Northern.tech makes software products to secure the world's connected devices. We are interested in real and exploitable vulnerabilities which could damage us and our customers.
For examples of previously discovered, accepted and fixed security vulnerabilities, see our websites:
mender.io/blog/tag/cve
cfengine.com/tags/cve/
Area of focus
We are interested in security bugs with real world impact, such as:
- Bypassing authentication / login screen and taking over someone's account.
- Bypassing access control to gain access to resources you should not have access to.
- Privilege escalation.
- Taking over control of the Mender Server or CFEngine Hub from a device / host.
- Bypassing the signature check for verifying signed artifacts in Mender.
Disclosure policy
- As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.
- Follow HackerOne's disclosure guidelines.
Program rules
Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
- Submit one vulnerability per report unless you need to chain vulnerabilities to provide impact.
- When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).
- Ask the program team before submitting vulnerabilities on unscoped subdomains.
- Only interact with accounts you own or with the explicit permission of the account holder.
Report submission
Well-written reports help us read and understand your findings efficiently.
- Please try to keep reports short and to the point. Utilizing AI can generate very long reports for no benefit, for an issue that could be explained in a couple of sentences.
- We welcome submissions from hackers who do not have English as their native language. We recommend submitting a report which you wrote, instead of using AI to try to make it "better". Spelling and grammar mistakes are okay! Submitting a report in your native language is also okay.
- Screenshots and video recordings are great to illustrate a point.
Common reasons why reports are rejected
Avoid making these mistakes:
- AI source code hallucinations - Commands and source code with syntax errors, generated / hallucinated by AI and never tested by the user.
- AI factual hallucinations - The report contains sentences and facts that are simply wrong, showing that the user / AI does not know what they are talking about.
- Working as intended - The report describes an API, feature, or functionality working exactly as intended. There is no security impact.
- Out of scope - The report describes something which is explicitly mentioned under the scope exclusions, or HackerOne's Core Ineligible Findings.
- Suggestion for improvement - The report does not describe a vulnerability, but rather a security-related suggestion. This includes suggestions such as reducing token expiration time, adding additional authentication steps, and similar.
Test plan - Hosted Mender (SaaS)
- Users are able to sign up for a free account through our website; staging.hosted.mender.io
- Please use your hacker email alias when testing ([email protected])
- Do not test on the production instance
- Do not perform testing which generates excessive network traffic (such as password brute-forcing, DoS, DDoS)
- Researchers should add headers to requests such as: “X-HackerOne-Research: [H1 username]”
Test plan - Open Source repositories
We have open source repositories where you can read the source code to find issues:
Test plan - CFEngine Enterprise
CFEngine Enterprise can be downloaded from our website and run locally or on a cloud VM:
https://cfengine.com/downloads/cfengine-enterprise/
Instructions for getting started are available in our documentation:
https://docs.cfengine.com/docs/3.24/getting-started.html
Thank you for helping keep Northern.tech and our users safe!