Reward

BountyHall of fame

€100 Low €100 Medium €600 High €2,000 Critical €7,000

Program

Avg reward €719.34

Max reward €15,000

Scopes42

Supported languagesEnglishFrench

Hacktivity

Reports1949

1st response < 1 day

Reports last 24h31

Reports last week105

Reports this month146

Program description

Program activity

About us and our program

Us at Infomaniak

Infomaniak is Switzerland's largest web-hosting company, also offering live-streaming and video on demand services. Founded in 1994, Infomaniak is an independent company wholly owned by its founders and employees. Not only are 70% of their employees highly qualified engineers, they also focus systematically on internal development and open source solutions to design their products. Guaranteeing the security and confidentiality of the data entrusted to them is one of their priorities.

Infomaniak’s News

Hey Hunters 📣

✨ Big news! Our brand-new Newsletter Builder is now live — and yes, we want you to break it.

We rebuilt it from the ground up for maximum flexibility, pixel-perfect designs, and professional visuals

🔍 What to hunt:

XSS in email content, subject lines, or preview mode
Template injection or HTML/JS escaping bypasses
Authentication & permission flaws (can you edit someone else’s template?)

Be the first to find the flaw — and get paid for making our builder even stronger 💪

Link : https://www.infomaniak.com/en/marketing-events/newsletter-tool

Happy hunting! 🏹💥

Infomaniak’s Challenges winners

Challenge #6 : Node.js Hosting > in progress... ⏳

Challenge #5 : Managed Kubernetes service > in progress... ⏳

Challenge #4 : Email Encryption via kSuite > in progress... ⏳

Challenge #3 : MyKSuite > Our challenge has been won by ** b0unc3**, congratulation 🎉🏆

Challenge #2 : Mobile and Desktop apps > Our challenge has been won by MrTuxracer, congratulation 🎉🏆

Challenge #1 : Radio Streaming and Hosting Products 👋 😀 > Our challenge has been won by two winners ex-aequo Rabhi and ** Ertugrul**, congratulation on nice vulnerabilities in our radio product !

Challenges

Challenge #6 : Node.js Hosting

We’ve just added our Node.js hosting platform to the scope of our bug bounty program — and we’re launching a dedicated challenge!

🧪 You can start testing right now with 30 days of free access:

👉 https://www.infomaniak.com/en/hosting/nodejs-hosting

📚 Not sure how to get started? Check out the documentation here:

👉 https://faq.infomaniak.com/2537

💰 Bonus reward: The first valid report on this new perimeter will receive a +50% bounty bonus.

This is a great opportunity to explore a new environment and make an impact. We’re counting on your insights.

We look forward to your findings.

Challenge #5 : Managed Kubernetes service

We are thrilled to announce the launch of our new product: Managed Kubernetes service ☸️ ! We invite all bug hunters to test this product here: https://www.infomaniak.com/en/hosting/public-cloud/kubernetes

It comes with a free trial offer, so you can use it to kickstart your testing !

Additionally, we are offering a 50% bonus for the first report submitted within this scope. So, don't hesitate to dive in and explore this exciting new product.

We eagerly await the results of your tests and are confident that your efforts will help us enhance our platform even further.

Challenge #4 : Email Encryption via kSuite

We’re excited to announce that email encryption is now live in production on our kSuite platform. This major security enhancement ensures stronger protection and confidentiality for all emails sent via kSuite.

As part of this launch, we’re opening a new challenge on this perimeter!

You can test and hunt for vulnerabilities using :

Your myKSuite account (free to use)

Any kSuite Pro offer

💰 Bonus alert: The first valid report on this new perimeter will receive a +50% reward bonus on top of the regular bounty.

📚 To learn how to use email encryption, check out the official guide: https://faq.infomaniak.com/1582

What we're looking for with this program

We are more than happy to be working with the YWH community to leverage its creativity and expertise in order to improve our products and assets' security. We try our best to provide secure solutions but as security is a constant struggle, we'd like your help in spotting anything that we might have missed !

We are particularly interested in any vulnerability involving the following :

Leaking of personal data
Horizontal / vertical privilege escalation
SQLi
Server misconfiguration
Server-Side Request Forgery
Insufficiently Protected Credentials
Network misconfiguration (between customers and internal servers)

Our program is constantly evolving and our scope expanding, do keep an eye out for new targets to test !

Program Rules

Testing Policy and Responsible Disclosure

Please adhere to the following rules while performing research on this program:

Denial of service (DoS) attacks on our applications, servers, networks or infrastructure are strictly forbidden.
Avoid tests that could cause degradation or interruption of our services.
Do not use automated scanners or tools that generate large amount of network traffic.
Do not leak, manipulate, or destroy any user data or files in any of our applications/servers.
Do not copy any files from our applications/servers and disclose them.
No vulnerability disclosure, full, partial or otherwise, is allowed.

Reward Eligibility and Amount

We are happy to thank everyone who submits valid reports which help us improve our security, however only those that meet the following eligibility requirements may receive a monetary reward:

You must be the first reporter of a vulnerability.
The vulnerability must be a qualifying vulnerability (see below).
The report must contain the following elements:
Clear textual description of the vulnerability, how it can be exploited, the security impact it has on the application, its users and our organisation, and remediation advice on fixing the vulnerability
Proof of exploitation: screenshots demonstrating the exploit was performed, and showing the final impact
Provide complete steps with the necessary information to reproduce the exploit, including (if necessary) code snippets, payloads, commands etc
You must not break any of the testing policy rules listed above.
You must not be a former or current employee of our organisation or one of its contractors.
If you find the same vulnerability several times, please create only one report and eventually use comments. You'll be rewarded according to your findings.
The triage team will use the "One Fix One Reward" process: if two or more endpoints/forms use the same code base and a single fix can be deployed to fix all the other weaknesses, only one endpoint will be considered as eligible for a reward and other reports will be closed as Informative/Duplicate.

Reward amounts are based on:

Reward grid of the report's scope
CVSS scoring and actual business impact of the vulnerability upon performing risk analysis

Specific provisions and testing conditions

About Denial of service

Given our product and context, our customers expect the highest level of availability. Thus DoS/DDoS attacks or brute force attacks are not allowed and we ask you to avoid any test that might disturb our service and customer's servers.

In doubt, please reach out to the team at [email protected]

Openstack products are Out of scope

We use Openstack platform to provide instances, network, databases. You can create resources and find misconfigurations, unprotected data, etc.

Vulnerabilities like XSS in Openstack dashboard (Horizon) are out of scopes.

Vulnerabilities on Ticketing service

We allow our customers to inject JavaScript and html code into certain parts of the online ticketting service shop so that they can add google tag tracking for instance, or external content. This is of course an intended behavior even though it could allow them to inject an XSS payload for example.

Thus, we won’t accept and consider for reward reports linked to vulnerabilities introduced through the ticketing service editor, or another ticketing page/feature by an administrator/technical/sales users that are targeting their own website’s users.

Vulnerabilities on Page editor and site creator

In order to allow full customization of their websites Customers with administrator rights can edit or create pages with Page editor or Site creator and are allowed to inject JavaScript or html code for instance. This is of course an intended behavior even though it could allow them to inject an XSS payload for example.

Thus, we won’t accept and consider for reward reports linked to vulnerabilities introduced through Page editor or Site creator by a website administrator that are targeting their own website’s users.

HTML Injection in emails

These vulnerabilities are not currently of interest to the company and have been temporarily excluded. We are planning to change our templating system.

Business logic

We do not verify users' emails because we aim to provide a free and seamless user experience. Infomaniak offers a kCheck application and feature that can verify user identities in cases where we observe disruptive behavior. This helps us identify and block suspicious users.

Business logic Errors

Vulnerabilities of the 'Business Logic Error' type are not considered within the scope of this bug bounty program. Only serious cases involving leaks of personally identifiable information (PII) or leaks of customer or confidential data will be considered eligible for a reward. Bugs related to user rights on a product, between different products, or to restricted functionality limitations of a product will not be taken into account.

Broken Access Control

Broken Access Control vulnerabilities linked to inconsistencies in rights between administrators, employees or external users are no longer considered within the scope of the programme. Only critical cases involving leaks of information and significant personal data. Or a major impact on the business or financial aspects of our products.

Note regarding AI vulnerabilities

Specific in scope vulnerabilities for AI scope

In addition to the usual vulnerabilities we're also looking for any flaw that might lead to exploits specific to AI models, i.e. :

Influencing and changing the AI model in ways that impact other users
Ability to perturb valid inputs such that the model produces incorrect outputs for other users
Circumventing history protections and history deletion mechanisms to access other users' history
Accessing/revealing the AI model's internal workings and prompts, decision making processes and confidential information
Ability to poison the AI model or its data by tampering with its architecture, training code/data or hyperparameters

Out of scope vulnerabilities for AI scope

In the framework of this program, we're not interested in behaviors that do not pose a direct security concern or that could be considered as an output quality/accuracy issue, i.e. :

AI Command/Prompt Injection attacks that only affect the attacker or generate content that is shown only to the attacker
Model Hallucination attacks, e.g. AI model disclosing falsely confidential data or pretending to run code provided by an attacker
Outputs that could be considered as safety issues, that seem inaccurate or offensive

Out of scope services

The following services are out of the scope of this program :

Housing
Very high availability Hosting
Synology
Jelastic cloud
Safe tracing
Web FTP https://manager.infomaniak.com/ftp
Debian community servers : example with buster-.infomaniak.ch, bookworm-.infomaniak.ch

Site creator scope

We provide Site Creator instances for hunters to test:

https://5k8vrbdyje.infomaniak.site

https://tb7pxbdyjg.infomaniak.site

https://fv3lfbdyjh.infomaniak.site

https://l75pvbdyjo.infomaniak.site

Our customers' site creators are not part of the programme and we ask you not to test them.

Mobile and desktop applications

Android kDrive https://github.com/Infomaniak/android-kDrive

Android kMail https://github.com/Infomaniak/android-kMail

iOS kDrive https://github.com/Infomaniak/ios-kDrive

iOS kMail https://github.com/Infomaniak/ios-kMail

Desktop kDrive https://github.com/Infomaniak/desktop-kDrive

Reports of leaks and exposed credentials

We are open to some types of reports related to exposed secrets, credentials or information.

Please pay attention to our list of Qualifying/Non-Qualifying vulnerabilities, as well as our Scope and the following rules.

In order not to encourage dark and grey economies, in particular the purchase, resale and trade of identifiers or stolen information, as well as all types of dangerous behavior (e.g. social engineering, ...), we will not accept or reward any report based on information whose source is not the result of failure on the part of our organization or one of our employees/service providers

Disclosed information like credentials, emails, calendar invitation, guest invitation link, swisstransfer public link, kdrive public link, vod public link from this sources are not accepted :

archive.org
wayback machine
virusTotal
google dorking

Eligible reports

Reports of exposed secrets, credentials and sensitive information will be considered eligible if it complies with the following:

The source of exposure/leak is under our company’s control, directly or indirectly, e.g. stolen information or bundled information from a random source is not eligible.
The exposed information has been verified (or tested) and confirmed

If you identify a source (under our control) that is leaking multiple data, we kindly ask you to report it in a single report and we will consider the impact based on the nature and depth of the exposed data.

Reward

Asset value | CVSS Low | CVSS Medium | CVSS High | CVSS Critical | Critical | €100 | €600 | €2,000 | €7,000 | High | €100 | €400 | €1,500 | €3,500 | Medium | €100 | €300 | €600 | €1,000 |

Systemic issues

1st report100% 2nd report100% 3rd report75% 4th report50% 5th report25% 6th+ report10%

In the context of this program, we do not intend to encourage, accept or reward reports of leaks that are not applicable to our program’s scope and policy. To summarize our policy, you may refer to the below table:

More info

Scopes

Medium €600

High €2,000

Critical €7,000

Medium €600

High €2,000

Critical €7,000

| api.infomaniak.com | API | Critical | | Low €100

Medium €600

High €2,000

Critical €7,000

Medium €600

High €2,000

Critical €7,000

| manager.infomaniak.com/v3/* | Web application | Critical | | Low €100

Medium €600

High €2,000

Critical €7,000

Medium €600

High €2,000

Critical €7,000

Medium €600

High €2,000

Critical €7,000

Medium €400

High €1,500

Critical €3,500

Medium €400

High €1,500

Critical €3,500

Medium €400

High €1,500

Critical €3,500

Medium €400

High €1,500

Critical €3,500

Medium €400

High €1,500

Critical €3,500

Medium €400

High €1,500

Critical €3,500

Medium €400

High €1,500

Critical €3,500

Medium €400

High €1,500

Critical €3,500

Medium €400

High €1,500

Critical €3,500

Medium €400

High €1,500

Critical €3,500

Medium €400

High €1,500

Critical €3,500

Medium €400

High €1,500

Critical €3,500

Medium €400

High €1,500

Critical €3,500

Medium €400

High €1,500

Critical €3,500

Medium €400

High €1,500

Critical €3,500

Medium €400

High €1,500

Critical €3,500

Medium €400

High €1,500

Critical €3,500

Medium €400

High €1,500

Critical €3,500

Medium €400

High €1,500

Critical €3,500

Medium €400

High €1,500

Critical €3,500

Medium €400

High €1,500

Critical €3,500

Medium €400

High €1,500

Critical €3,500

Medium €400

High €1,500

Critical €3,500

Medium €400

High €1,500

Critical €3,500

Medium €300

High €600

Critical €1,000

Medium €300

High €600

Critical €1,000

Medium €300

High €600

Critical €1,000

Medium €300

High €600

Critical €1,000

Medium €300

High €600

Critical €1,000

Medium €300

High €600

Critical €1,000

Medium €300

High €600

Critical €1,000

Medium €300

High €600

Critical €1,000

Medium €300

High €600

Critical €1,000

Medium €400

High €1,500

Critical €3,500

Medium €300

High €600

Critical €1,000

Out of scopes

Assets not listed in the in scope section are to be considered as out of the scope of this program and won't be eligible for reward
https://api.pub1.infomaniak.cloud
We do not manage Open Stack dashboard which is therefore out of scope
ov-XX.infomaniak.ch and od-XX.infomaniak.ch sub domains
This domain https://drive.infomaniak.com/app/office/:folder:/:file: is out of scope. This is only office application, an external app to open MS office documents.
FTP credentials from our customers, like *.ftp.infomaniak.com
VPS instances from our customers, like *.vps.infomaniak.com
MySQL credentials from our customers, like *.myd.infomaniak.com
Jelastic subdomains : *.jcloud.ik-server.com, *.jpc.infomaniak.com, *.jpe.infomaniak.com
User email verification
Websocket IPS-public credentials. Public identifiers that do not allow access to information outside the scope of the user's profile.
S3 credentials from our customers, like s3.pub*.infomaniak.cloud
Database service instances from customers, like *.dbaas.infomaniak.cloud

Vulnerability types

Qualifying vulnerabilities

SQL Injection (SQLi)
Cross-Site Scripting (XSS)
Remote Code Execution (RCE)
Insecure Direct Object Reference (IDOR)
Horizontal and vertical privilege escalation
Authentication bypass & broken authentication
Business Logic Errors vulnerability with real security impact
Local files access and manipulation (LFI, RFI, XXE, SSRF, XSPA)
Cross-Origin Resource Sharing (CORS) with real security impact
Cross-site Request Forgery (CSRF) with real security impact
Open Redirect
Exposed secrets, credentials or sensitive information from an asset under our control
Influencing and changing the AI model in ways that impact other users
Ability to perturb valid inputs such that the model produces incorrect outputs for other users
Circumventing history protections and history deletion mechanisms to access other users' history
Accessing/revealing the AI model's internal workings and prompts, decision making processes and confidential information
Ability to poison the AI model or its data by tampering with its architecture, training code/data or hyperparameters

Non-qualifying vulnerabilities

Infomaniak Mirror Server
HTML Injection in emails
Sandboxed XSS without working PoC
Tabnabbing
Missing cookie flags
Content/Text injections
Mixed content warnings
Clickjacking/UI redressing
Denial of Service (DoS) attacks
Known CVEs without working PoC
Open ports without real security impact
Social engineering of staff or contractors
Presence of autocomplete attribute on web forms
Vulnerabilities affecting outdated browsers or platforms
Self-XSS or XSS that cannot be used to impact other users
Self-XSS or XSS on Page editor
Outdated libraries without a demonstrated security impact
Any hypothetical flaw or best practices without exploitable PoC
Expired certificate, best practices and other related issues for TLS/SSL certificates
Unexploitable vulnerabilities (ex: XSS or Open Redirect in HTTP Host Header)
Reports with attack scenarios requiring MITM or physical access to victim's device
Missing security-related HTTP headers which do not lead directly to a vulnerability
Unauthenticated / Logout / Login and other low-severity Cross-Site Request Forgery (CSRF)
Invalid or missing SPF (Sender Policy Framework), DKIM, DMARC records
Session expiration policies (no automatic logout, invalidation after a certain time or after a password change)
Disclosure of information without direct security impact (e.g. stack traces, path disclosure, directory listings, software versions, IP disclosure, 3rd party secrets)
CSV injection
HTTP Strict Transport Security Header (HSTS)
Subdomain takeover without a full working PoC
Blind SSRF without direct impact (e.g. DNS pingback)
Lack of rate-limiting, brute-forcing or captcha issues
User enumeration (email, alias, GUID, phone number)
Password requirements policies (length / complexity / reuse)
Ability to spam users (email / SMS / direct messages flooding)
Disclosed / misconfigured Google API key (including Google Maps)
Recently disclosed 0-day vulnerabilities (less than 14 days since patch release)
Password reset token leak on trusted third-party website via Referer header (eg Google Analytics, Facebook…)
Password validation for actions like deleting user, changing settings, etc
Task Hijacking
Crashing your own application
Stolen secrets, credentials or information gathered from a third-party asset that we have no control over
Lack of client-side protections on mobile binaries: SSL pinning/binary protection/code obfuscation/jailbreak detection/root detection/anti-debugging controls/ etc
Lack of encryption on internal databases/preference files on mobile device
Exploits that are only possible on Android versions that are not currently supported at the time of the emission of the vulnerability report
Exploits that are only possible on IOS versions that are not currently supported at the time of the emission of the vulnerability report
Exploits that are only possible on a jailbroken/rooted device
Generic Android or iOS vulnerabilities
Race condition without Critical risk for PII
Business logic Errors without Critical risk for PII or confidential data
AI Command/Prompt Injection attacks that only affect the attacker or generate content that is shown only to the attacker
Model Hallucination attacks, e.g. AI model disclosing falsely confidential data or pretending to run code provided by an attacker
Outputs that could be considered as safety issues, that seem inaccurate or offensive
Any issue that relies on the user installing/using an unofficial or malicious version of our mobile and desktop applications

Reports of leaks and exposed credentials

More info

Type of leak Source of leak is in-scope Source of leak belongs to the Organization and is out-of-scope Source of leak does not belong to the Organization and is out-of-scope

Impact is in-scope (e.g. valid credentials on an in-scope asset) Eligible Eligible Not eligible

Impact is out-of-scope (e.g. valid credentials for an out-of-scope asset) Eligible Eligible Not eligible

Hunting requirements

Account access

Most if not all our products are available to test for free and if not you can subscribe for a reasonable price. Thus, you're more than welcomed to self-register on our applications for the purpose of your tests.

Please use your YWH aliases (*@yeswehack.ninja) for your main account and subaccounts as it'll greatly help us process your reports. You can retrieve your aliases https://yeswehack.com/user/my-yeswehack/email-alias.

User agent

Please append to your user-agent header the following value: ' Infomaniak-YWH-Bugbounty '.

Hunters collaboration

When submitting new report, you can add up to 5 collaborators, and define the reward split ratio.

For more information, see [https://helpcenter.yeswehack.io/hunter/hunter-collaboration](help center). Note: For reports that have already been rewarded, it is not possible to redistribute the rewards.

To submit a vulnerability report, you need to login with your hunter account. /programs/infomaniak-bug-bounty-program/create-report