Barracuda Networks Security Bug Bounty Program

Q) What products are in scope?

A) The following security products by Barracuda Networks:

Other Barracuda Networks products are not currently in scope. The scope for now is limited to the Appliance form factor of each product listed above, and not any related service or SaaS version. Only the most recent generally available version of each product qualifies.

Q) Do you have test boxes I can use?

A) We encourage researchers to secure and test using their own physical appliances. However, for those who do not have their own appliances, we have made several virtual appliances for some of the products available for common use. These are the only systems authorized for use under the bounty program. Research on other systems will be excluded from receiving compensation under the program. Barracuda Networks makes no representation regarding the availability or state of these virtual appliances and reserves the right to update, change, or remove them at its sole discretion.

NOTE: All Barracuda Networks, Inc. systems and services not listed above are explicitly excluded from the bounty program. Any researcher seeking to perform vulnerability testing upon excluded systems must have prior written consent from the VP of Engineering at Barracuda Networks, Inc. We will legally pursue researchers conducting vulnerability testing on excluded systems without prior written consent.

Q) What classes of bug are in scope?

A) The following bugs and attack types are excluded:

Use of automated testing tools; social engineering; denial of service; physical attacks; attacks against Barracuda Networks’ customers; attacks against Barracuda Networks’ corporate infrastructure or demo servers.

Bug types that are in scope include those that compromise confidentiality, availability, integrity or authentication. For example: remote exploits, privilege escalation, persistent cross-site scripting, code execution, command injection.

Q) How do I report a vulnerability?

A) Please report vulnerabilities via email to BugBounty@barracuda.com using the PGP key at www.barracudalabs.com/bugbountypgp.txt.

Q) How soon should I expect a response?

A) Please allow 3-5 business days from your submission for us to reproduce your report and analyze its severity.

Q) What is the bounty?

A) The bounty starts at $50 for qualifying bugs, and will only be awarded if all terms of the program are satisfied including the confidentiality restriction. The Barracuda review panel may reward up to $3,133.7 for particularly severe bugs. You may opt to donate your bounty to a charity. Additionally, we will credit your work as a bug/vulnerability reporter if you desire. Only the first report of a bug qualifies. (Why $3,133.7? The number pays homage to “eleet”. This is used by some in the security community as slang for elite and is sometimes referred to as 31337.)

Bug Bounty payments will be made by wire transfer or check, in US$ only.

Q) What is the disclosure requirement?

A) To qualify for the bug bounty, the bug must be disclosed to only Barracuda Networks. Once the issue is fixed, you will be able to publicly disclose the issue.

Q) Do you have a Hall of Fame like other vendors do?

A) Researchers who responsibly report confirmed issues to us are recognized here.

Q) And now a message from our legal team…

A) This program is not open to minors, individuals on sanctions lists or individuals in countries on sanctions lists. You are responsible for any tax implications or additional restrictions depending on your country and local law. Barracuda Networks strictly complies with US export laws and regulations. Persons and entities in countries embargoed by the US government or denied from accessing US technology are prohibited from accessing Barracuda Networks systems and participating in this program. We reserve the right to cancel this program at any time and the decision to pay a reward is entirely at our discretion. The decision of Barracuda Networks is final and non-appealable. This offer is void where prohibited by law and in participating, you must not violate any law. You also must not disrupt any service or compromise anyone’s data.

Thank you for your interest in the Barracuda Security Bug Bounty Program and for helping Barracuda Networks make our products more secure.