Dailymotion’s Vulnerability Disclosure Policy
Foreword
Security is one of Dailymotion’s core values. We highly value the time and effort invested in good faith by security researchers in helping us build a more secure platform for our partners and users.
As such, we encourage the responsible disclosure of vulnerabilities related to Dailymotion’s products, websites and APIs. This Policy sets out the rules under which we expect the research and reporting of vulnerabilities to be conducted, as well as what you can expect from us in return.
If you are a security researcher, a user or a partner, and have discovered a security vulnerability in our platform, we appreciate your help in disclosing it to us in a responsible manner.
Communication
If you would like to report a security issue, you may do so using any of the following channels:
- Our public bug bounty program on YesWeHack; please make sure you review the program rules and perimeter before submitting in order to know if your submission is eligible for a reward.
- An email addressed to security@dailymotion.com, if you are not interested in a reward or if your issue is not in our program’s scope.
If you think you’ve found a vulnerability, please do not publicly disclose these details outside of this process without explicit permission. Please do your best to include with your report the following details and be as descriptive as possible:
- Vulnerability Location & Type - The exact location (vulnerable URLs and parameters, if possible fully qualified domain name _and_ IP address of the endpoint) and the nature of the vulnerability;
- Steps to Reproduce - A detailed description of the steps required to reproduce the vulnerability (screenshots, compressed screen recordings, and proof-of-concept scripts are all helpful);
- Attack Scenario - A relevant example attack scenario explaining the prerequisites to the attack, and its exact impact in a realistic context.
Ground rules
In order to avoid any confusion between good-faith security research and fraudulent or malicious behaviors, we ask you to comply with the following rules when looking for, testing and reporting vulnerabilities:
- Take all reasonable measures to only interact with test accounts you have created on the platform;
- Do not use physical attacks on our security, social engineering, distributed denial of service, spam or applications of third parties;
- If you manage to gain unauthorized access to any data or systems, limit the amount of data or privileges you gain access to, to only the minimum required for effectively demonstrating a proof of concept. Also, cease testing and submit a report immediately if you encounter any personally identifiable information or proprietary information during testing. When in doubt, we will rate the vulnerability severity based on the worst case scenario;
- Avoid violating the privacy of others, disrupting our systems, destroying data, or harming user experience;
- Report any vulnerability you’ve discovered promptly (i.e. within days, not weeks);
- Only use the specified communication channels listed below to discuss or report vulnerability information to us and provide sufficient information so we will be able to resolve the vulnerability as quickly as possible (see Section 8 below for further information);
- Do not disclose vulnerabilities you've discovered publicly or to any third-party until we have formally authorized you to do so in writing;
- Obviously, do not engage in any fraudulent exploitation of the vulnerability, in any form, with us, our partners or our users.
Expectations
When working with us according to this Policy, you can expect us to:
- Work to remedy discovered vulnerabilities in a timely manner;
- Handle your report with confidentiality and respect written requests for anonymity.
Legal Matters
When conducting vulnerability research in good faith and in accordance with the terms specified in this Policy, we consider this research to be:
- Lawful and in accordance with applicable state laws relating to computer fraud. We will not bring any claim against you for circumvention of technology controls;
- Exempt from restrictions in our Terms of Use only to the extent that they would interfere with conducting security research.
We won’t take legal action against, suspend, or terminate access to our platform for those who discover and report security vulnerabilities responsibly. Dailymotion reserves all of its legal rights in the event of any noncompliance.
If at any time you have concerns or are uncertain whether your security research is consistent with this Policy, please submit a report through one of our above-mentioned communication channels before going any further.
Last updated: January 1, 2022