A spokesperson for FireEye said: “While we’ve been heavily involved with responsible disclosure, including helping other companies set up and modify their own programs, we are taking the next step in this effort.”
Over the coming months, researchers will be invited to seek out weaknesses in FireEye’s products, services, business applications, and infrastructure security. Cash rewards ranging from $50 to $2,500 will be offered per vulnerability detected.
Vulnerabilities submitted as part of the program will typically be accepted or rejected within 5 days.
A spokesperson for the company said: “As security researchers ourselves, FireEye understands the importance of investigating and responding to security issues. We also realize that despite our efforts to eradicate security vulnerabilities from our products and services, there will always be emerging threats, new vulnerabilities, and opportunities to improve.
“To that end, FireEye believes wholeheartedly in embracing the public research community when security issues are discovered and working with security researchers to fix the identified issue and remediate any related and/or underlying systemic issues to further improve our security posture.”
Threats are split into four different levels of technical severity ranging from low to critical. The program will use the Bugcrowd Vulnerability Rating Taxonomy for the initial prioritization/rating of findings.
Website testing targets listed in the scope include fireeye.com, fireeye.market, fireeye.dev, mandiant.com, flare-on.com, and cloudvisory.com. Third-party products that may be used by FireEye as well as FireEye systems or products in AWS GovCloud are not within the scope.
Bug bounty hunters have been warned by the company not to perform research on FireEye products licensed, owned, or operated by a FireEye customer without their express permission.
Researchers who prefer not to receive payment for their work, or who wish to report product- or services-related findings, can do so via the FireEye Responsible Disclosure program that is also managed by Bugcrowd.