Bug bounty
Public

OVH

OVH is an Internet Service Provider providing dedicated servers, shared and cloud hosting, domain registration, and VOIP telephony services.

Reward

Reward types: Bounty, Gift, Hall of fame

Bounty grid by severity (from €100):

  Severity   Bounty
  Low        €100
  Medium     €300
  High       €1,000
  Critical   €10,000

Program

Avg reward: -
Max reward: €10,250
Scopes: 3

Supported languages
French
English

Hacktivity

Reports: 1332
1st response: < 3 days
Reports last 24h: 1
Reports last week: 3
Reports this month: 4

While we do our best to keep OVH services as safe as possible, we know that some bugs can slip through our scrutiny.

If you believe you've found a security issue in the services listed in our scope, we will work with you to resolve it promptly and ensure you are fairly rewarded for your discovery.

Scope

Out-of-scope security bugs are currently not eligible for monetary rewards and will be handled as a responsible disclosure. We will do our best to give you vouchers or some "cool gifts" if your report prompts changes on our side.

Rewards

OVH may provide rewards to eligible reporters of qualifying vulnerabilities. Reward amounts vary depending upon the severity of the vulnerability reported.

OVH reserves the right to decide whether the minimum severity threshold is met and whether the reported bug is already covered by a previously reported vulnerability. Rewards are granted entirely at the discretion of OVH. To qualify for a reward under this program, you must meet all of the criteria below.

Eligibility and Responsible Disclosure

We are happy to work with everyone who submits valid reports which help us improve the security of OVH.

However, only those that meet the following eligibility requirements may receive a monetary reward:

  • You need to be the first person to report an issue not previously known to us.

  • Any vulnerability found must be reported no later than 24 hours after discovery.

  • You are not allowed to disclose details about the vulnerability anywhere else.

  • You must avoid tests that could cause degradation or interruption of our service.

  • You must not leak, manipulate, or destroy any user data.

  • You are only allowed to test against accounts you own yourself.

  • The use of automated tools or scripted testing is not allowed.

  • You must not be a former or current OVH employee.

  • Send a clear written description of the issue along with steps to reproduce the vulnerability, including attachments such as screenshots or proof-of-concept code as necessary.

  • Submit the vulnerability report exclusively through YesWeHack.

We intend to respond and resolve reported issues as quickly as possible. This means that you will receive progress updates from us at least every five working days.

Note that posting details of, or conversations about, the report, or posting anything that reflects negatively on the program or the OVH brand, will result in immediate disqualification from the program.


Reward

Bounty by asset value and CVSS severity:

  Asset value   CVSS Low   CVSS Medium   CVSS High   CVSS Critical
  Low           €100       €300          €1,000      €10,000

Scopes

  Scope                 Type              Asset value   Low     Medium   High     Critical
  api.ovh.com           web-application   Low           €100    €300     €1,000   €10,000
  www.ovh.com/manager   web-application   Low           €100    €300     €1,000   €10,000
  www.ovh.com           web-application   Low           €100    €300     €1,000   €10,000

Out of scope

  • Vulnerabilities reported on other services or applications are not allowed.
  • Vulnerabilities reported on client services
  • *.osp.ovh.com

Vulnerability types

Qualifying vulnerabilities

  • Vulnerabilities with a real security impact

Non-qualifying vulnerabilities

  • "Self" XSS
  • Account enumeration
  • Missing HTTP Headers
  • SSL/TLS best practices
  • Denial of Service and brute forcing attacks
  • Physical attacks against offices and data centers
  • Social engineering of our service desk, employees or contractors
  • Compromise of OVH user or employee accounts
  • Use of a tool that generates a significant volume of traffic
  • Any hypothetical flaw or best-practice finding without an exploitable proof of concept (PoC)
  • Session timeout
  • Click-jacking
  • Rate-limiting
  • DKIM/SPF/DMARC issues

Hunters collaboration

When submitting a new report, you can add up to 5 collaborators and define the reward split ratio.

For more information, see help center.
Note: For reports that have already been rewarded, it is not possible to redistribute the rewards.