Responsible Disclosure Program

The information on this page is intended for security researchers interested in responsibly reporting security vulnerabilities to the CBRE security team.

CBRE earned its position as the world’s leading commercial real estate services and investment firm by doing business according to the highest standards and living out our values of Respect, Integrity, Service and Excellence. These values permeate all aspects of our business, including our efforts to protect the privacy and security of our employees, clients, investors, suppliers and others. We invite you to help us bolster our ongoing efforts to safeguard our systems and data by reporting any vulnerabilities you may find through our Responsible Disclosure Program.

Responsible Disclosure

We are excited to work with HackerOne and the hacker community to help keep CBRE’s systems and data safe. If you believe you have identified a potential security vulnerability, please share it with us following the guidelines below.

Please note that CBRE’s public vulnerability disclosure program does not offer a reward or compensation for sharing potential security vulnerabilities. We do, however, have a private bug bounty program with a limited scope.

Guidelines

  • Do not engage in any actions that could negatively impact the user experience on our websites or applications for CBRE clients/customers.
  • Do not take any actions that could potentially or literally cause harm to our clients or employees.
  • Do not engage in any activity that violates (a) federal or state laws or regulations or (b) the laws or regulations of any country where (i) data, assets or systems reside, (ii) data traffic is routed or (iii) the researcher is conducting research activity.
  • Do not store, share, compromise or destroy any CBRE or client data. If non-public information is encountered, you should immediately cease all activity, purge the data from your system and contact CBRE. This serves to protect both CBRE and you.
  • Provide CBRE a reasonable time frame for fixing or remediating any issue prior to public disclosure.

Safe Harbor

Any submissions made in a manner consistent with these guidelines will be considered authorized conduct, and CBRE will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

CBRE commits to responding to all submissions within two business days. We will do our best to keep you apprised of the status of all your submissions.

Reporting Criteria

For all submissions, please include the following:

  • Steps to reproduce the vulnerability (screen captures are welcome)
  • Targets
  • Tools used

Valuable Vulnerabilities

  • Remote Code Execution
  • SQL Injection
  • Privilege Escalation to Admin Level
  • XML Injection
  • Insecure Direct Object Reference

Sample Valuable Vulnerability Report

Authentication bypass was found on a mobile-to-web application. Access to certain functions was disabled by client-side JavaScript. By removing the necessary variables, a user can use features that were previously restricted.

Out-of-Scope Vulnerabilities

The following vulnerabilities are considered out of scope for CBRE’s Responsible Disclosure Program:

  • Physical testing, including IoT and IIoT devices, BMS and HVAC environments
  • Social engineering
  • Phishing our employees or clients
  • Denial of service attacks
  • Resource exhaustion attacks

Reporting

To file a report, please visit https://hackerone.com/cbre and click the “Contact Security Team” button at the top of the page.