


Author Topic: Acronis Bug Bounty [$100-200]  (Read 13782 times)

Angelina

  • Moderator
  • Experienced Member
  • *****
  • Posts: 357
Acronis Bug Bounty [$100-200]
« on: May 16, 2023, 05:58:21 pm »
Submit bug report: https://www.acronis.com

Policy

Acronis looks forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe.
Rules for us
  • We respect the time and effort of our researchers
  • We will respond within 5 business days
  • We will process reports within 10 business days
  • We will determine bounty amount within 10 business days after triage
  • We will do our best to keep you informed about our progress throughout the process
Rules for you
  • Be an ethical hacker and respect other users' privacy

  • Automated scanning tools must be limited to 5 requests per second to one target host, summing up all tools and threads running in parallel
  • Violation of these rules might result in ineligibility for a bounty or a permanent ban
  • Social engineering (e.g. phishing, vishing, smishing) is prohibited
  • Only interact with accounts you own or with the explicit permission of the account holder
  • If any sensitive information is accessed as a part of exploitation, it must not be stored, transferred or otherwise processed after the initial discovery. All copies of sensitive information must be returned to Acronis and may not be retained
  • Always limit exploitation to the minimal proof of concept required to demonstrate the vulnerability. Do not attempt to access Acronis or other users' accounts or data, or to perform post-exploitation of other vulnerabilities. Stop, report what you have found and request additional testing permission
  • Use the following commands to demonstrate command execution vulnerabilities

    Non-root:
      id
      cat /etc/hosts
      touch ~/[your H1 username]

    Root:
      id
      cat /proc/1/maps
      touch /root/[your H1 username]
Recommendations
  • Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact
  • Reports that include clear steps to reproduce and proof of concept code will be more likely to be accepted
  • If you are submitting DLL files as part of your exploit, be sure to include the source code for them as well. Doing so helps us verify your proof of concept more accurately and quickly
Quickstart Guide
  • Acronis Cyber Protect Cloud documentation is available at developer.acronis.com
  • You can find quickstart guides and more information about Acronis products and services at kb.acronis.com
  • Note that some vulnerabilities may already be fixed in the beta versions (check assets description)
Rewards
  • When duplicates occur, we only award the first report that we receive
  • If a vulnerability is fixed in the beta version we will consider it as a duplicate
  • Multiple vulnerabilities caused by one underlying issue will be awarded one bounty
Public Disclosure
  • Follow HackerOne's disclosure guidelines
  • No vulnerability disclosure is allowed without express consent from Acronis. This rule applies to any vulnerability details as well as information obtained during exploitation, even for resolved issues
  • We may request up to 180 days of additional time after a disclosure request or report resolution to remediate the issue. This time is usually required to distribute the fixed version among our customers
  • Besides disclosing reports on HackerOne, we also publish details about discovered vulnerabilities and corresponding security updates in the Acronis Advisory Database
Safe Harbor
Any activities conducted in a manner consistent with this policy will be considered authorised conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
Thank you for helping keep Acronis and our users safe!