Bug Bounty

Outbrain is The Leading Recommendation Platform for the Open Web. We connect users to their interests and help them explore the internet.

No technology is perfect.

We believe that working with skilled security researchers from across the globe is crucial to identifying the weaknesses in any technology. If you believe you've found a security issue in our product or service, we encourage you to notify us. We welcome any contribution that helps us keep our users safe and to work with you to resolve the issue promptly.

Vulnerability Reporting Policy:

Eligibility to Participate:

To participate in our Bug Bounty Program,you must not:

• Be a resident of, or make your Submission from, a country against which the United States has issued export sanctions or other trade restrictions (e.g., Cuba, Iran, North Korea, Sudan and Syria);
• Be employed by Outbrain or its subsidiaries (including former employees that have left Outbrain within the prior 12 months);
• Be an immediate family member of a person employed by Outbrain Inc. or its subsidiaries or affiliates;
• Be less than 14 years of age unless you have obtained your parent’s or legal guardian’s permission prior to participating in the program.

Rules of Engagement:

• Test vulnerabilities only against accounts that you own or accounts that you have permission from the account holder to test against.
• Never use a finding to compromise other systems. Use a proof of concept only to demonstrate an issue.
• Any sensitive information, such as personal information or credentials, accessed as part of a vulnerability must not be saved, stored, transferred, accessed, or processed after initial discovery. All copies of sensitive information must be returned to Outbrain and may not be stored.
• Researchers may not engage in any activity that would be disruptive, damaging or harmful to Outbrain, its brands or its users. This includes: social engineering, phishing, physical security, brute force attacks and denial of service attacks against users, services, employees, or Outbrain as a whole.

Confidentiality

• Researchers must strictly comply with all confidentiality guidelines, requirements and obligations
• Researchers may not publicly disclose vulnerabilities or share any details whatsoever without Outbrain’s explicit written permission, including on social media or otherwise.

Safe Harbor:

Any activities conducted in a manner consistent with this policy will be considered authorized conduct. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

Disclosure of Vulnerabilities:

Testing:

Web traffic to and from Outbrain properties produces petabytes of data every day. When testing, you can make it easier for us to identify your testing traffic against our normal data and the malicious actors out in the world. Please do the following when participating in Outbrain bug bounty programs:

• Where possible, register accounts using your  <username>@wearehackerone.com addresses.
• Provide your IP address in the bug report. We will keep this data private and only use it to review logs related to your testing activity.
• Include a custom HTTP header in all your traffic. Burp and other proxies allow the easy automatic addition of headers to all outbound requests.  X-Bug-Bounty: HackerOne-<username>

When attempting to demonstrate root permissions with the following primitives in a vulnerable process please use the following commands:

• Read:$ cat /etc/hostname
• Write:$ touch ~/hackerone-<your H1 username>
• Execute:$ hostname

Minimize the mayhem. Adhere to program rules at all times. Do not use automated scanners/tools - these tools include payloads that could trigger state changes or damage production systems and/or data.

Before causing damage or potential damage: Stop, report what you've found and request additional testing permission.

Reporting

If our security team cannot reproduce and verify an issue, a bounty cannot be awarded. To help streamline our intake process, we ask that submissions include:

• Description of the vulnerability
• Steps to reproduce the reported vulnerability. Please include screenshots, videos or any other material that can help us reproduce the vulnerability.
• List of URLs and affected parameters
• Proof-of-Concept code
• Browser, OS and/or app version used during testing All supporting evidence and other attachments must be stored only within the report you submit. Do not host any files on external services.

Response:

Outbrain will make a best effort to adhere to the following response targets:

Scope:

Domains in scope:

• www.outbrain.com
• my.outbrain.com
• api.outbrain.com
• odb.outbrain.com
• www.zemanta.com
• one.zemanta.com
• oneapi.zemanta.com
• widgets.outbrain.com
• Outbrain Android SDK
• Outbrain iOS SDK

The following issues are considered out of scope:

• Those that resolve to third-party services
• Issues that do not affect the latest version of modern browsers
• Issues that we are already aware of or have been previously reported
• Cross-site Request Forgery with minimal security impact
• General best practice concerns
• Missing Security HTTP Headers (without proof of exploitability)
• All Flash-related bugs
• Any behavior that is designed by the product and is fully intentional behavior

Multiple bug reports that involve the same vulnerability but are on a different host, path or parameter will be considered as duplicated reports. Please report only the first that is discovered and include the others in the original report.

Access:

• All access to authenticated routes should be done using a HackerOne email address: `<username>@wearehackerone.com`
• In order to access the Outbrain Dashboard please sign up with your HackerOne email address at: https://my.outbrain.com/amplify/funnel/
• If you require additional access to the Outbrain API, please make sure you registered to the Outbrain Dashboard first and then send an email to bugbounty@outbrain.com with your HackerOne email address requesting access
• If you require access to the Zemanata dashboard or API, please send an email to bugbounty@zemanta.com with your HackerOne email address requesting access

Rewards:

How is the severity determined?

Outbrain reserves the right to make a final decision regarding the severity of a reported finding. Upon receipt of the finding, we will conduct an internal investigation and determine the severity of the finding by considering multiple factors including but not limited to:

• The quantity of affected users and data
• The sensitivity and classification of the affected data, and the security requirements surrounding it
• The impact to the affected data's confidentiality, integrity, or availability
• The privilege level required to exploit
• A working and reproducible proof of concept
• The difficulty to exploit
• Whether it requires user interaction
• Other, if any, mitigating factors or exploit scenario requirements While we try to be as consistent as possible with rewards, our program is also evolving and rewards may change accordingly to how our program evolves with time.

Valued Vulnerabilities

Here are some examples of common vulnerabilities and their classified severity range. Vulnerabilities not listed in the table are eligible as long as you follow the rules of the program.

A valid submission will automtically add you to our official bug bounty program on HackerOne, which will allow you to submit more findings through the HackerOne platform directly.