Abacus Research
Bounty Range
$62 - $6,200
external program
Abacus is an owner-managed Swiss software company. The company has been successfully developing business management ERP software for over 35 years - in the areas of finance, human resources, administration and sales, and production and services, among others. Abacus is now the largest and most successful independent Swiss provider of business software for SMEs. The primary goal of the software company is still to develop relevant solutions for its customers.
The organisation operates various platforms and services, but only those on the explicitly listed domains / URLs are in the scope of the program. All other domains, and any services that are not explicitly listed, are not eligible for reward and do not fall under the Legal Safe Harbor Agreement.
By participating in this program, security researchers undertake to document any vulnerability they find exclusively via the platform's designated reporting form and nowhere else. They also agree to keep the vulnerability confidential after reporting it on the platform. Finally, they undertake to upload to the platform any customer data obtained during testing, to delete all local copies afterwards, and not to distribute it further.
In participating in the program, security researchers agree not to use methods that would adversely affect the tested applications or their users. These include:
In addition to the prohibited hacking methods listed above, security researchers must immediately stop vulnerability scanning if they determine that their activity will significantly degrade the operation of the platform or service (a negative impact on regular users or on the operations team).
Any design or implementation problem can be reported that is reproducible and affects security.
Typical examples:
Other examples:
The following vulnerabilities and forms of documentation are generally not wanted and will be rejected:
Abacus-ERP
The Abacus software can be launched either via a client application or directly in the browser. These two environments are called "Abacus-ERP" and "Abacus-ERP Browser Edition".
The functionality is split into smaller "programs" that are started from the AbaMenu. Every program is identified by a letter + number code (e.g. A11, Q908, J6311).
Abacus ERP has an enormous amount of functionality, with over 500 different programs.
To start the ULC Abacus programs you need the client software "abaclient", which can be installed free of charge: https://downloads.abacus.ch/downloads/abaclient
Launch URL - https://bug-bounty1-1.shop.abanet.io/
Abacus-ERP Browser Edition
Abacus-ERP Browser Edition contains around 10% of all programs and does not need the abaclient software. It is the future direction of the product and is under active development. It is built on Vaadin, the same technology as the myAbacus Portal.
Launch URL - https://bug-bounty1-1.shop.abanet.io/
MyAbacus Portal
Server: https://bug-bounty1-1.shop.abanet.io:443
Mandant (client/tenant number): 9999
The below outlines each portal contained within the MyAbacus Portal environment.
HR Portal
The HR portal is intended for employees of the company. Employees can manage their work time, expenses, personal data, holidays and a lot more.
Multiple views all about the employee and their position in the company:
Depending on the position of the employee, different views are visible. The HR Lead can see more details about other employees than the normal workforce can.
Finance Portal
Gives employees access to the company's financial overview. It hosts reports to look into the past or to build budgets for the future.
Multiple views about the company's finances. Only the accounts MyAbacus2 and MyAbacus3 have access.
CRM Portal
The CRM portal gives employees access to the addresses of customers and partners. It also hosts Activity / Lead Management.
Multiple views about Customer Relation Management:
All employees have access to the addresses, activities and leads of the company.
Portal SCM
Multiple views about the company's infrastructure and its order and service management. Service technicians can process fault and maintenance orders and view service object information. Several of these views are visible to the accounts MyAbacus2 and MyAbacus3. Service orders are already created and can be commented on. There is also a PDF sketch application that lets you overlay comments on a PDF file.
ORDE Portal
Allows users to create and manage quotations and sales orders, and supports the further processing of these documents throughout the sales workflow. Multiple views about the company's order management.
Note: HTML injection reports are not eligible for bounty rewards. The ability to inject HTML is an intended feature of our web portals and is used to support dynamic content rendering. Reports solely based on HTML injection without demonstrating a security impact such as cross-site scripting (XSS), privilege escalation, or data leakage will not be considered valid under this program.
Abacus API
Scope Insights (API)
The following points outline technical areas of interest and potential vectors for investigation during the bug bounty program. Participants are encouraged to explore the topics below during their assessment:
API Version Differences - Two major API versions are in use: v1 and v2. Differences in responses, available filters, and data handling between these versions are of particular interest.
OData Query Parameters - OData parameters such as $filter, $expand, and $select are supported and may be entry points for injection-related vulnerabilities. Testing unexpected input patterns is encouraged.
Resource Access and Authorization - Access to specific resources is restricted based on user permissions. However, it is recommended to test whether API calls from other collections can improperly access protected resources.
AbaReport Functionality - The AbaReport feature allows report generation in XML, JSON, and TXT formats. Testing for possible manipulation of report contents, inclusion of unintended data, and abuse of the report generation process is encouraged.
"Other Endpoints" Collection - The REST APIs listed under the "Other Endpoints" collection are not part of the defined bug bounty scope. However, if these endpoints are accessible with the existing user roles, it may indicate gaps in authorization enforcement.
OData Protocol Version - The application implements OData 4.0, whereas the current version of the specification is 4.01. Investigating the differences between the two may uncover exploitable limitations or legacy behaviour in the older version.
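The query-option and authorization points above (v1/v2 differences, how $filter, $select and $expand handle unexpected input, and whether a role receives properties its view should not include) are easier to work through with a small offline helper. The following is an added example written for this brief, not code from Abacus or the bounty platform; the base URL, the entity set Addresses, the property names and the two sample responses are constructed assumptions, and nothing in it contacts a server.

```python
"""Offline helpers for the OData areas of interest listed above.

Added example for this brief, not code from Abacus or the bounty platform.
The base URL, the entity set "Addresses", all property names and both sample
responses below are constructed assumptions; nothing here contacts a server.
"""
from urllib.parse import quote, urlencode

BASE = "https://example.invalid/api/odata"  # placeholder; substitute the in-scope host


def odata_string_literal(value: str) -> str:
    """Quote a string for $filter per OData 4.0: wrap in single quotes and
    escape an embedded single quote by doubling it. A value that is rejected
    when sent this way but accepted raw means the server is not parsing
    string literals the way the specification says."""
    return "'" + value.replace("'", "''") + "'"


def build_query(entity_set: str, *, filter_=None, select=None, expand=None, top=None) -> str:
    """Assemble a collection URL. System query options keep their '$' and the
    filter keeps quotes, commas and parentheses readable; spaces and anything
    else outside the safe set are percent-encoded."""
    params = {}
    if filter_ is not None:
        params["$filter"] = filter_
    if select:
        params["$select"] = ",".join(select)
    if expand:
        params["$expand"] = ",".join(expand)
    if top is not None:
        params["$top"] = str(top)
    return f"{BASE}/{entity_set}?" + urlencode(params, quote_via=quote, safe="$',()/")


def filter_probes(prop: str, value: str) -> list[tuple[str, str]]:
    """Generic malformed-input variants of one equality filter, each with a label.
    The first entry is the well-formed baseline; a correct OData parser should
    answer every other one with a 400. A probe that instead returns data, a 500,
    or a different row set than the baseline deserves a closer look. These are
    standard parser-robustness patterns, not known Abacus issues."""
    lit = odata_string_literal(value)
    return [
        ("baseline", f"{prop} eq {lit}"),
        ("raw_quote", f"{prop} eq '{value}'"),  # embedded ' left unescaped
        ("unterminated", f"{prop} eq '{value}"),
        ("tautology", f"{prop} eq {lit} or 1 eq 1"),
        ("unknown_function", f"nosuchfunc({prop}) eq {lit}"),
    ]


def response_fields(body: dict) -> set[str]:
    """Union of property names over every entity in a collection response."""
    fields: set[str] = set()
    for entity in body.get("value", []):
        fields.update(entity.keys())
    return fields


def diff_fields(a: dict, b: dict) -> dict[str, list[str]]:
    """Properties present in one response but not the other: the same call made
    against v1 and v2, or made as two different roles."""
    fa, fb = response_fields(a), response_fields(b)
    return {"only_in_a": sorted(fa - fb), "only_in_b": sorted(fb - fa)}


def unexpected_fields(body: dict, allowed: set[str]) -> list[str]:
    """Properties a role received that its documented view does not include."""
    return sorted(response_fields(body) - allowed)


# Constructed sample responses standing in for v1 and v2 output of the same call.
V1_RESPONSE = {"value": [{"Id": 1, "Name": "O'Reilly AG", "City": "Wittenbach"}]}
V2_RESPONSE = {"value": [{"Id": 1, "Name": "O'Reilly AG", "City": "Wittenbach", "Notes": "internal"}]}

if __name__ == "__main__":
    for label, f in filter_probes("Name", "O'Reilly AG"):
        print(f"{label:18} {build_query('Addresses', filter_=f, select=['Id', 'Name'])}")
    print(diff_fields(V1_RESPONSE, V2_RESPONSE))
    print(unexpected_fields(V2_RESPONSE, {"Id", "Name", "City"}))
```

Run the same probe list against both API versions and against each test account, then feed the parsed JSON bodies to diff_fields and unexpected_fields; a property that only appears in one version, or only for a role whose view should not include it, is the kind of data-handling or authorization difference the brief asks about.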
OData API
The Abacus API, built on the OData 4.0 specification, exposes core datasets so that customers and third parties can integrate with Abacus ERP in a simple way.
https://apihub.abacus.ch/odata
Impact rating C:H I:H A:H (Confidentiality, Integrity and Availability all High) applies to this asset only.
Other APIs
A collection of API endpoints with widely differing use cases, from service health checks to full mandant (tenant) provisioning. The confidentiality, integrity and availability ratings vary considerably from API to API, because some are only used in hosting environments on secure networks and are not exposed to customers.
https://apihub.abacus.ch/endpoints/notodata
All (sub)domains and services that are not explicitly listed are out of scope.
Everything not listed under https://apihub.abacus.ch/rest, for example ODBC interfaces or AbaConnect, is out of scope.
Also out of scope are all endpoints whose path does not start with "/api/", unless they are explicitly mentioned in the "OData Endpoints" or "Other Endpoints" sections.
Any third-party system connected to the myAbacus Portal is out of scope.
The following incomplete list of services are out of scope:
Source Code
Source code is available at https://downloads.abacus.ch/downloads/servicepacks/version-2025
Shared Space Warning
This is a shared environment with a limited number of distinct users. Please take care not to interfere with other bug bounty hunters, and only delete or write data when it is necessary for your test.
Important Note
If a finding on the MyAbacus scope is also present on the BDO implementation, it will be rewarded by Abacus only. If the issue lies in BDO's implementation and not in Abacus's, it will be rewarded by BDO only. If you submit the same finding to both programs, one submission will be marked as informative and closed. If you have any questions, please get in touch: [email protected]
The organisation gives its approval for security researchers to use hacking methods within the limits of the briefing above. Because of this consent, the criminal liability criterion of unauthorised obtaining / unauthorised use, and thus the criminal liability of the security researchers under Art. 143 Swiss Criminal Code (Unauthorised obtaining of data) and Art. 143bis Swiss Criminal Code (Unauthorised access to a data processing system), does not apply.
| Severity | Bounty |
|---|---|
| Critical | CHF 2600-5000 |
| High | CHF 1000-2600 |
| Medium | CHF 400-800 |
| Low | CHF 50-150 |