CenturyLink Public Cloud Bug Bounty Program

Bug Bounty Scope

The following websites are within the scope of the program:

Non-Intrusive Submissions Handling

The following section encompasses submission of the vulnerabilities that do not require intrusive testing as per Open Bug Bounty rules:

General Requirements:

Only Domains under ctl.io are allowed as CenturyLink proper does not currently have a BugBounty program. Any reports regarding CenturyLink, Level3, or any other business units of CenturyLink should not be reported to this program.

Testing Requirements:

All vulnerabilities should be verified and not results of an automated tool. Automated tools should also be avoided so that a denial of service isn't created against our services. We are not interested in reports about

* Software version disclosure
* Attempts to physically access our offices or data centers
* Social engineering attempts on our staff or experts including phishing emails
* Vulnerabilities in a vendor we integrate with
* Email infrastructure, particularly our use of (or lack of) SPF, DKIM and DMARC.
* Use of automated tools that could generate significant traffic and possibly impair the functioning of our application
* Vulnerabilities that cannot be reproduced

We are interested in

* Cross-Site-Scripting (XSS)
* Cross-Site Request Forgery (CSRF)
* Clickjacking
* Open forwards / Open redirects
* Datastore/SQL Injection
* Remote Code Execution
* Directory Traversal
* Content Spoofing
* Denial of Service not relating to a distributed attack

Please provide a detailed description and steps to reproduce your finding.

Possible Awards:

We can offer recognition and in the most critical cases, offer some level of free credits towards a CenturyLink Public Cloud account. You should already have an account created or be able to create an account so that we can apply the credits properly. Credits are not a guaranteed reward.

Special Notes:

Everyone is eligible for $500 in free trial credits initially. See https://www.ctl.io/knowledge-base/general/centurylinkcloud/free-trial-faq/ for details. If you disclose NEW findings we may be able to credit your account accordingly.

All accounts must be verifiable and not used for any fraudulent activity. Account holders must also remain in compliance with our Acceptable Use Policy. While testing against one's own account may be necessary, attempting to access any account that is not yours is a violation of our AUP. If you discover a vulnerability that would give you access to another account or data for another account. Please stop testing and notify us immediately so that we can validate and remediate the findings.

Other Submissions Handling