OX App Suite
Building a borderless Internet that is open, safe and free.
Reward
Program
Hacktivity
Company
Open-Xchange is a leading provider of communication, security and productivity platforms. We are committed to a borderless Internet that is open, safe and free, allowing users to protect their own data and privacy. To achieve this goal, we build open-source software, which is the sole scope of this bounty program. OX App Suite is our SaaS-based web service to collaborate and manage business information.
Since our APIs and source code are both publicly documented and exposed, we rely on strong authentication, crypto implementations and do not support the concept of security by obscurity. At the same time, we're delivering our software in a way that it comes with secure defaults. For this program, we offer access to a hosted sandbox and also invite you to install our software on your premises for research, contribution and usage.
We also run bug-bounty programs for our other products:
Program Rules
- We believe that no technology is perfect and that working with skilled security researchers is crucial in identifying weaknesses in our technology.
- If you believe you've found a security bug in our service, we are happy to work with you to resolve the issue promptly and ensure you are fairly rewarded for your discovery.
- Any type of denial of service attacks is strictly forbidden, as well as any interference with our infrastructure.
- We are providing you access to a sandbox environment to make research easier. This has some security controls disabled (2FA, CSP...) to make it easy to validate findings. Those are intentional and don't qualify for bounty.
- The sandbox environment will re-set itself once a week. Do not store valuable information there.
- You can set up a lab environment for your own research based on public software packages, containers and source-code. However, we will not accept reports which are specific to your lab's configuration and cannot be reproduced on our deployments.
Moreover you must avoid:
- Tests that could cause degradation or interruption of our service (refrain from using automated tools, and limit yourself about requests per second).
- Editing our public wiki on GitHub.
- Uploading, sending or injecting malware to Open-Xchange and contractors
- Using data acquired by compromising customer or employee accounts
Vulnerabilities which have already been reported to us (including reports received outside YesWeHack, for example from -customers or penetration tests) are considered as "Duplicate" in case they describe a similar attack type, regardless of which component is affected.
The triage team will use the "One Fix One Reward" process: if two or more endpoints use the same code base and a single fix can be deployed to fix all the others weaknesses, only one endpoint will be considered as eligible for a reward and other reports will be closed as Informative. We reward based on vulnerability, not per endpoint.
Eligibility and Responsible Disclosure
We are happy to thank everyone who submits valid reports which help us improve the security of App Suite, however, only those that meet the following eligibility requirements may receive a monetary reward.
- You must be the first reporter of a vulnerability.
- The vulnerability must be a qualifying vulnerability (see below)
- Any vulnerability found must be reported no later than 24 hours after discovery and exclusively through yeswehack.com
- You must send a clear textual description of the report along with steps to reproduce the issue, include attachments such as screenshots as necessary. PoC exploit code is highly appreciated.
- You must not leak, manipulate, or destroy any user data.
- You must not be a former or current employee of Open-Xchange or one of its contractors.
- Reports about vulnerabilities are examined by our security analysts.
- Our analysis is always based on worst-case exploitation of the vulnerability, as is the reward we pay.
- When reviewing source-code, the "main" or "master" branches represent the current versions that are available as packages and on the sandbox environments. Only reports for those branches will be eligible for bounty, if there is a master and main branch, the main branch takes precedence.
- For packages the last two released minor versions are eligible for bounty.
Reports of leaks and exposed credentials
In the context of this program, we do not intend to encourage, accept or reward reports of leaks that are not applicable to our program scope and identified outside of our program scope, such as:
- Exposed credentials in/from an out-of-scope asset/source
- Sensitive information exposed in/from an out-of-scope asset/source
- Credentials provided on purpose, for example access to a Sandbox installation
Also, in order not to encourage dark and grey economies, in particular the purchase, resale and trade of identifiers or stolen information, as well as all types of dangerous behavior (e.g. social engineering, ...), we will not accept or reward any report based on information whose source is not the result of failure on the part of our organization or one of our employees.
This excludes, but is not limited to:
- Stolen credentials gathered from unidentified sources
- Exposed credentials that are not applicable on the program scope
- Exposed GitHub/GitLab (or similar) instance with no direct relation with our program scope
- Exposed secrets (e.g. API tokens/keys or other technical credentials) that are not directly related to the program scope
- Exposed PII on an out-of-scope asset
Source of leak is in-scope | Source of leak belongs to Open-Xchange but is out-of-scope | Source of leak does not belong to Open-Xchange and is out-of-scope | |
---|---|---|---|
Impact is in-scope (e.g. valid credentials on an in-scope asset) | Eligible | Eligible | Not Eligible |
Impact is out-of-scope (e.g. valid credentials for an out-of-scope asset) | Eligible | Not Eligible | Not Eligible |
Important precautions and limitations
As a complement to the program rules and testing policy :
- DO NOT alter compromised accounts by creating, deleting or modifying any data
- DO NOT use compromised accounts to search for post-auth vulnerabilities (they will not be eligible anyway)
- DO NOT include Personally Identifiable Information (PII) in your report and please REDACT/OBFUSCATE the PII that is part of your PoC (screenshot, server response, JSON file, etc.) as much as possible.
- In case of exposed credentials or secrets, limit yourself to verifying the credentials validity
- In case of sensitivie information leak, DO NOT extract/copy every document or data that is exposed and limit yourself to describe and list what is exposed.
Sandbox installation
We're offering a hosted sandbox environment for you to execute research using shared accounts. Please note that other researchers may access and use your data on a shared account. The environment will reset each Sunday at 06:00 UTC, so please make sure to keep backups of your research.
Mail delivery on this environment is inbound and local-only, which means you cannot send mail to external addresses. However, you can send E-Mail to the accounts, between the accounts as well as using IMAP and SMTP to connect to the mailbox using the same host and credentials as used for web access. Furthermore no anti-virus or anti-spam solution is being used to ease research.
You can obtain user-level access to the sandbox installation using credentials from the list below.
Account semantics
Access is controlled through user-accounts, like "user.one@sandbox-1.open-xchange.com". Besides the obvious representation as an E-Mail Address, this format has semantics which are valuable to know for your research.
The @ is a user and "context" (tenant) delimiter, where the first part represents the user account and the second part defines the context. All users within the same context can "see" each other within the application, but are separated from other contexts. As an example, "user.one@sandbox-1.open-xchange.com" and "user.one@sandbox-2.open-xchange.com" are two fully separated user accounts, while "user.one@sandbox-1.open-xchange.com" and "user.two@sandbox-1.open-xchange.com" can work together within the same context and are supposed to access shared data.
Non-web access
Using UA identifier tokens of popular CalDAV/CardDAV/WebDAV clients (e.g. "Lightning" or "DataAccess") will internally redirect requests at https://sandbox.open-xchange.com/ to our DAV servlet rather than providing access to the web interface. For research, you can use https://sandbox.open-xchange.com/servlet/dav directly. Using https://sandbox.open-xchange.com/servlet/webdav.infostore grants access to WebDAV based file access to "Drive".
Software packages
You can use on-premise installations of our software free of charge and have a look at its inner workings. We expect that you're using up-to-date versions of our software and related services, hardened configurations as well as a set of strong credentials.
Learn more from overviews and guides at https://oxpedia.org/ and find an installation script at https://gitlab.open-xchange.com/qa/ox-installer. Technical documentation is provided at https://documentation.open-xchange.com/.
Source-code
Source-code can be cloned via Git from our public GitLab repositories:
Mind that each component has various integration points, APIs and subcomponents that are in scope. Mind that not all repositories are in scope for this program (See: "Out-Of-Scope"). Please refer to our documentation to learn more.
Rating and Disclosure
We use CWE, CVE, CVSS to rate and categorize vulnerabilities. Any vulnerability will be publicly disclosed after sufficient time has passed for operators to deploy updates. Advisories use CSAF and will be published on our update sites, mailing-lists and external mailing-lists like fulldisclosure. Please understand that we handle the full disclosure process and expect that you do not disclose any findings yourself, we will include researcher credits if requested.
Reward
Asset value | CVSS | CVSS | CVSS | CVSS |
---|---|---|---|---|
€250 | €750 | €2,000 | €5,000 |
Scopes
Scope | Type | Asset value | Expand rewards grid |
---|---|---|---|
https://sandbox.open-xchange.com | web-application | ||
Low Medium High Critical | |||
https://sandbox.open-xchange.com | api | ||
Low Medium High Critical | |||
GitLab and GitHub repos listed on this page | other | ||
Low Medium High Critical |
Out of scopes
- All domains which are not listed as "Scopes", especially any production system operated by customers
- Everything that is not directly related to the application or source-code in scope (e.g. GitHub, domain settings)
- Antivirus and anti-spam filtering on the sandbox environment, this has been disabled to avoid research disruption
- The components "imageconverter", "documentconverter", "spellchecker" and "cacheservice" are temporarily out of scope.
Vulnerability types
Qualifying vulnerabilities
- Remote code execution (RCE)
- Local files access and manipulation (LFI, RFI, XXE, SSRF, XSPA)
- Code injections (HTML, JS, SQL, ...)
- Cross-Site Scripting (XSS)
- Cross-Site Requests Forgery (CSRF) with real security impact
- Open redirect
- Clickjacking/UI redressing
- Broken authentication & session management
- Insecure direct object references
- CORS with real security impact
- Horizontal and vertical privilege escalation
- Exposed secrets, credentials or sensitive information on an asset under our control and affecting at least one of our scopes
Non-qualifying vulnerabilities
- SSL/TLS best practices
- Denial of Service attacks
- Software version disclosure
- Stack traces or path disclosure
- Physical or social engineering attempts, including phishing
- Recently disclosed 0-day vulnerabilities
- Presence of autocomplete attribute on web forms
- Vulnerabilities affecting outdated browsers or platforms
- Issues that require physical access to a victim’s computer/device
- Incomplete or missing SPF/DKIM/DMARC records for the sandbox environment
- Reports for outdated versions of our software (more than two minor versions old)
- Missing security-related HTTP headers which do not lead directly to a vulnerability
- Findings that do not have considerable impact on availability, confidentiality and integrity
- Reports from automated web vulnerability scanners (Acunetix, Vega, Burp, Nessus, etc.) that have not been validated
- Spamming, harassment or any other kind of unauthorized communication
- Legacy and unsupported versions
- Any physical attempts against our employees, property or datacenters
- Purposely weakening the default configuration of our components, vulnerabilities which have been made possible by purposely weakening the default configuration while using authorized privileged access
- Vulnerabilities of third-part components, websites or DNS configuration
- "Jailbroken" devices may be used to ease research, flaws that require a device to be jailbroken are not in scope, however
- Vulnerabilities which are purely hypothetical or already publicly known or variations of such, including vulnerabilities that are made possible by exploiting another reported vulnerability
- Stolen secrets, credentials or information gathered from a third-party asset that we have no control over
- Exposed secrets, credentials or information on an asset under our control that are not applicable to the program scope
Hunting requirements
Account access
We offer to use shared accounts for your research. Those get reset once a week. Please pick as many as you need but do not change passwords on those. The password for all of them is "secret" and you can log-in at https://sandbox.open-xchange.com.
There are six contexts with five user accounts each, 30 accounts in total. This list is condensed due to content length limitations.
oxadmin@sandbox-1.open-xchange.com
user.one@sandbox-1.open-xchange.com
user.two@sandbox-1.open-xchange.com
user.three@sandbox-1.open-xchange.com
user.four@sandbox-1.open-xchange.com
user.five@sandbox-1.open-xchange.com
...
oxadmin@sandbox-6.open-xchange.com
user.one@sandbox-6.open-xchange.com
user.two@sandbox-6.open-xchange.com
user.three@sandbox-6.open-xchange.com
user.four@sandbox-6.open-xchange.com
user.five@sandbox-6.open-xchange.com
Accounts can be used by more than one researcher at the same time. If you feel like one account is too crowded, please pick another one.
User agent
Please append to your user-agent header the following value: ' -ywh-bugbounty-appsuite '.
Hunters collaboration
When submitting new report, you can add up to 5 collaborators, and define the reward split ratio.
For more information, see help center.
Note: For reports that have already been rewarded, it is not possible to redistribute the rewards.