* Vulnerability disclosures that do not qualify for rewards through this program include URL redirections, vulnerabilities requiring unlikely or impractical user interaction steps, \"logout\" cross-site request forgery, banner or version information leaks, and user enumeration. \n* Only interact with accounts you own or with the explicit permission of the account holder.\n\n# Test Plan\n* Users are able to sign up for free accounts through some of our in-scope domains and mobile apps. We do not provide credentials for testing at this time.\n* Please use your **hacker email alias** (e.g. h1username@wearehackerone.com) when testing.\n\n# Session Layer: HTTP Headers\nResearchers should add headers to requests such as: \n* “X-HackerOne-Research: [H1 username]\n\nThank you for helping keep Verily and our users safe!\n","has_open_scope":null,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"Welcome! Verily is committed to building trust and protecting the privacy and security of our users, customers and partners. We look forward to working with the security research community to discover and address vulnerabilities in our products.","platform_standards_exclusions":[],"exemplary_standards_exclusions":["LEAKED_CREDENTIALS"],"scope_exclusions":["{\"category\":\"Recent acquisitions\",\"details\":\"Newly acquired companies are subject to a six-month blackout period to allow for reviews. Bugs reported sooner than that will not qualify for rewards.\"}","{\"category\":\"Third-party websites\",\"details\":\"Verily-branded services hosted on third-party domains may be operated by our vendors or partners. We can’t authorize you to test these systems on behalf of their owners and will not reward bugs found on these systems. Please examine domain and IP WHOIS records to confirm or reach out to us!\"}","{\"category\":\"Excluded subdomains\",\"details\":\"\\\"enroll.enduo.com\\\" is excluded from this program's scope. Reports related to this subdomain will not be accepted.\"}"],"timestamp":"2025-01-22T22:22:47.933Z"},{"id":3746915,"new_policy":"# Disclosure Policy\n* Please do not discuss any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Ask the program team before submitting vulnerabilities on assets that have not been explicitly listed in the program scope. Submissions will be accepted and reviewed by the team only if the asset is confirmed to be Verily-owned.\n* Social engineering (e.g., phishing, vishing, smishing) is prohibited.\n* Attacks that affect the availability of Verily's services such as denial-of-service attacks are prohibited. Please avoid using scanners or vulnerability testing tools that generate high volumes of traffic to avoid being flagged by our monitoring systems.\n* Leveraging black hat SEO techniques, spamming people, breaking and entering into Verily offices are also prohibited. \n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n* Vulnerability disclosures that do not qualify for rewards through this program include URL redirections, vulnerabilities requiring unlikely or impractical user interaction steps, \"logout\" cross-site request forgery, banner or version information leaks, and user enumeration. \n* Only interact with accounts you own or with the explicit permission of the account holder.\n\n# Test Plan\n* Users are able to sign up for free accounts through some of our in-scope domains and mobile apps. We do not provide credentials for testing at this time.\n* Please use your **hacker email alias** (e.g. h1username@wearehackerone.com) when testing.\n\n# Session Layer: HTTP Headers\nResearchers should add headers to requests such as: \n* “X-HackerOne-Research: [H1 username]\n\nThank you for helping keep Verily and our users safe!\n","has_open_scope":null,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"Welcome! Verily is committed to building trust and protecting the privacy and security of our users, customers and partners. We look forward to working with the security research community to discover and address vulnerabilities in our products.","platform_standards_exclusions":[],"exemplary_standards_exclusions":["LEAKED_CREDENTIALS"],"scope_exclusions":["{\"category\":\"Recent acquisitions\",\"details\":\"Newly acquired companies are subject to a six-month blackout period to allow for reviews. Bugs reported sooner than that will not qualify for rewards.\"}","{\"category\":\"Third-party websites\",\"details\":\"Verily-branded services hosted on third-party domains may be operated by our vendors or partners. We can’t authorize you to test these systems on behalf of their owners and will not reward bugs found on these systems. Please examine domain and IP WHOIS records to confirm or reach out to us!\"}"],"timestamp":"2024-12-18T19:21:48.595Z"},{"id":3746914,"new_policy":"# Disclosure Policy\n* Please do not discuss any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Ask the program team before submitting vulnerabilities on assets that have not been explicitly listed in the program scope. Submissions will be accepted and reviewed by the team only if the asset is confirmed to be Verily-owned.\n* Social engineering (e.g., phishing, vishing, smishing) is prohibited.\n* Attacks that affect the availability of Verily's services such as denial-of-service attacks are prohibited. Please avoid using scanners or vulnerability testing tools that generate high volumes of traffic to avoid being flagged by our monitoring systems.\n* Leveraging black hat SEO techniques, spamming people, breaking and entering into Verily offices are also prohibited. \n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n* Vulnerability disclosures that do not qualify for rewards through this program include URL redirections, vulnerabilities requiring unlikely or impractical user interaction steps, \"logout\" cross-site request forgery, banner or version information leaks, and user enumeration. \n* Only interact with accounts you own or with the explicit permission of the account holder.\n\n# Test Plan\n* Users are able to sign up for free accounts through some of our in-scope domains and mobile apps. We do not provide credentials for testing at this time.\n* Please use your **hacker email alias** (e.g. h1username@wearehackerone.com) when testing.\n\n# Session Layer: HTTP Headers\nResearchers should add headers to requests such as: \n* “X-HackerOne-Research: [H1 username]\n\nThank you for helping keep Verily and our users safe!\n","has_open_scope":null,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"Welcome! Verily is committed to building trust and protecting the privacy and security of user health data. We look forward to working with the security research community to discover and address vulnerabilities in our products and systems.","platform_standards_exclusions":[],"exemplary_standards_exclusions":["LEAKED_CREDENTIALS"],"scope_exclusions":["{\"category\":\"Recent acquisitions\",\"details\":\"Newly acquired companies are subject to a six-month blackout period to allow for reviews. Bugs reported sooner than that will not qualify for rewards.\"}","{\"category\":\"Third-party websites\",\"details\":\"Verily-branded services hosted on third-party domains may be operated by our vendors or partners. We can’t authorize you to test these systems on behalf of their owners and will not reward bugs found on these systems. Please examine domain and IP WHOIS records to confirm or reach out to us!\"}"],"timestamp":"2024-12-18T19:19:24.733Z"},{"id":3746913,"new_policy":"# Disclosure Policy\n* Please do not discuss any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Ask the program team before submitting vulnerabilities on assets that have not been explicitly listed in the program scope. Submissions will be accepted and reviewed by the team only if the asset is confirmed to be Verily-owned.\n* Social engineering (e.g., phishing, vishing, smishing) is prohibited.\n* Attacks that affect the availability of Verily's services such as denial-of-service attacks are prohibited. Please avoid using scanners or vulnerability testing tools that generate high volumes of traffic to avoid being flagged by our monitoring systems.\n* Leveraging black hat SEO techniques, spamming people, breaking and entering into Verily offices are also prohibited. \n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n* Vulnerability disclosures that do not qualify for rewards through this program include URL redirections, vulnerabilities requiring unlikely or impractical user interaction steps, \"logout\" cross-site request forgery, banner or version information leaks, and user enumeration. \n* Only interact with accounts you own or with the explicit permission of the account holder.\n\n# Test Plan\n* Users are able to sign up for free accounts through some of our in-scope domains and mobile apps. We do not provide credentials for testing at this time.\n* Please use your **hacker email alias** (e.g. h1username@wearehackerone.com) when testing.\n\n# Session Layer: HTTP Headers\nResearchers should add headers to requests such as: \n* “X-HackerOne-Research: [H1 username]\n\nThank you for helping keep Verily and our users safe!\n","has_open_scope":null,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"Welcome! Verily is committed to protecting the privacy and security of user health data. We look forward to working with the security research community to discover and address vulnerabilities in our products and systems.","platform_standards_exclusions":[],"exemplary_standards_exclusions":["LEAKED_CREDENTIALS"],"scope_exclusions":["{\"category\":\"Recent acquisitions\",\"details\":\"Newly acquired companies are subject to a six-month blackout period to allow for reviews. Bugs reported sooner than that will not qualify for rewards.\"}","{\"category\":\"Third-party websites\",\"details\":\"Verily-branded services hosted on third-party domains may be operated by our vendors or partners. We can’t authorize you to test these systems on behalf of their owners and will not reward bugs found on these systems. Please examine domain and IP WHOIS records to confirm or reach out to us!\"}"],"timestamp":"2024-12-18T19:15:17.147Z"},{"id":3746906,"new_policy":"# Disclosure Policy\n* Please do not discuss any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Ask the program team before submitting vulnerabilities on assets that have not been explicitly listed in the program scope. Submissions will be accepted and reviewed by the team only if the asset is confirmed to be Verily-owned.\n* Social engineering (e.g., phishing, vishing, smishing) is prohibited.\n* Attacks that affect the availability of Verily's services such as denial-of-service attacks are prohibited. Please avoid using scanners or vulnerability testing tools that generate high volumes of traffic to avoid being flagged by our monitoring systems.\n* Leveraging black hat SEO techniques, spamming people, breaking and entering into Verily offices are also prohibited. \n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n* Vulnerability disclosures that do not qualify for rewards through this program include URL redirections, vulnerabilities requiring unlikely or impractical user interaction steps, \"logout\" cross-site request forgery, banner or version information leaks, and user enumeration. \n* Only interact with accounts you own or with the explicit permission of the account holder.\n\n# Test Plan\n* Users are able to sign up for free accounts through some of our in-scope domains and mobile apps. We do not provide credentials for testing at this time.\n* Please use your **hacker email alias** (e.g. h1username@wearehackerone.com) when testing.\n\n# Session Layer: HTTP Headers\nResearchers should add headers to requests such as: \n* “X-HackerOne-Research: [H1 username]\n\nThank you for helping keep Verily and our users safe!\n","has_open_scope":null,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"Welcome! Verily is committed to safeguarding the privacy and security of our users. We look forward to working with the security research community to discover and address vulnerabilities in our products and systems.","platform_standards_exclusions":[],"exemplary_standards_exclusions":["LEAKED_CREDENTIALS"],"scope_exclusions":["{\"category\":\"Recent acquisitions\",\"details\":\"Newly acquired companies are subject to a six-month blackout period to allow for reviews. Bugs reported sooner than that will not qualify for rewards.\"}","{\"category\":\"Third-party websites\",\"details\":\"Verily-branded services hosted on third-party domains may be operated by our vendors or partners. We can’t authorize you to test these systems on behalf of their owners and will not reward bugs found on these systems. Please examine domain and IP WHOIS records to confirm or reach out to us!\"}"],"timestamp":"2024-12-18T19:09:47.212Z"},{"id":3746806,"new_policy":"# Disclosure Policy\n* Please do not discuss any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Ask the program team before submitting vulnerabilities on assets that have not been explicitly listed in the program scope. Submissions will be accepted and reviewed by the team only if the asset is confirmed to be Verily-owned.\n* Social engineering (e.g., phishing, vishing, smishing) is prohibited.\n* Attacks that affect the availability of Verily's services such as denial-of-service attacks are prohibited. Please avoid using scanners or vulnerability testing tools that generate high volumes of traffic to avoid being flagged by our monitoring systems.\n* Leveraging black hat SEO techniques, spamming people, breaking and entering into Verily offices are also prohibited. \n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n* Vulnerability disclosures that do not qualify for rewards through this program include URL redirections, vulnerabilities requiring unlikely or impractical user interaction steps, \"logout\" cross-site request forgery, banner or version information leaks, and user enumeration. \n* Only interact with accounts you own or with the explicit permission of the account holder.\n\n# Test Plan\n* Users are able to sign up for free accounts through some of our in-scope domains and mobile apps. We do not provide credentials for testing at this time.\n* Please use your **hacker email alias** (e.g. h1username@wearehackerone.com) when testing.\n\n# Session Layer: HTTP Headers\nResearchers should add headers to requests such as: \n* “X-HackerOne-Research: [H1 username]\n\nThank you for helping keep Verily and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-12-18T02:07:42.143Z"}]