avatar
Bug bounty
Public
Submit report

Harman International Lifestyle Products & Services

HARMAN designs and engineers c​onnected products and solutions for automakers, consumers, and enterprises worldwide, including connected car systems, audio and visual products, enterprise automat​ion solutions; and connected services. Our talented workforce and innovation strength create value for our stakeholders by enabli​ng rich experiences through the connected car, connected enterprise and connected lifestyle. Audi​​ophiles from every generation call on HARMAN to deliver the best in sound in the studio and on the stage, at home and on the go. HARMAN’s portfolio of legendary audio brands includes AKG®, Harman Kardon®, Infinity®, JBL®, Lexicon®, Mark Levinson®and Revel®. More than 50 million vehicles on the road today enjoy an enhanced driving experience, thanks to HARMAN audio and infotainment. We extend the same spirit of innovation to the world’s leading performance and sporting venues, providing everyone with the best seats in the house. Seizing the rich opportunities of today’s global markets requires more than legendary sound. HARMAN has reshaped our organization and cost structure to make the Company more agile in a changing world and addressed the rising importance of highly integrated, software-rich products and services. Most importantly, our track record of innovation, which has distinguished HARMAN and its premium audio and infotainment brands for more than 60 years, continues.

Reward

Bounty
Hall of fame
$100
Low
$300
Medium
$1,000
High
$2,500
Critical
$4,000

Program

Avg reward
-
Max reward
-
Scopes
27
Supported languages
English
German
Hindi

Hacktivity

Reports
93
1st response
< 1 day
Reports last 24h
-
Reports last week
-
Reports this month
2

Company

HARMAN International is a global leader in connected car technology, lifestyle audio
innovations, design and analytics, cloud services and IoT solutions.

About our Scopes

The scopes listed further below are intended to support the hardening of the entire ecosystem related to our JBL devices.

Be immersed in 3D surround sound with JBL’s latest soundbar launches, including the feature-packed JBL Bar 1000. A true home cinema experience without wires, the 7.1.4 channel JBL Bar 1000 uses four up-firing drivers to envelop you in a sphere of Dolby Atmos® and DTS:X 3D surround sound. The JBL Bar 300, JBL Bar 500 and JBL Bar 800 join the JBL Bar 1000 to complete the all-new JBL Bar Series.

Program Rules

We believe that no technology is perfect and that working with skilled security researchers is crucial in
identifying weaknesses in our technology.
If you believe you've found a security bug in our service, we are happy to work with you to resolve the
issue promptly and ensure you are fairly rewarded for your discovery.
Any type of denial-of-service attacks is strictly forbidden, as well as any interference with network
equipment and Harman infrastructure.

Reward Eligibility and Testing precautions

We are happy to thank everyone who submits valid reports which help us improve the security of
Harman however, only those that meet the following eligibility requirements may receive a monetary
reward:

  • You must be the first reporter of a vulnerability.
  • The vulnerability must be a qualifying vulnerability (see below)
  • Any vulnerability found must be reported no later than 24 hours after discovery and exclusively
    through yeswehack.com
  • You must send a clear textual description of the report along with steps to reproduce the issue,
    include attachments such as screenshots or proof of concept code as necessary.
  • You must avoid tests that could cause degradation or interruption of our service (refrain from using
    automated tools, and limit yourself about requests per second).
  • You must not leak, manipulate, or destroy any user data.
  • You must not be a former or current employee of Harman or one of its contractors.
    Reports about vulnerabilities are examined by our security analysts.
  • Our analysis is always based on worst case exploitation of the vulnerability, as is the reward we
    pay. No vulnerability disclosure, including partial is allowed for the moment.

REVIEW DATE

This program was last reviewed: July 2024

Reward

Asset value CVSS
Low
 CVSS
Medium
 CVSS
High
 CVSS
Critical
Critical
$300$1,000$2,500$4,000
High
$200$600$1,500$2,500
Medium
$100$300$1,000$2,000
Low
$100$300$1,000$1,500

Scopes

ScopeTypeAsset value
Device: JBL Bar 300 other
High
Low
$200
Medium
$600
High
$1,500
Critical
$2,500
Device: JBL Bar 500 other
High
Low
$200
Medium
$600
High
$1,500
Critical
$2,500
Device: JBL Bar 700 other
High
Low
$200
Medium
$600
High
$1,500
Critical
$2,500
Device: JBL Bar 800 other
High
Low
$200
Medium
$600
High
$1,500
Critical
$2,500
Device: JBL Bar 1000 other
High
Low
$200
Medium
$600
High
$1,500
Critical
$2,500
Device: JBL Bar 1300 other
Critical
Low
$300
Medium
$1,000
High
$2,500
Critical
$4,000
a1ttqkupgmaxeg-ats.iot.us-east-1.amazonaws.com other
Medium
Low
$100
Medium
$300
High
$1,000
Critical
$2,000
a1ttqkupgmaxeg-ats.iot.ap-east-1.amazonaws.com other
Medium
Low
$100
Medium
$300
High
$1,000
Critical
$2,000
lsaconsumerevents2.onecloud.harman.com api
Low
Low
$100
Medium
$300
High
$1,000
Critical
$1,500
lsaconsumerevents3.onecloud.harman.com api
Low
Low
$100
Medium
$300
High
$1,000
Critical
$1,500
lsaconsumerevents1.onecloud.harman.com api
Low
Low
$100
Medium
$300
High
$1,000
Critical
$1,500
events.onecloud.harman.com api
High
Low
$200
Medium
$600
High
$1,500
Critical
$2,500
ota-staging.onecloud.harman.com api
Low
Low
$100
Medium
$300
High
$1,000
Critical
$1,500
ota.onecloud.harman.com api
High
Low
$200
Medium
$600
High
$1,500
Critical
$2,500
apis.onecloud.harman.com api
High
Low
$200
Medium
$600
High
$1,500
Critical
$2,500
edgeapis.onecloud.harman.com api
Medium
Low
$100
Medium
$300
High
$1,000
Critical
$2,000
things.onecloud.harman.com api
Low
Low
$100
Medium
$300
High
$1,000
Critical
$1,500
JBL Authentics 200 other
Critical
Low
$300
Medium
$1,000
High
$2,500
Critical
$4,000
JBL Authentics 300 other
Critical
Low
$300
Medium
$1,000
High
$2,500
Critical
$4,000
JBL Authentics 500 other
Critical
Low
$300
Medium
$1,000
High
$2,500
Critical
$4,000
JBL Boombox 3 Wi-Fi other
Critical
Low
$300
Medium
$1,000
High
$2,500
Critical
$4,000
JBL Charge 5 Wi-Fi other
Critical
Low
$300
Medium
$1,000
High
$2,500
Critical
$4,000
JBL PartyBox Ultimate other
Critical
Low
$300
Medium
$1,000
High
$2,500
Critical
$4,000
https://apps.apple.com/fr/app/jbl-one/id1610239857 mobile-application-ios
High
Low
$200
Medium
$600
High
$1,500
Critical
$2,500
https://play.google.com/store/apps/details?id=com.jbl.oneapp&hl=fr&gl=US mobile-application-android
High
Low
$200
Medium
$600
High
$1,500
Critical
$2,500
JBL Flip 6 other
Critical
Low
$300
Medium
$1,000
High
$2,500
Critical
$4,000
JBL Charge 5 other
Critical
Low
$300
Medium
$1,000
High
$2,500
Critical
$4,000

Out of scopes

  • Anything not explicitly listed in the Scope section is Out-Of-Scope. For example, our e-commerce websites are out of scope in this program.

Vulnerability types

Qualifying vulnerabilities

  • Vulnerabilities in software update system
  • Vulnerabilities related to bluetooth, Bluetooth LE, Wi-Fi implementation
  • Vulnerabilities related to firmware update mechanism
  • Code execution on JBL device
  • DoS of JBL devices with a USB killer included
  • Broken authentication
  • Exposed secrets, credentials or sensitive information from an asset under our control
  • Broken encryption
  • Sensitive data exposure
  • Broken cryptographic implementation with working exploit
  • Remote code execution (RCE)
  • Local files access and manipulation (LFI, RFI, XXE, SSRF, XSPA)
  • Code injections (HTML, JS, SQL, PHP, ...)
  • Cross-Site Scripting (XSS)
  • Cross-Site Requests Forgery (CSRF) with real security impact
  • Open redirect
  • Insecure direct object references
  • CORS with real security impact
  • Horizontal, vertical and local privilege escalation
  • Sensitive Information Exposure Through insecure data storage on device
  • Leaked information from Mobile (without rooting)
  • Insecure Communication
  • Insecure Authentication
  • Insecure Authorization
  • Insufficient Cryptography
  • Hardcoded secrets

Non-qualifying vulnerabilities

  • Lack of expiration on auth tokens
  • Stolen secrets, credentials or information gathered from a third-party asset that we have no control over
  • Tabnabbing
  • Missing cookie flags
  • Content/Text injections
  • Mixed content warnings
  • "HTTP Host Header" XSS
  • Clickjacking/UI redressing
  • Denial of Service (DoS) and DDoS attacks
  • Known CVEs without working PoC
  • Open ports without real security impact
  • Vulnerabilities affecting outdated browsers or platforms
  • Software version disclosure
  • Stack traces or path disclosure
  • Social engineering on employees, contractors or final users
  • Recently disclosed 0-day vulnerabilities
  • Vulnerabilities affecting outdated browsers or platforms
  • Self-XSS or XSS that cannot be used to impact other users
  • Outdated libraries without a demonstrated security impact
  • Any hypothetical flaw or best practices without exploitable PoC
  • Expired certificate, best practices and other related issues for TLS/SSL certificates
  • Unexploitable vulnerabilities (ex: XSS or Open Redirect in HTTP Host Header)
  • Logout and other instances of low-severity Cross-Site Request Forgery
  • Missing security-related HTTP headers which do not lead directly to a vulnerability
  • Unauthenticated / Logout / Login and other low-severity Cross-Site Request Forgery (CSRF)
  • Invalid or missing SPF (Sender Policy Framework), DKIM, DMARC records
  • Session expiration policies (no automatic logout, invalidation after a certain time or after a password
  • change)
  • Disclosure of information without direct security impact (e.g. stack traces, path disclosure, directory
  • listings, software versions, IP disclosure, 3rd party secrets)
  • CSV injection
  • HTTP Strict Transport Security Header (HSTS)
  • Subdomain takeover without a full working PoC
  • Blind SSRF without direct impact (e.g. DNS pingback)
  • Lack of rate-limiting, brute-forcing or captcha issues
  • User enumeration (email, alias, GUID, phone number)
  • Password requirements policies (length / complexity / reuse)
  • Ability to spam users (email / SMS / direct messages flooding)
  • Disclosed / misconfigured Google API key (including Google Maps)
  • Recently disclosed 0-day vulnerabilities (less than 90 days since patch release)
  • Password reset token leak on trusted third-party website via Referer header (eg Google Analytics,
  • Facebook…)
  • Reports from automated web vulnerability scanners (Acunetix, Vega, etc.) that have not been validated
  • Vulnerabilities requiring physical access to a user’s smartphone
  • Exploits that are only possible on Android version 7 and below
  • Exploits that are only possible on IOS version 10 and below
  • Exploits that are only possible on a jailbroken device*
  • Exploiting a generic Android or iOS vulnerability.
  • Lack of code obfuscation
  • Lack of binary protection / jailbreak and root detection / anti-debugging controls
  • Crashing your own application
  • Non important secrets (such as 3rd party secrets)
  • SSL cypher suites
  • Vulnerable version of libraries (for example ‘jquery’) without demonstrable attack vector
  • SSL Pinning

Hunters collaboration

When submitting new report, you can add up to 5 collaborators, and define the reward split ratio.

For more information, see help center.
Note: For reports that have already been rewarded, it is not possible to redistribute the rewards.

Submit report
program thumbnail
 Harman International Lifestyle Products & S...
Submit report