Cryptobox Bug Bounty Program
What is Cryptobox?
Cryptobox provides businesses and organizations with a sharing and collaboration solution to secure internal and external exchanges, using end-to-end encryption.
You can securely access your documents from any device, control your data and costs with a scalable architecture and a patented security solution. Cryptobox can be deployed on premises, in the cloud or in a hybrid model depending on customer architecture requirements.
Share, collaborate and exchange end-to-end encrypted documents with colleagues or external partners!
- Safely exchange data and documents through end-to-end encryption
- As a workspace owner, maintain control by defining the roles of each member
- Ensure that each user can access only what they are entitled to see
- Accessible across multiple devices and browsers
Add-on Options available:
- Deposit box: Each user can create and share a unique, secure 'deposit box' link, allowing anyone who doesn't necessarily have an account to upload documents directly into Cryptobox with just 1 click.
Security
Cryptobox has been qualified by ANSSI for use at the "restricted" level, and certified at the Common Criteria EAL3+ level.
Ercom is convinced that working with skilled security hunters around the globe is a relevant part of the flow remediation process dedicated to maintain a high security level.
Rules
What hunters must do
- All program rules must be agreed and complied with by hunters.
- All tests shall be done following the processes set by YesWeHack.
- Ercom provides a dedicated test platform for vulnerability assessment at https://bounty.cryptobox.com. This is the only platform that shall be challenged.
- Each hunter will get access to 2 accounts, so that hunters can try attacking one of their account from the other.
What hunters must not do
- Tests not compliant with rules of YesWeHack will not receive any reward, and will be deemed illegal.
- Hunters must not violate any local, state, national or international law.
- Hunters must not attack other accounts than one of theirs.
- Hunters must not use social engineering attacks.
- Hunters shall not use more than 1 GB per account.
- All documents provided to the hunters are currently confidential and shall not be disclosed.
- Hunters shall not publicly disclose the bug until Ercom has confirmed the bug is fixed. Even then they shall not make exploits publicly available unless required by law or with Ercom's written permission.
Supported browsers
- Current versions of Firefox, Chrome and Edge.
Supported apps
- Cryptobox for Android
- Cryptobox for iOS
Important Note
Cryptobox is a product that can be deployed either on premise or in the cloud, with one platform being deployed for a given company. It is expected that users of a given Cryptobox platform have access to each other information. This includes the email address, first name, last name and public certificates. In the context of this bug bounty, we deployed one dedicated platform at https://bounty.cryptobox.com for all hunters. As a consequence, please be aware that your account information (first name, last name, email) will be visible by all other hunters.
Rewards
Ercom will pay rewards at Ercom's discretion for a serious and reproducible vulnerability. Submissions will be evaluated in regard to the impact of uncovered vulnerabilities to these assets. Hunters are responsible for any applicable taxes associated with any reward you receive. Any report that results in a change in our code base will be rewarded, at minimum, by a €100 reward. Only the first hunter who finds a given vulnerability is eligible to get a reward.
Please note that we may modify the terms of this program or terminate it at any time.
Reward Structure
| Asset Value | CVSS Low | CVSS Medium | CVSS High | CVSS Critical |
|---|
| Medium | €100 | €1,000 | €3,000 | €5,000 |
Reports of Leaks and Exposed Credentials
In the context of this program, we do not intend to encourage, accept or reward reports of leaks that are not applicable to our program's scope and identified outside of our program's scope, such as:
- Exposed credentials in/from an out-of-scope asset/source
- Sensitive information exposed in/from an out-of-scope asset/source
Also, in order not to encourage dark and grey economies, in particular the purchase, resale and trade of identifiers or stolen information, as well as all types of dangerous behavior (e.g. social engineering, ...), we will not accept or reward any report based on information whose source is not the result of failure on the part of our organization or one of our employees/service providers.
This excludes, but is not limited to:
- Stolen credentials gathered from unidentified sources
- Exposed credentials that are not applicable on the program's scope
- Exposed GitHub/GitLab (or similar) instance with no direct relation with our program's scope
- Exposed secrets (e.g. API tokens/keys or other technical credentials) that are not directly related to the program's scope
- Exposed PII on an out-of-scope asset
Leak Source vs Impact Table
| Source of leak is in-scope | Source of leak belongs to Ercom but is out-of-scope | Source of leak does not belong to Ercom and is out-of-scope |
|---|
| Impact is in-scope (e.g. valid credentials on an in-scope asset) | Eligible | Eligible | Not Eligible |
| Impact is out-of-scope (e.g. valid credentials for an out-of-scope asset) | Eligible | Not Eligible | Not Eligible |
Important Precautions and Limitations
As a complement to the Program's rules and testing policy:
- DO NOT alter compromised accounts by creating, deleting or modifying any data
- DO NOT use compromised accounts to search for post-auth vulnerabilities (they won't be eligible anyway)
- DO NOT include Personally Identifiable Information (PII) in your report and please REDACT/OBFUSCATE the PII that is part of your PoC (screenshot, server response, JSON file, etc.) as much as possible.
- In case of exposed credentials or secrets, limit yourself to verifying the credentials validity
- In case of sensitive information leak, DO NOT extract/copy every document or data that is exposed and limit yourself to describe and list what is exposed.
Scope
Out of Scope
- Testing any other system than https://bounty.cryptobox.com, in particular *.cryptobox.com or *.ercom.fr.
Vulnerability Types
Qualifying Vulnerabilities
- Any attack allowing to access another user password, including by attacking the trustee mechanism for account recovery
- Any attack allowing to access files/messages stored in a workspace/conversation you are not part of
- Any attack allowing to bypass user permissions in a workspace (e.g. update documents if you only have reader permission, or add users if you only have member permissions)
- Any attack allowing you to access a file shared without knowing the sharing key
- Any attack allowing to alter the file history
- Any attack allowing to extract the private device keys used in the mobile applications
- Cross-Site Scripting (XSS)
- SQL injections
- Remote Code Execution (RCE)
- Insecure Direct Object Reference (IDOR)
- Horizontal and vertical privilege escalation
- Authentication bypass & broken authentication
- Business Logic Errors vulnerability with real security impact
- Local files access and manipulation (LFI, RFI, XXE, SSRF, XSPA)
- Cross-Origin Resource Sharing (CORS) with real security impact
- Cross-site Request Forgery (CSRF) with real security impact
- Open Redirect
- Exposed secrets, credentials or sensitive information from an asset under our control
Non-Qualifying Vulnerabilities
- Ability for an authenticated user to enumerate user accounts information (email, first name, last name, public certificates) on the same platform
- Ability for an un-authenticated user to test if an account exists on the server
- Ability for members with the viewer role to extract files using the browser
- Ability for users to share malicious files with other users (Cryptobox being an end-to-end encrypted file sharing service, the server cannot have access to shared payload or even file extensions. We have an optional feature based on a specific client integration though, but it is not enabled on the platform dedicated for the bug bounty)
- Denial of Service vulnerabilities, lack of rate limiting, brute force attacks
- Client applications remains connected without time limit
- Tabnabbing
- Known CVEs without working PoC
- Social engineering of staff or contractors
- Presence of autocomplete attribute on web forms
- Outdated libraries without a demonstrated security impact
- Any hypothetical flaw or non followed best practice without exploitable PoC
- Reports with attack scenarios requiring physical access to victim's device
- Disclosure of information without direct security impact (e.g. stack traces, path disclosure, directory listings, software versions)
- Password requirements policies (length / complexity / reuse)
- Ability to spam users (email / SMS / direct messages flooding)
- Recently disclosed 0-day vulnerabilities (less than 30 days since patch release)
Hunting Requirements
Account Access
You can register using your YesWeHack email alias (@yeswehack.ninja) on the dedicated platform at https://bounty.cryptobox.com.
To find your email aliases, go to https://yeswehack.com/user/tools/email-alias
Please note that as documented in the program description, the name and email address you provide during registration will be visible from other hunters.
Hunter Collaboration
When submitting new reports, you can add up to 5 collaborators, and define the reward split ratio. For reports that have already been rewarded, it is not possible to redistribute the rewards.