Responsible Disclosure Policy
At AOL, we consider the security of our systems — and our users — a top priority. But no matter how much effort we put into system security, there can still be vulnerabilities present. If you discover a vulnerability, we would like to know about it so we can take steps to address it as quickly as possible. Submit your findings by using our Responsible Disclosure Form hosted by HackerOne.
What we ask of you
If you believe you have discovered a security vulnerability in an AOL service, please do the following:
- Submit your findings by using our Responsible Disclosure Form hosted by HackerOne.
- Do not take advantage of the vulnerability or problem you have discovered. In particular, you must not access, download, exfiltrate or modify data beyond what is strictly necessary to demonstrate the vulnerability.
- You must not access or attempt to access accounts belonging to other users under any circumstances. Testing must be performed exclusively on accounts that you own.
- If the vulnerability involves personal data, you must not access or process such data, except to the extent strictly necessary to report the issue. You must not store, copy, or share any such data. This is critically important, so let us emphasize it: do not interact with the data in question more than is necessary to notify us.
- Do not reveal the problem to others until it has been resolved.
- Do not use attacks on physical security, social engineering, distributed denial of service (or any attack using large volumes of requests), spam, or attacks against third-party applications.
- Please provide sufficient information to reproduce the problem so we can resolve it as quickly as possible. Usually, the IP address or URL of the affected system and a description of the vulnerability will be sufficient, but complex vulnerabilities may require further explanation.
Ideally, a reported vulnerability will be achievable without physical access to a target’s device.
In addition, while we welcome disclosure reports from automated tools/scans, we cannot offer a reward.
What we promise
- We thank you for your help in making AOL more secure.
- We will respond to an accepted report within 5 business days with our evaluation of the report.
- As long as you act in good faith and comply with this policy and applicable laws, we will not take any legal action against you in regard to the report, nor pass on your personal details to third parties without your permission.
- We will keep you informed of the progress towards resolving the problem.
- In the public information concerning the problem reported, we will give your name as the discoverer of the problem (unless you desire otherwise).
Recognition and remuneration
For accepted reports we may provide a financial reward. This reward will be based on the quality of the disclosure and nature of the vulnerability. Rewards are granted entirely at our discretion, and may be reduced or declined if there is evidence of abuse. Automated scans are not eligible for rewards.
Questions
If you have any questions regarding this Responsible Disclosure Policy, get in touch by sending an e-mail to security@teamaol.com.