TeamViewer - Bounty Program
The TeamViewer suite of remote connectivity, augmented reality, IT management, and customer-first engagement solutions empowers you to connect to any device to support anyone, any process, or anything — from anywhere, anytime.
Company
TeamViewer Germany GmbH is the market leader for remote control.
It has been installed over 2.3 billion times on every type of operating system and provides connectivity for anyone, anywhere, anytime.
Program Rules
- We strongly believe in the crowd-testing and responsible-disclosure model. It helps the industry, protects users and contributes to making the internet a safer place.
- If you believe you've found a security vulnerability in our service, we are happy to work with you to resolve the issue promptly and ensure that you are fairly rewarded for your discovery.
- Any type of denial-of-service attack is strictly forbidden, as is any interference with network equipment and TeamViewer Germany GmbH infrastructure. Your work should be non-destructive and remain within a proof-of-concept framework.
Eligibility and Responsible Disclosure
- We are happy to thank everyone who submits valid reports which help us improve the security of TeamViewer Germany GmbH; however, only those that meet the following eligibility requirements may receive a monetary reward:
- You must be the first reporter of a vulnerability.
- The vulnerability must be a qualifying vulnerability (see below).
- Any vulnerability found must be reported no later than 24 hours after discovery and exclusively through yeswehack.com.
- You must send a clear textual description of the report along with steps to reproduce the issue, and include attachments such as screenshots or proof-of-concept code as necessary.
- You must avoid tests that could cause degradation or interruption of our service (refrain from using automated tools and limit your requests per second).
- You must not leak, manipulate, or destroy any user data.
- You must not be a former or current employee of TeamViewer Germany GmbH nor one of its contractors.
- Reports about vulnerabilities are examined and validated by our security analysts.
Scope details
For now, the scope of this program is limited to the following:
TeamViewer Remote
- TeamViewer Remote Client: the TeamViewer Remote desktop client. Available for free download here: https://www.teamviewer.com/en/products/teamviewer/
- web.teamviewer.com: the web version of the client
- account.teamviewer.com: the associated login service
- login.teamviewer.com: the management console of TeamViewer Remote
- TeamViewer Remote Control App: the mobile version of the TeamViewer client. Available for Android and iOS.
- TeamViewer QuickSupport App: a mobile client only for incoming remote sessions. Available for Android and iOS.
- TeamViewer Host App: a mobile app for unattended access to a mobile device. Only available for Android.
Backend services you might directly interact with from the client app are considered part of the scope.
Reports of leaks and exposed credentials
In the context of this program, we do not accept or reward reports of leaks that are not applicable to our program’s scope and identified outside of our program’s scope.
Also, in order not to encourage dark and grey economies, in particular the purchase, resale and trade of identifiers or stolen information, as well as all types of dangerous behavior (e.g. social engineering, ...), we will not accept or reward any report based on information whose source is not the result of failure on the part of our organization or one of our employees/service providers.
To summarize our policy, you may refer to this table:
Type of leak | Source of leak is in-scope | Source of leak belongs to TeamViewer but is out-of-scope | Source of leak does not belong to TeamViewer and is out-of-scope |
---|---|---|---|
Impact is in-scope (e.g. valid credentials on an in-scope asset) | Eligible | Eligible | Not eligible |
Impact is out-of-scope (e.g. valid credentials for an out-of-scope asset) | Eligible | Not eligible | Not eligible |
This excludes, but is not limited to:
- Stolen credentials gathered from unidentified sources
- Exposed credentials that are not applicable on the program’s scope
- Exposed GitHub/GitLab (or similar) instance with no direct relation with our program’s scope
- Exposed secrets (e.g. API tokens/keys or other technical credentials) that are not directly related to the program’s scope
- Exposed PII on an out-of-scope asset
Important precautions and limitations
As a complement to the Program's rules and testing policy:
- DO NOT alter compromised accounts by creating, deleting or modifying any data
- DO NOT use compromised accounts to search for post-auth vulnerabilities (they won’t be eligible anyway)
- DO NOT include Personally Identifiable Information (PII) in your report and please REDACT/OBFUSCATE the PII that is part of your PoC (screenshot, server response, JSON file, etc.) as much as possible.
- In case of exposed credentials or secrets, limit yourself to verifying the credentials validity
- In case of sensitive information leak, DO NOT extract/copy every document or data that is exposed and limit yourself to describing and listing what is exposed.
Reward
Asset value | CVSS Low | CVSS Medium | CVSS High | CVSS Critical
---|---|---|---|---
| €200 | €1,000 | €4,000 | €10,000
| €100 | €500 | €2,000 | €5,000
Scopes
Scope | Type
---|---
https://www.teamviewer.com/en/products/teamviewer/ | application
https://web.teamviewer.com | web-application
https://account.teamviewer.com | web-application
https://login.teamviewer.com | web-application
https://play.google.com/store/apps/details?id=com.teamviewer.teamviewer.market.mobile&hl=en&gl=US | mobile-application-android
https://play.google.com/store/apps/details?id=com.teamviewer.quicksupport.market&hl=en&gl=US | mobile-application-android
https://play.google.com/store/apps/details?id=com.teamviewer.host.market&hl=en&gl=US | mobile-application-android
https://apps.apple.com/de/app/teamviewer-remote-control/id692035811 | mobile-application-ios
https://apps.apple.com/de/app/teamviewer-quicksupport/id661649585 | mobile-application-ios
Out of scope
- All domains not listed as in-scope
Vulnerability types
Qualifying vulnerabilities
- Remote code execution (RCE)
- Local files access and manipulation (LFI, RFI, XXE, SSRF, XSPA, Directory Traversal)
- Code injections (HTML, JS, SQL, ...)
- Cross-Site Scripting (XSS)
- Cross-Site Request Forgery (CSRF) with real security impact
- Open redirect
- Broken authentication & session management
- Insecure direct object references
- CORS with real security impact
- Horizontal and vertical privilege escalation
- Exploitable/insecure cryptographic implementation in the code
- Exposed or hard-coded secrets from other clients
- Session Fixation
- Broken Access Controls
Non-qualifying vulnerabilities
- Tabnabbing
- Leaked User IDs
- Missing cookie flags
- Content/Text injections
- Mixed content warnings
- Clickjacking/UI redressing
- Denial of Service (DoS) attacks
- Known CVEs without working PoC
- Open ports without real security impact
- Social engineering of staff or contractors
- Presence of autocomplete attribute on web forms
- Vulnerabilities affecting outdated browsers or platforms
- Self-XSS or XSS that cannot be used to impact other users
- Outdated libraries without a demonstrated security impact
- Any hypothetical flaw or best practices without exploitable PoC
- Expired certificate, best practices and other related issues for TLS/SSL certificates
- Unexploitable vulnerabilities (ex: XSS or Open Redirect in HTTP Host Header)
- Reports with attack scenarios requiring MITM or physical access to victim's device
- Missing security-related HTTP headers which do not lead directly to a vulnerability
- Unauthenticated / Logout / Login and other low-severity Cross-Site Request Forgery (CSRF)
- Invalid or missing SPF (Sender Policy Framework), DKIM, DMARC records
- Session expiration policies (no automatic logout, invalidation after a certain time or after a password change)
- Disclosure of information without direct security impact (e.g. stack traces, path disclosure, directory listings, software versions, IP disclosure, 3rd party secrets)
- CSV injection
- HTTP Strict Transport Security Header (HSTS)
- Subdomain takeover without a full working PoC
- Blind SSRF without direct impact (e.g. DNS pingback)
- Lack of rate-limiting, brute-forcing or captcha issues
- User enumeration (email, alias, GUID, phone number)
- Password requirements policies (length / complexity / reuse)
- Ability to spam users (email / SMS / direct messages flooding)
- Disclosed / misconfigured Google API key (including Google Maps)
- Recently disclosed 0-day vulnerabilities (less than 45 days since patch release)
- Password reset token leak on a trusted third-party website via the Referrer header (e.g. Google Analytics, Facebook, ...)
- Task Hijacking
- Crashing your own application
- Lack of client-side protections on mobile binaries: SSL pinning/binary protection/code obfuscation/jailbreak detection/root detection/anti-debugging controls/ etc
- Lack of encryption on internal databases/preference files on mobile device
- Exploits that are only possible on Android versions that are no longer supported at the time the vulnerability report is submitted
- Exploits that are only possible on iOS versions that are no longer supported at the time the vulnerability report is submitted
- Exploits that are only possible on a jailbroken device
- Generic Android or iOS vulnerabilities
- Stolen secrets, credentials or information gathered from a third-party asset that we have no control over
- Exposed secrets, credentials or information on an asset under our control that are not applicable to the program’s scope
- Automated reports from Pen testing tools (Burp Suite, etc.) that have not been validated
- Reports from automated web vulnerability scanners (Acunetix, Vega, ZAP, etc.) that have not been validated
- Vulnerabilities in client versions prior to the latest version
Hunting requirements
Account access
Download and use the binary from https://www.teamviewer.com/en/products/teamviewer
For the Web Version go to: https://web.teamviewer.com
Login Service: https://account.teamviewer.com
Management Console (MCO): https://login.teamviewer.com
Android Apps: https://play.google.com/store/apps/developer?id=TeamViewer&hl=en&gl=US&pli=1
TeamViewer Remote Control
TeamViewer QuickSupport
TeamViewer Host
iOS Apps:
TeamViewer Quick Support: https://apps.apple.com/us/app/teamviewer-quicksupport/id661649585
TeamViewer Remote Control: https://apps.apple.com/us/app/teamviewer/id692035811
Hunters collaboration
When submitting a new report, you can add up to 5 collaborators and define the reward split ratio.
For more information, see the help center.
Note: For reports that have already been rewarded, it is not possible to redistribute the rewards.