American multinational conglomerate holding company AT&T has announced the launch of its public bug bounty program on HackerOne.

Revealed on 6 August, the new program will reward security researchers who submit reports on eligible vulnerabilities affecting AT&T's websites, mobile apps, devices and exposed APIs. In-scope flaws include, among others, weaknesses that affect the confidentiality or integrity of user data or privacy, let an attacker gain unauthorized access to sensitive data or resources, or allow the execution of unauthorized code. By contrast, the vulnerability disclosure program excludes attacks against the company's infrastructure, social engineering attacks and distributed denial-of-service (DDoS) attacks.

AT&T's program will pay as much as $2,000 for a report on an eligible critical-severity vulnerability. That amount drops to $750 and $300 for researchers who properly disclose a flaw of high and medium severity, respectively. At the bottom of the scale, the company will pay $150 to researchers who uncover low-severity vulnerabilities.

AT&T’s bug bounty reward structure.

Those wishing to participate in the new program will need to register for, or log into, their HackerOne account. Once they have discovered a valid vulnerability, they should make sure that their report includes the details and tools needed to reproduce the flaw. They can then expect to hear back from the company within one business day of submitting their report.

That being said, not all eligible reports will produce an award. AT&T won't pay a bounty for a duplicate of a vulnerability that has already been reported, nor will it reward researchers who fail to abide by the principles of responsible disclosure. In the latter case, the company said it might even take punitive action.

You must submit your report as soon as you have discovered a potential vulnerability. By submitting the