Introduction

This project has been sponsored by the European Commission as part of the EU-Free and Open Source Software Auditing (EU-FOSSA) project designed to improve the security of free software.

This program will be open for submissions for 8 weeks, though rewards may be processed beyond the 8 week period in order to allow for full evaluation of the impact of valid vulnerability reports.

Note: This program has now been extended for a further two months until 6th of July 2019

Disclosure Policy

• Follow HackerOne's disclosure guidelines.
• Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.
• Please provide detailed reports with reproducible steps demonstrating a plausible exploitation scenario.
• If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
• Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
• The project maintainers have final decision on which issues constitute security vulnerabilities. We will respect their decision, and we ask that you do as well.

Exclusions

While researching, we'd like to ask you to refrain from:

• Denial of service
• Spamming
• Social engineering (including phishing) of staff or contractors

Goals

The main goal is to find important security issues, that cannot be found with other approaches like static analysis, dynamic analysis or fuzzing.

Scope

• MidPoint software as built from midPoint project master branch, without any custom code extensions or changes.
• Researches are free to modify midPoint configuration, as long as such modifications are reasonable from the security point of view. I.e. attempts to cause security issue by deliberately mis-configure the system will not qualify for the bounty (see “Out Of Scope” section below).
• Identity connectors bundled with midPoint distribution (LDAP, AD, CSV, DatabaseTable)
• The PoC must work on the master branch of midPoint, or the latest build. Older builds are explicitly out of scope. If an issues is discovered in older midPoint version, it must be reproducible on the latest build from project master branch. Although the development team will be grateful for bug reports concerning older (but still supported) versions of midPoint, those issues do not qualify for bounty unless they can be reproduced on a master branch.

Out of Scope

• Known bugs listed in our public Jira instance (http://jira.evolveum.com/).
• Custom or non-bundled identity connectors.
• Issues caused by malicious code extensions (modified or extended midPoint code, e.g. by using maven overlays)
• Issues caused by malicious expressions configured by system administrator, especially issues caused by configuring malicious scripting expressions.
• Issues caused by deliberate misconfiguration of the system by system administrator, e.g. cases when powers of system administrator are used to set up weak authorization statements.
• Default configuration of midPoint instance. As security is always relative to specific deployment, default configuration of midPoint is not meant to be perfectly secure. It is meant as a starting point to create a secure configuration. Only issues with a severe impact can qualify if they are caused by default system configuration.

Description

MidPoint is an identity management and governance system. It is a comprehensive system that synchronizes several identity repositories and databases, manages them, makes them available in a unified form, manage roles, authorizations, entitlements and implements almost every aspect of identity management and governance. It belongs to the "management" part of Identity and Access Management (IAM) field.

The most important features of midPoint are:

• User provisioning and deprovisioning: midPoint can automatically create and manage user accounts, groups, organizational units and so on.
• Identity synchronization and reconciliation: midPoint can seamlessly synchronize several databases. It can make sure that the identity data are always up to date.
• Identity management process automation: midPoint has a built-in engine that can drive approval of access requests.
• Role-based access control (RBAC): midPoint can automatically compute user privileges based on their membership in roles.
• Management of identity-related parts of the enterprise security policy: midPoint can check password quality, maintain segregation of duties, and so on.
• Support for security auditing and reporting: midPoint keeps an audit trail of all changes to user privileges. It has a built-in reporting engine to generate reports for identities collected from all the connected systems.
• Non-intrusive integration using identity connectors: midPoint connectors are simple pieces of code that allows it to remotely connect to other system and manage identity data. The connectors are non-intrusive: the connected system does not need to be changed.
• Management of organizational structure and its synchronization to other systems.
• Identity governance: Management of complex policies that govern business aspect of identity management.

More information: https://wiki.evolveum.com/display/midPoint/Introduction

Test Environment

There are several options to set up a testing environment for the research. However, there are two recommended methods: build from source code and use of docker images.

From Source

First approach is the classic method of building midPoint from the source code, deploying and configuring it. Fresh bild from midPoint master branch should be used for this kind of testing. In this case proper system configuration is the sole responsibility of the researcher (please note that the default system configuration is not designed to be completely secure).

MidPoint source code: https://github.com/Evolveum/midpoint

Docker

Second approach is taking advantage of pre-built midPoint docker containers. MidPoint docker images are built as part of midPoint automated CI process. Those images are available for testing. There is a “clean” image that contains only default midPoint configuration. There is also a planned release of an image with pre-configured scenarios.

Even for docker-based installation, it is a responsibility of the researcher to make sure that midPoint configuration is appropriate for the specific use case that the researcher is exploring. Configuration of MidPoint docker container is not meant to be complete and production-ready configuration, it is meant for demonstration purposes and as a basis to create specific deployment configurations. The researches are expected to make sure that midPoint configuration is appropriate for their test cases.

Details about midPoint docker containers: https://wiki.evolveum.com/display/midPoint/Dockerized+midPoint https://wiki.evolveum.com/display/midPoint/Simple+demo (Contains demo data)

For all testing cases it is strongly recommended for the researcher to get familiar with midPoint concepts, mechanisms and configuration. In-depth study of midPoint book and documentation is an essential part of preparation for the testing.

MidPoint book: https://evolveum.com/midpoint/midpoint-guide-about-practical-identity-management/ MidPoint documentation: https://wiki.evolveum.com/display/midPoint/Documentation

PoC details

The PoC must work on the master branch of midpoint.git (HEAD), or the latest distribution build (4.0). Stable versions or older nightly builds are explicitly out of scope. Vulnerabilities that have patches available publicly are not taken in account.

The PoC must work on the latest version of Windows, macOS, Linux, and the security features of the platform (ASLR, etc.) must not be disabled.

PoC that works only with ASLR disabled will be denoted in severity, but might be accepted.

Rewards

Our rewards are based on the severity of a vulnerability. HackerOne uses CVSS 3.0 (Common Vulnerability Scoring Standard) to calculate severity. We will update the program over time based on feedback, so please give us feedback on any part of the program you think we can improve on.

---

A bonus structure is in place from the 14th of June to 6th July 2019

Critical severity bugs - €3000 €4500

High severity bugs - €1500 €1950

Medium severity bugs - €500 €650

Low severity bugs - €150 €195

---

Bonus

There is a 20% bonus for including a fix in the report, when accepted by the maintainers.

Note: The 20% bonus is calculated off the new bonus structure.

Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

Thank you for helping keep MidPoint and our users safe!

If you have any questions or concerns on this Challenge, please contact [email protected].