The Palo Alto Networks Product Security and Incident Response Team (PSIRT) is responsible for coordinating security vulnerability reports related to Palo Alto Networks products and for orchestrating the mitigation of security vulnerabilities in our products. We are a CVE Numbering Authority (CNA) and we cover all Palo Alto Networks products. Please see our Product Security Assurance and Vulnerability Disclosure Policy for more details.
We provide two ways to report security vulnerabilities in Palo Alto Networks products:
- Using the vulnerability report form at https://security.paloaltonetworks.com/report
- Via email to psirt@paloaltonetworks.com. You can optionally encrypt your email using our PGP key (fingerprint: "94D5 EF3A 3E70 FA6B FDD1 86FA 6C62 AA9A 94CE 1643").
Please submit your report to one of the above, ensuring you provide:
- clear and concise details of the vulnerability,
- steps to reproduce the vulnerability, and
- any proof-of-concept code or artifacts you used to discover the vulnerability.
We also encourage you to submit:
- screenshots or videos of the behavior you observe,
- tech support files (TSFs) via support cases,
- logs, and
- other data that you think would be beneficial in our investigation.
If the report is not detailed enough to reproduce the issue, the issue may not be eligible for a reward.
The amount awarded will depend on a number of factors (primarily aspects around the ultimate impact), so we are unable to preemptively share specific reward amounts. With that said, high quality reports with reliable, fully automated proof of concept code will earn higher bug bounty rewards.
To be eligible for a bounty, report a security vulnerability in a Palo Alto Networks product.
Any reports for Palo Alto Networks websites unrelated to product functionality are out of scope. Please report issues related to these websites at https://paloaltonetworks.responsibledisclosure.com.
The following types of issues are out of scope for this bug bounty program:
- Security feature bypasses (aka: false negatives), where no existing signature or existing feature detects a specific instance of an attack.
- Open source software CVEs/3rd party dependency vulnerabilities reported by scanners without demonstrated proof of exploitability.
  - We offer support for such reports for our customers on a case-by-case basis, but they are not eligible for bounty without proof of exploitability.
  - Please see the links below for OSS version information:
- Software bugs with no security impact (as determined by section 4.1 of the CVE Numbering Authority (CNA) Operational Rules). Such bugs should be submitted to https://support.paloaltonetworks.com.
- Theoretical vulnerabilities that require unlikely user interaction or circumstances. For example:
  - Vulnerabilities only affecting users of unsupported or end-of-life browsers or operating systems
  - Broken link hijacking
  - Tabnabbing
  - Content spoofing and text injection issues
  - Self-exploitation, such as self-XSS or self-DoS (unless it can be used to attack a different account)
- Theoretical vulnerabilities that do not demonstrate real-world security impact. For example:
  - Weak ciphers or TLS configurations
  - Clickjacking on pages with no sensitive actions
  - Cross-Site Request Forgery (CSRF) on forms with no sensitive actions (e.g., logout)
  - Permissive CORS configurations without demonstrated security impact
- Information disclosure that does not lead to a tangible security impact. Examples include:
  - Software version disclosure
  - Banner identification issues
  - Verbose error messages (e.g., stack traces, application, or server errors)
  - Sensitive header information
  - Password hash disclosure (unless the password hashing algorithm is demonstrably weak and can lead to practical attacks, such as MD5 collisions)
  - Open redirects (unless you can demonstrate a security impact)
- Optional security hardening steps / missing best practices. For example:
  - SSL/TLS configurations
  - Missing cookie flags (e.g., HttpOnly, Secure, etc.)
  - Content-Security-Policy configuration opinions
- Vulnerabilities that may require hazardous testing. This type of testing must never be attempted unless explicitly authorized:
  - Issues relating to excessive traffic/requests (e.g., DoS, DDoS)
  - Social engineering attacks (e.g., phishing, opening support requests)
  - Attacks that are noisy to users or admins (e.g., spamming notifications or forms)
- Palo Alto Networks does not provide any environments to test our products.
- Palo Alto Networks does not provide any hardware to test our products.
- Please obtain our products through legal means before performing any security testing.
- If you are testing our Software-as-a-Service (SaaS) products, ensure that you are testing on a tenant you own or are authorized to test. Do not test on production environments.
To be eligible for a reward under this program, you must agree to all of the following terms.
In this agreement, "Palo Alto Networks" refers to Palo Alto Networks Inc. and its subsidiaries.
- Participants must be legally permitted to receive bug bounty awards.
- You have not been employed or contracted by Palo Alto Networks within 6 months prior to submitting a report and are not an immediate family member of any Palo Alto Networks employees or contractors (e.g., spouse, domestic partner, child, parent, sibling, etc.).
- You have not had improper access to proprietary source code or the impacted product(s) at any point in time.
- You will coordinate and cooperate with Palo Alto Networks to disclose or publish any information about the report responsibly and in a timely manner.
- For product security concerns, you must not disclose them to anyone other than Palo Alto Networks until after Palo Alto Networks has released a software update and published a security advisory for the reported security vulnerability.
- You agree to test the effectiveness of the Palo Alto Networks solution to remediate issues submitted in the report.
- You have not intentionally accessed any personally identifiable information or data while conducting this research.
- You have made all reasonable good faith efforts to avoid privacy violations and have taken no steps to endanger the data or security of others.
- You have acted in good faith and avoided any malicious or unethical behavior, such as intentionally exploiting vulnerabilities or misleading Palo Alto Networks.
- You have avoided any action that could negatively impact the confidentiality, integrity, or availability of information and systems of either Palo Alto Networks, its business partners, or its customers.
- You have not broken any laws or regulations while conducting this research.
- You agree to appropriately disclose to all relevant parties any potential conflicts of interest associated with your submission and the receipt of bounty awards.
- You are not on any sanctions lists, including those put out by OFAC, the European Union, or any other jurisdiction, and are not employed or affiliated with any organization on the sanctions list at https://sanctionssearch.ofac.treas.gov/.
- You are not a citizen or resident of and are not submitting the report from a country subject to U.S. or European Union sanctions, embargoes, or trade restrictions (e.g., Iran, North Korea, Cuba, and Syria; the Crimea, Donetsk, and Luhansk regions of Ukraine, etc.); see https://ofac.treasury.gov/sanctions-programs-and-country-information.
- You must comply with all applicable laws (including directives, regulations, and ordinances), including those of the country or region in which you reside or in which you download or use Palo Alto Networks products and services.
- The bug bounty award is determined by many factors, including the security impact of the report, its written quality, the timeliness of the reporter's responses and cooperation, CVSSv4 severity, the prevalence of the affected product, feature, or configuration, and prior collaboration in good standing.
- The decision to award an eligible bug bounty reporter and the amount awarded to them is at the exclusive discretion of Palo Alto Networks. A bug bounty award is not compensation for time and effort spent on research or discovery. Any awards not accepted within one year, or waived, shall become ineligible for issuance.
- It is within Palo Alto Networks' rights to make changes to the eligibility criteria and this bug bounty program (including its termination) at any time for any reason and without prior notice.
- If at any point, while testing and researching Palo Alto Networks products, you are unsure if the terms of this agreement are being violated, immediately stop testing and send a message to Palo Alto Networks PSIRT (psirt@paloaltonetworks.com).
- Any recipient determined to be ineligible by our award payment platform vendor is also not eligible for receiving bug bounty awards from Palo Alto Networks.
- A violation of any of these terms and conditions will make the participant ineligible for participation in this bounty program. Any violation of these terms, unprofessional behavior, harassment, including sending threatening or unlawful messages to Palo Alto Networks may be reported to other bug bounty programs and platforms and law enforcement entities.
- You are responsible for the payment of all applicable taxes.