🚝 Introduction
SNCF Connect is a website and application offering an all-in-one mobility service. It is used for buying tickets (trains, urban transport, buses, etc.), for searching itineraries and for checking the passenger information you need during your trip: e-tickets, real-time timetables, live traffic information, etc. With more than 1.3 billion visits and 209 million tickets sold in 2023, SNCF Connect makes it possible to manage travel end to end. SNCF Connect is one of the leading e-commerce websites for mobility in France.
The security of our applications is fundamental for the trust of our clients and partners.
We are happy to offer the security community a way to help us find and fix vulnerabilities in our applications, and we are proud to invite skilled hunters to assist us in identifying vulnerabilities and strengthening our security.
Our bug bounty program is a crucial element of our security strategy.
The main scope of this program is our commercial website and our mobile application's web services.
Thank you for your consideration of our program.
📕 Program Rules
The bug bounty program is strictly limited by the scope defined in this program.
SNCF Connect reserves the right to modify the terms of this program or terminate this program at any time.
Out of scope reports will not be accepted.
The following actions are prohibited:
- Disturbing, degrading or breaking access to our services
- Launching denial-of-service attacks or any action that can overload our systems (such as brute force)
- Testing assets that are not in scope
- Modifying or destroying information (back end or front end)
- Accessing, downloading or modifying (or attempting to access, download or modify) data from an account that does not belong to you
- Launching phishing or spear-phishing attacks against our employees or suppliers
- Engaging in physical attacks against the data centers or against SNCF Connect offices
You must not be a former or current employee of SNCF Connect or one of its contractors.
Failure to comply with the preceding rules will result in the rejection of your report.
Please refrain from using automated tools. If you do use them, limit yourself to about 10 requests per second.
🚦 Eligibility and Responsible Disclosure
We are happy to reward everyone who submits valid reports which help us improve the security of SNCF Connect.
However, only reports that meet the following eligibility requirements may receive a monetary reward:
- You must be the first reporter of a vulnerability
- The report should include a clear explanation of the impact of the vulnerability's exploitation
- You must send a clear textual description of the report along with steps to reproduce the issue, including attachments such as screenshots or proof of concept code as necessary
- The vulnerability must be a qualifying vulnerability and must not be a non-qualifying vulnerability (see below)
- Any vulnerability found must be reported exclusively through yeswehack.com
- You must not let the public know about a vulnerability without agreement from SNCF Connect
In case of a sensitive information leak:
- DO NOT include Personally Identifiable Information (PII) in your report, and please REDACT/OBFUSCATE as much as possible any PII that is part of your PoC (screenshot, server response, JSON file, etc.)
- In case of exposed credentials or secrets, limit yourself to verifying that the credentials are valid
- DO NOT extract/copy every document or data item that is exposed; limit yourself to describing and listing what is exposed.
Also, in order not to encourage dark and grey economies, in particular the purchase, resale and trade of identifiers or stolen information, as well as all types of dangerous behavior (e.g. social engineering, ...), we will not accept or reward any report based on information whose source is not a failure on the part of our organization or one of our employees/service providers. Excluded reports include, but are not limited to:
- Stolen credentials gathered from unidentified sources (e.g. …)
- Exposed credentials that are not applicable on the program’s scope
- Exposed GitHub/GitLab (or similar) instance with no direct relation with our program’s scope
- Exposed secrets (e.g. API tokens/keys or other technical credentials) that are not directly related to the program’s scope
- Exposed PII on an out-of-scope asset
Failure to comply with the preceding rules will result in the rejection of your report.
💡 Good to note
You are testing on a production environment, which means that you will be booking real tickets and trips, with actual payments and transactions. Nonetheless, if you want to try the whole payment process without being charged, you can book a refundable trip several months ahead and then easily get your refund after your tests.
Reward
CVSS severity | Low | Medium | High | Critical
---|---|---|---|---
Reward | €50 | €500 | €2,000 | €10,000
Scopes
Scope | Type
---|---
https://www.sncf-connect.com | web-application
https://sncf-connect.com | web-application
https://monidentifiant.sncf | web-application
https://www.sncf-connect.com/bff | api
Out of scope
- Please note that sncf-connect.com does not own the SNCF.com domains.
- Anything that is not listed as part of the scope, for example:
  - https://www.sncf.com/
  - https://tgvinoui.sncf/
  - https://www.sncf-voyageurs.com/
  - https://www.maxjeune-tgvinoui.sncf/
  - https://www.malocationavis.sncf-connect.com/
- The SNCF Connect mobile applications (Android and Apple) are out of scope, even though the web services they use are in scope (accessible through paths beginning with 'https://www.sncf-connect.com/bff').
Vulnerability types
Qualifying vulnerabilities
- Access to administration panel
- Access to any client or banking data (Create your own account to test)
- Access to customer account (e.g. logged as someone else) through server attack (not from user side attack) (Create your own account to test)
- Alteration of the buying/payment system
- Any PoC of persistent change to the website content (e.g. defacing)
- Business Logic Errors vulnerability with real security impact
- Cross-Site Scripting (XSS), stored and reflected
- Cross-site Request Forgery (CSRF) with real security impact
- Directory traversal
- Insecure Direct Object Reference (IDOR)
- Local files access and manipulation (LFI, RFI, XXE, SSRF, XSPA)
- Open Redirect
- Remote Code Execution (RCE)
- SQL Injection (SQLi)
- Sensitive information found within the scope
Non-qualifying vulnerabilities
- Ability to spam users (email / SMS / direct messages flooding)
- Any hypothetical flaw or best practices without exploitable PoC
- CORS configuration, except if you can show a way to exploit this vulnerability to compromise sensitive information
- Clickjacking / UI redressing
- Content spoofing on login_hint or email attribute on https://monidentifiant.sncf
- Content/Text injections
- Disclosed / misconfigured Google API key (including Google Maps)
- Disclosure of information on partners + CSRF partners links
- Disclosure of information without direct security impact (e.g. stack traces, path disclosure, directory listings, software versions, IP disclosure, 3rd party secrets)
- Disclosure of known public files or directories (e.g. robots.txt)
- Expired certificate, best practices and other related issues for TLS/SSL certificates
- Invalid or missing SPF (Sender Policy Framework), DKIM, DMARC records
- Known CVEs without working PoC
- Lack of email validation at password reset on https://monidentifiant.sncf
- Lack of rate limiting, brute-forcing or CAPTCHA issues, Denial of Service (DoS) attacks, timeouts
- Missing cookie flags
- Missing security-related HTTP headers which do not lead directly to a vulnerability (CSP, HSTS, X-Frame-Options, X-XSS-Protection, X-Content-Type-Options...)
- Mixed content warnings
- OSINT search
- Open ports without real security impact
- Outdated libraries without a demonstrated security impact
- Password requirements policies (length / complexity / reuse)
- Password reset token leak to a trusted third-party website via the Referer header (e.g. Google Analytics, Facebook…)
- Physical exploitation
- Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality
- Recently disclosed 0-day vulnerabilities (less than 60 days since patch release)
- Reflected XSS on https://hiflow.sncf-connect.com/
- Reports with attack scenarios requiring MITM or physical access to victim's device
- Session expiration policies (no automatic logout, invalidation after a certain time or after a password change)
- Social engineering of staff or contractors
- Subdomain takeover without a full working PoC
- Tabnabbing
- Unauthenticated / Logout / Login and other low-severity Cross-Site Request Forgery (CSRF)
- User enumeration (email, alias, GUID, phone number)
Hunting requirements
Account access
If you already have an account, you can log in at https://www.sncf-connect.com/app/account.
A popup window on monidentifiant.sncf will appear, in which you can complete your authentication.
Otherwise, you can create an account from that page, at https://www.sncf-connect.com/app/account/creation.
You can download the mobile application from the Android and Apple app stores.
User agent
Please append the following value to your User-Agent header: ' ywh-bb-sncf-connect '.
Hunters collaboration
When submitting a new report, you can add up to 5 collaborators and define the reward split ratio.
For more information, see the help center.
Note: for reports that have already been rewarded, it is not possible to redistribute the rewards.