avatar
Bug bounty
Public

HARMAN International - Web Applications

HARMAN designs and engineers c​onnected products and solutions for automakers, consumers, and enterprises worldwide, including connected car systems, audio and visual products, enterprise automat​ion solutions; and connected services. Our talented workforce and innovation strength create value for our stakeholders by enabli​ng rich experiences through the connected car, connected enterprise and connected lifestyle. Audi​​ophiles from every generation call on HARMAN to deliver the best in sound in the studio and on the stage, at home and on the go. HARMAN’s portfolio of legendary audio brands includes AKG®, Harman Kardon®, Infinity®, JBL®, Lexicon®, Mark Levinson®and Revel®. More than 50 million vehicles on the road today enjoy an enhanced driving experience, thanks to HARMAN audio and infotainment. We extend the same spirit of innovation to the world’s leading performance and sporting venues, providing everyone with the best seats in the house. Seizing the rich opportunities of today’s global markets requires more than legendary sound. HARMAN has reshaped our organization and cost structure to make the Company more agile in a changing world and addressed the rising importance of highly integrated, software-rich products and services. Most importantly, our track record of innovation, which has distinguished HARMAN and its premium audio and infotainment brands for more than 60 years, continues.

Reward

Bounty
Hall of fame
$100
Low
$200
Medium
$500
High
$2,000
Critical
$4,000

Program

Avg reward
-
Max reward
$4,000
Scopes
13

Supported languages
English
Hindi
German

Hacktivity

Reports
340
1st response
< 1 day
Reports last 24h
7
Reports last week
29
Reports this month
179

OVERVIEW

Keeping user information safe and secure is a top priority and a core company value for us at Harman (“We”, “Us” or “Harman”). We welcome the contribution of external security researchers and look forward to awarding them for their invaluable contribution to the security of all Harman customers. In addition to the YesWeHack General Terms of Use for “Hunter” and any other applicable YesWeHack terms and conditions, these Bug Bounty Program Terms and Conditions (“Program Terms”) govern the participation of any Hunter (“You”, or “Hunter”) in the Harman Bug Bounty Program. In the event of a conflict between these Program Terms and any other agreement or terms, these Program Terms shall control.

REWARDS

Harman provides rewards to vulnerability reporters at its discretion. Reward amounts may vary depending upon the severity of the vulnerability reported and quality of the report. Keep in mind that this is not a contest or competition.

These values are indicative and we reserve the right to determine amount or even whether a reward should be granted. We typically reward lower amounts for vulnerabilities that require significant user interaction. We also might pay higher rewards for clever or severe vulnerabilities.

Our team will use the "OneFixOneReward" process: if two or more endpoints/forms use the same code based and a single fix can be deployed to fix all the others weakness, only one endpoint will be considered as eligible for a reward and other reports will be closed as Informative

ELIGIBILITY AND TESTING PRECAUTIONS

By undertaking research on Harman systems under these Program Terms, you attest that you are eligible to receive a reward from Harman. In addition to the requirements of eligibility set forth in the Yes We Hack General Terms of Use for “Hunter,” you understand that you will not be in compliance with these Program Terms, and will not be eligible for an award if you are:

  1. A Harman employee or family member of a Harman employee;
  2. Under the age of majority in your country of residence;
  3. a citizen or resident of a country in which use or participation is prohibited by law, decree, regulation, treaty or administrative act;
  4. a citizen or resident of, or located in, a country or region that is subject to U.S. or other sovereign country sanctions or embargoes; or
  5. an individual or an individual employed by or associated with an entity identified on the U.S. Department of Commerce’s Denied Persons or Entity List, the U.S. Department of Treasury’s Specially Designated Nationals or Blocked Persons Lists, or the Department of State’s Debarred Parties List or otherwise ineligible to receive items subject to U.S. export control laws and regulations, or other economic sanction rules of any sovereign nation.

To promote the discovery and reporting of vulnerabilities and increase user safety, we ask that you:

• Share the security issue with us in detail;

• Please be respectful of our existing applications. Spamming forms through automated vulnerability scanners will not result in any bounty or award since those are explicitly out of scope;

• Do not make any attempts to knowingly access or modify our data or our users’ data, without explicit permission of the owner. Only interact with your own accounts or test accounts for security research purposes;

• Contact us immediately if you do inadvertently encounter user data. Do not view, alter, save, store, transfer, or otherwise access the data, and immediately purge any local copies of the information upon reporting the vulnerability to Harman;

• Act in good faith to avoid any activities that may lead to privacy violations (for e.g., inappropriate access to data belonging to another user without their consent or awareness), destruction of data, and interruption or degradation of our services (including denial of service);

• Otherwise comply with all applicable laws.

We only reward the first reporter of a vulnerability. Public disclosure of any vulnerability is not allowed except with the express consent of Harman International. We reserve the right to disqualify individuals from the program for disrespectful or disruptive behavior. This includes using duress or threats (e.g., threat of withholding the vulnerability or threat of releasing the vulnerability or any exposed data to the public) in an attempt to negotiate with us, which will not be allowed.

NOTES ON SSRF SUBMISSIONS

Before submitting an SSRF report, please ensure that the response you're receiving is neither:

  • reset
  • HTTP/1.1 403 Forbidden

Either of these responses usually indicates that your request was blocked and is not a valid SSRF.

NOTES ON THE SCOPE

Any subdomain which matches any of the given scopes is also considered in scope (example: cart.jbl.com.br is a valid subdomain of the given entry www.jbl.com.br).

COMPLIANCE WITH THESE PROGRAM TERMS

We consider activities conducted in a manner consistent with these Program Terms to constitute “authorized” conduct under the United States Computer Fraud and Abuse Act, United States Digital Millennium Copyright Act, and any similar laws or regulations in other jurisdictions. We will not pursue civil action or otherwise initiate a complaint or claim against you for circumventing the technological measures we have used to protect the applications in scope, so long as your activities are conducted in a manner consistent with these Program Terms.

We consider any activities conducted in a manner inconsistent with these Program Terms to be “unauthorized” conduct under the United States Computer Fraud and Abuse Act, and any similar laws or regulations in other jurisdictions. We reserve the right to take legal action against you for any such unauthorized conduct.

If your report addresses a vulnerability of a Harman business partner, Harman reserves the right to share your submission in its entirety, including your identity, with the business partner to help facilitate testing and resolution of the reported vulnerability. If legal action is initiated by a third party against you and you have complied with Harman’s Program Terms, Harman will take steps to make it known that your actions were conducted in compliance with these Program Terms.

If at any time you have concerns or are uncertain whether your security research is consistent with these Program Terms, or believe that these Program Terms do not address you security research, please inquire via www.yeswehack.com/contact/hunter-form before going any further.

GOVERNING LAW AND DISPUTE RESOLUTION

These Program Terms shall be subject to the internal laws of the State of New York, USA and are binding upon the parties hereto in the United States and worldwide. You and Harman agree that any claims between You and Harman, including claims against you for unauthorized conduct shall be subject shall be subject to the jurisdiction of courts in the city of New York City, New York.

THE FINE PRINT

You are responsible for paying any taxes associated with rewards. We may modify these Program Terms or terminate this program at any time. We won’t apply any changes we make to these Program Terms retroactively.

REVIEW DATE

This program was last updated: July 2024


Reward

Asset value CVSS
Low
CVSS
Medium
CVSS
High
CVSS
Critical
Critical
$200$500$2,000$4,000
High
$150$400$1,500$2,500
Medium
$100$300$1,000$2,000
Low
$100$200$800$1,500

Scopes

ScopeTypeAsset value
*.jbl.com web-application
Critical
Low
$200
Medium
$500
High
$2,000
Critical
$4,000
*.harmanaudio.com web-application
High
Low
$150
Medium
$400
High
$1,500
Critical
$2,500
*.harmankardon.com web-application
High
Low
$150
Medium
$400
High
$1,500
Critical
$2,500
*.infinitylab.com web-application
Medium
Low
$100
Medium
$300
High
$1,000
Critical
$2,000
*.support.jbl.com web-application
Medium
Low
$100
Medium
$300
High
$1,000
Critical
$2,000
*.jbl.nl web-application
Low
Low
$100
Medium
$200
High
$800
Critical
$1,500
*.jbl.ru web-application
Low
Low
$100
Medium
$200
High
$800
Critical
$1,500
*.uk.jbl.com web-application
Low
Low
$100
Medium
$200
High
$800
Critical
$1,500
*.uk.harmanaudio.com web-application
Low
Low
$100
Medium
$200
High
$800
Critical
$1,500
*.de.jbl.com web-application
Low
Low
$100
Medium
$200
High
$800
Critical
$1,500
*.in.jbl.com web-application
Low
Low
$100
Medium
$200
High
$800
Critical
$1,500
*.jp.jbl.com web-application
Low
Low
$100
Medium
$200
High
$800
Critical
$1,500
*.jbl.com.br web-application
Low
Low
$100
Medium
$200
High
$800
Critical
$1,500

Out of scopes

  • Anything apart from valid subdomains or otherwise explicitly listed entries in the Scope section is Out-Of-Scope.

Vulnerability types

Qualifying vulnerabilities

  • Remote code execution (RCE)
  • Local files access and manipulation (LFI, RFI, XXE, SSRF, XSPA)
  • Code injections (HTML, JS, SQL, PHP, ...)
  • Cross-Site Scripting (XSS)
  • Cross-Site Requests Forgery (CSRF) with real security impact
  • Open redirect
  • Broken authentication & session management
  • Exposed secrets, credentials or sensitive information from an asset under our control
  • Insecure direct object references
  • CORS with real security impact
  • Horizontal and vertical privilege escalation

Non-qualifying vulnerabilities

  • Stolen secrets, credentials or information gathered from a third-party asset that we have no control over
  • Our policies on presence/absence of SPF/DMARC records.
  • Lack of CSRF tokens (unless there is evidence of actual, sensitive user action not protected by a token).
  • Attacks requiring physical access to a user's device.
  • Missing security headers which do not lead directly to a vulnerability.
  • Missing best practices (we require evidence of a security vulnerability).
  • Host header injections unless you can show how they can lead to stealing user data.
  • Use of a known-vulnerable library (without evidence of exploitability).
  • Reports from automated tools or scans.
  • Reports of spam (i.e., any report involving ability to send emails without rate limits).
  • Vulnerabilities affecting users of outdated browsers or platforms.
  • Social engineering of Harman employees or contractors.
  • Any physical attempts against Harman property or data centers.
  • Presence of autocomplete attribute on web forms.
  • Missing cookie flags on non-sensitive cookies.
  • Reports of insecure SSL/TLS ciphers (unless you have a working proof of concept, and not just a report from a scanner).
  • User enumeration
  • Any access to data where the targeted user needs to be operating a rooted mobile device.
  • Any report on bypassing our storage limits etc. is out of scope.
  • Any report about DLL hijacking without demonstrating how it gains new privileges is also out of scope.
  • Content spoofing vulnerabilities
  • Ability to share links without verifying email.
  • Absence of rate limiting, unless related to authentication.
  • Reflected File Download vulnerabilities or any vulnerabilities that let you start a download to the user's computer are out of scope.
  • Devices (IOS, Android, desktop apps) not getting unlinked on password change.
  • Hyperlink injection or any link injection in emails we send.
  • Phishing risk via unicode/punycode or RTLO issues.

Hunters collaboration

When submitting new report, you can add up to 5 collaborators, and define the reward split ratio.

For more information, see help center.
Note: For reports that have already been rewarded, it is not possible to redistribute the rewards.