Powered by:
Allows bounty splitting:
Average time to first program response: 10
Average time to bounty awarded null: 574
Average time to report resolved: 5379
Handle: vimeo
Managed program: true
Name: Vimeo
Offers bounties: true
Offers swag: false
Response efficiency percentage: 90
Submission state: open
Url: https://hackerone.com/vimeo
Website: https://vimeo.com
In scope:

Asset identifier: *.cloud.vimeo.com
Asset type: URL
Availability requirement: medium
Confidentiality requirement: medium
Eligible for bounty: true
Eligible for submissions: true
Instruction: Upload endpoints such as *.cloud.vimeo.com
Integrity requirements: medium
Max severity: critical

Asset identifier: *.livestream.com
Asset type: URL
Availability requirement:
Confidentiality requirement:
Eligible for bounty: true
Eligible for submissions: true
Instruction:
Integrity requirements:
Max severity: critical

Asset identifier: *.magisto.com
Asset type: URL
Availability requirement:
Confidentiality requirement:
Eligible for bounty: true
Eligible for submissions: true
Instruction: **EXCEPTION** - Subdomains owned/controlled/managed/etc by a 3rd party.
Integrity requirements:
Max severity: critical

Asset identifier: *.new.livestream.com
Asset type: URL
Availability requirement:
Confidentiality requirement:
Eligible for bounty: true
Eligible for submissions: true
Instruction:
Integrity requirements:
Max severity: critical

Asset identifier: *.vhx.tv
Asset type: URL
Availability requirement:
Confidentiality requirement:
Eligible for bounty: true
Eligible for submissions: true
Instruction: **EXCEPT for community.vhx.tv, 3rd party sites and EXCEPT a single-customer configured site** The vulnerability must affect every site in order to be valid.
Integrity requirements:
Max severity: critical

Asset identifier: *.vimeo.com
Asset type: URL
Availability requirement:
Confidentiality requirement:
Eligible for bounty: true
Eligible for submissions: true
Instruction: See scope/program for more definitive information. Does not include 3rd parties under vimeo.com domain names. Subject to realization we missed one.
Integrity requirements:
Max severity: critical

Asset identifier: 1491791513
Asset type: APPLE_STORE_APP_ID
Availability requirement:
Confidentiality requirement:
Eligible for bounty: true
Eligible for submissions: true
Instruction:
Integrity requirements:
Max severity: critical

Asset identifier: 425194759
Asset type: APPLE_STORE_APP_ID
Availability requirement: medium
Confidentiality requirement: medium
Eligible for bounty: true
Eligible for submissions: true
Instruction:
Integrity requirements: medium
Max severity: critical

Asset identifier: 486781045
Asset type: APPLE_STORE_APP_ID
Availability requirement:
Confidentiality requirement:
Eligible for bounty: true
Eligible for submissions: true
Instruction:
Integrity requirements:
Max severity: critical

Asset identifier: 493086499
Asset type: APPLE_STORE_APP_ID
Availability requirement:
Confidentiality requirement:
Eligible for bounty: true
Eligible for submissions: true
Instruction:
Integrity requirements:
Max severity: critical

Asset identifier: Livestream software (Producer, Studio)
Asset type: OTHER
Availability requirement:
Confidentiality requirement:
Eligible for bounty: true
Eligible for submissions: true
Instruction: Out of scope: any attacks of the install process, that require additional configuration files, dll, etc that are put onto the machine via virus, malware, confidence, etc.
Integrity requirements:
Max severity: critical

Asset identifier: VHX Branded Customer Android Apps
Asset type: OTHER
Availability requirement:
Confidentiality requirement:
Eligible for bounty: true
Eligible for submissions: true
Instruction: **Vulnerabilities must affect ANY/ALL VHX branded Android apps and not just a single VHX customer app**
Integrity requirements:
Max severity: critical

Asset identifier: VHX Branded Customer Roku Apps
Asset type: OTHER
Availability requirement:
Confidentiality requirement:
Eligible for bounty: true
Eligible for submissions: true
Instruction: **Vulnerabilities must affect ANY/ALL VHX branded Roku apps and not just a single VHX customer app**
Integrity requirements:
Max severity: critical

Asset identifier: VHX Branded Customer iOS Apps
Asset type: OTHER
Availability requirement:
Confidentiality requirement:
Eligible for bounty: true
Eligible for submissions: true
Instruction: **Vulnerabilities must affect ANY/ALL VHX branded iOS apps and not just a single VHX customer app**
Integrity requirements:
Max severity: critical

Asset identifier: api.vhx.tv
Asset type: URL
Availability requirement:
Confidentiality requirement:
Eligible for bounty: true
Eligible for submissions: true
Instruction:
Integrity requirements:
Max severity: critical

Asset identifier: api.vimeo.com
Asset type: URL
Availability requirement: medium
Confidentiality requirement: medium
Eligible for bounty: true
Eligible for submissions: true
Instruction:
Integrity requirements: medium
Max severity: critical

Asset identifier: applause1.magisto.com
Asset type: URL
Availability requirement:
Confidentiality requirement:
Eligible for bounty: true
Eligible for submissions: true
Instruction:
Integrity requirements:
Max severity: critical

Asset identifier: channelstore.roku.com/details/48061/vhx
Asset type: OTHER
Availability requirement:
Confidentiality requirement:
Eligible for bounty: true
Eligible for submissions: true
Instruction: Roku App
Integrity requirements:
Max severity: critical

Asset identifier: checkout.vimeo.com
Asset type: URL
Availability requirement:
Confidentiality requirement:
Eligible for bounty: true
Eligible for submissions: true
Instruction: This is an S3 bucket behind a CDN. We will be responsible for things WE can control about this (Content, S3 permissions, CDN headers, etc). For items beyond our control, those are not in scope.
Integrity requirements:
Max severity: critical

Asset identifier: com.livestream.livestream
Asset type: GOOGLE_PLAY_APP_ID
Availability requirement:
Confidentiality requirement:
Eligible for bounty: true
Eligible for submissions: true
Instruction:
Integrity requirements:
Max severity: critical

Asset identifier: com.magisto
Asset type: GOOGLE_PLAY_APP_ID
Availability requirement:
Confidentiality requirement:
Eligible for bounty: true
Eligible for submissions: true
Instruction:
Integrity requirements:
Max severity: critical

Asset identifier: com.vimeo.android.videoapp
Asset type: GOOGLE_PLAY_APP_ID
Availability requirement: medium
Confidentiality requirement: medium
Eligible for bounty: true
Eligible for submissions: true
Instruction:
Integrity requirements: medium
Max severity: critical

Asset identifier: com.vimeocreate.videoeditor.moviemaker
Asset type: GOOGLE_PLAY_APP_ID
Availability requirement:
Confidentiality requirement:
Eligible for bounty: true
Eligible for submissions: true
Instruction:
Integrity requirements:
Max severity: critical

Asset identifier: donations.livestream.com
Asset type: URL
Availability requirement:
Confidentiality requirement:
Eligible for bounty: true
Eligible for submissions: true
Instruction:
Integrity requirements:
Max severity: critical

Asset identifier: embed.vhx.tv
Asset type: URL
Availability requirement:
Confidentiality requirement:
Eligible for bounty: true
Eligible for submissions: true
Instruction:
Integrity requirements:
Max severity: critical

Asset identifier: magisto.com,www.magisto.com
Asset type: URL
Availability requirement:
Confidentiality requirement:
Eligible for bounty: true
Eligible for submissions: true
Instruction:
Integrity requirements:
Max severity: critical

Asset identifier: player.vimeo.com
Asset type: URL
Availability requirement: medium
Confidentiality requirement: medium
Eligible for bounty: true
Eligible for submissions: true
Instruction:
Integrity requirements: medium
Max severity: critical

Asset identifier: staging.magisto.com
Asset type: URL
Availability requirement:
Confidentiality requirement:
Eligible for bounty: true
Eligible for submissions: true
Instruction:
Integrity requirements:
Max severity: critical

Asset identifier: vhx.tv
Asset type: URL
Availability requirement:
Confidentiality requirement:
Eligible for bounty: true
Eligible for submissions: true
Instruction: The VHX homepage at vhx.tv redirects to a login page at ott.vimeo.com. Please submit these reports to the VHX program.
Integrity requirements:
Max severity: critical

Asset identifier: vimeo.com/api
Asset type: URL
Availability requirement: medium
Confidentiality requirement: medium
Eligible for bounty: true
Eligible for submissions: true
Instruction: Legacy API endpoints such as vimeo.com/api
Integrity requirements: medium
Max severity: critical

Asset identifier: vimeo.com/create
Asset type: URL
Availability requirement:
Confidentiality requirement:
Eligible for bounty: true
Eligible for submissions: true
Instruction:
Integrity requirements:
Max severity: critical

Asset identifier: vimeo.com/ondemand
Asset type: URL
Availability requirement:
Confidentiality requirement:
Eligible for bounty: true
Eligible for submissions: true
Instruction: Vimeo On Demand hosted sites: https://vimeo.com/ondemand
Integrity requirements:
Max severity: critical

Asset identifier: vimeo.magisto.com
Asset type: URL
Availability requirement:
Confidentiality requirement:
Eligible for bounty: true
Eligible for submissions: true
Instruction: Only as it integrates with Vimeo. For anything about it itself, please report on the Magisto program
Integrity requirements:
Max severity: critical

Asset identifier: vimeopro.com
Asset type: URL
Availability requirement: medium
Confidentiality requirement: medium
Eligible for bounty: true
Eligible for submissions: true
Instruction: Vimeo Pro portfolios hosted on vimeopro.com
Integrity requirements: medium
Max severity: critical

Asset identifier: www.livestream.com
Asset type: URL
Availability requirement:
Confidentiality requirement:
Eligible for bounty: true
Eligible for submissions: true
Instruction:
Integrity requirements:
Max severity: critical

Asset identifier: www.vimeo.com
Asset type: URL
Availability requirement: medium
Confidentiality requirement: medium
Eligible for bounty: true
Eligible for submissions: true
Instruction:
Integrity requirements: medium
Max severity: critical