AT&T is always working to improve the security of our products. You, the AT&T Cybersecurity community, aid our ability to deliver secure software for our customers by informing us of security issues — so thank you!
Have you discovered a security vulnerability? Disclose it to us through the AT&T Bug Bounty Program managed by HackerOne. You can find detailed information of program guidelines, program exclusions, program terms and conditions, reporting process, and awarding process on this page.
What Vulnerability Information Are We Looking For?
When submitting an issue, please provide a technical description that allows us to assess exploitability and impact of the issue, and include the following where appropriate:
- Provide steps and any additional information we may need to reproduce the issue.
- If you are reporting cross-site scripting (XSS), your exploit should at least pop up an alert in the browser. It is much better if the XSS exploit shows the user's authentication cookie.
- For a cross-site request forgery (CSRF), use a proper CSRF case when a third party causes the logged-in victim to perform an action.
- For a SQL injection, we want to see the exploit extracting database data, not just producing an error message.
- HTTP request / response captures or simply packet captures are also very useful to us.
Please refrain from sending us links to non-AT&T Cybersecurity websites, or issues in PDF / DOC / EXE files. Image files are OK. Make sure the bug is exploitable by someone other than the user ("self-XSS").
Note: We are unable to respond to generic scanner reports. If you have had a security practitioner examine a generic scan report and they have isolated specific vulnerabilities that need to be addressed, we request that you report them individually.
Feedback