While we try our best to keep OVH services as safe as possible, we know that some vulnerabilities may have slipped through our scrutiny.
If you believe you've found a security issue in the services listed in our scope, we will work with you to resolve it promptly and ensure you are fairly rewarded for your discovery.
English and French spoken!
The scope of this program is limited to security vulnerabilities found in:
- The Private Cloud product (for more information: https://www.ovh.com/us/dedicated-cloud/)
- www.ovh.com (excluding the /managerv3/* and /soapi/* URIs)
Note that BETA features are also eligible.
Many API endpoints only work with purchased OVH products.
OVH will refund a 30-day subscription period to hunters who have submitted a confirmed vulnerability on the product.
Vulnerabilities reported on other services or applications are currently not eligible for a monetary reward and will be handled as responsible disclosures. We will do our best to give you some cool gifts. As further services come into scope, they will be added to this section.
We are happy to work with everyone who submits valid reports which help us improve the security of OVH.
However, only reports that meet the following eligibility requirements may receive a monetary reward:
• You must be the first person to responsibly disclose a previously unknown issue.
• Any vulnerability found must be reported no later than 24 hours after discovery.
• You are not allowed to disclose details about the vulnerability anywhere else.
• You must avoid tests that could cause degradation or interruption of our service.
• You must not leak, manipulate, or destroy any user data.
• You are only allowed to test against accounts you own yourself.
• The use of automated tools or scripted testing is not allowed.
• You must not be a former or current OVH employee.
• Send a clear textual description of the issue along with steps to reproduce the vulnerability, including attachments such as screenshots or proof-of-concept code as necessary.
• Submit the vulnerability report exclusively through bountyfactory.io.
We intend to respond to and resolve reported issues as quickly as possible; you will receive progress updates from us at least every five working days.
Note that posting details of or conversations about the report, or posting details that reflect negatively on the program or the OVH brand, will result in immediate disqualification from the program.
OVH may provide rewards to eligible reporters of qualifying vulnerabilities. Our minimum reward is €50 and our maximum reward is €10,000. Reward amounts vary depending upon the severity of the vulnerability reported.
OVH reserves the right to decide whether the minimum severity threshold is met and whether the scope of the reported vulnerability is already covered by a previously reported vulnerability. Rewards are granted entirely at the discretion of OVH. To qualify for a reward under this program, you must respect all of the above-mentioned eligibility criteria.
Payments are made through bountyfactory.io only.
Security researchers may elect to donate their bounty to a non-profit organization of their choice. In this case, the bounty amount will be doubled.
Our bug bounty program is limited strictly to technical security vulnerabilities of OVH services listed in the scope. Any activity that would disrupt, damage or adversely affect any third-party data or account is not allowed.
The following are strictly prohibited:
• Denial of Service and brute forcing attacks.
• Physical attacks against offices and data centers.
• Social engineering of our service desk, employees or contractors.
• Compromise of OVH user or employee accounts.
• Use of a tool that generates a significant volume of traffic.
Additionally, the following vulnerabilities will not be considered for bounty:
• Cross-site request forgery (CSRF/XSRF)
• Cross-domain leakage
• Information disclosure
• XSS attacks via POST requests or self-XSS (unless you provide a PoC that shows impact on other OVH customers)
• Missing HttpOnly and Secure cookie flags
• HTTPS-related issues (such as HSTS)
• Session timeout
• Missing security headers that do not lead directly to a vulnerability (unless you deliver a PoC)
• DKIM/SPF/DMARC issues
You are responsible for paying any taxes associated with rewards. We reserve the right to modify the terms of this program or terminate this program at any time. You must comply with all applicable laws in connection with your participation in this program.
If needed, OVH will coordinate public notification of a validated vulnerability with you.
Thank you for helping keep OVH services safe!