avatar
Bug bounty
Public

Cryptobox

Ercom is a reference French company with 30 years of combined expertise in two key areas: cybersecurity and communication networks. Ercom is part of the Thales Group.

Reward

Bounty
Hall of fame
€100
Low
€100
Medium
€1,000
High
€3,000
Critical
€5,000

Program

Avg reward
€244.73
Max reward
€1,500
Scopes
3

Supported languages
English
French

Hacktivity

Reports
206
1st response
< 5 days
Reports last 24h
-
Reports last week
1
Reports this month
1

What is Cryptobox?

Cryptobox provides businesses and organizations with a sharing and collaboration solution to secure internal and external exchanges, using end-to-end encryption.

You can securely access your documents from any device, control your data and costs with a scalable architecture and a patented security solution. Cryptobox can be deployed on premises, in the cloud or in a hybrid model depending on customer architecture requirements.

Share, collaborate and exchange end-to-end encrypted documents with colleagues or external partners!

  • Safely exchange data and documents through end-to-end encryption
  • As a workspace owner, maintain control by defining the roles of each member
  • Ensure that each user can access only what they are entitled to see
  • Accessible across multiple devices and browsers

Adds-on Options available:

  • Deposit box
    Each user can create and share a unique, secure ‘deposit box' link, allowing anyone who doesn't necessarily have an account to upload documents directly into Cryptobox with just 1 click.

Website

Security

Cryptobox has been qualified by ANSSI for use at the "restricted" level, and certified at the Common Criteria EAL3+ level.

Ercom is convinced that working with skilled security hunters around the globe is a relevant part of the flow remediation process dedicated to maintain a high security level.

New releases

[Version 4.35]

iOS

  • When the application is launched, the workspace list is systematically displayed as the home page.
 

[Version 4.34]

  • File history
- For each file, users have the option to view and export its activities. The feature also allows retrieving any version of the file and viewing the downloads associated with each version. You can find out more about this new feature from this leaflet
  • Workspace restoration reserved for owners -
From now on, only the owners of a workspace have the ability to restore a previous state of the workspace from the history.
 

[Version 4.33]

Web / Desktop

  • Deposit box -
The user can generate a link to allow someone (without an account) to upload files to Cryptobox. Only the creator of the deposit box can access the files and choose to download them or integrate them into one of their workspaces.

[Version 4.32]

  • Global:
    • Export file activities -
File activities can be exported via the new "Export activities" menu. Activities will only be tracked for files added or modified after the upgrade to version 4.32.
    • Replacing the content of an existing file -
It is now possible to modify a document by directly uploading a new version of it via the "Import new version" menu. Whatever the name of the file uploaded, the name of the existing file in the space is preserved, only its content is modified.

[Version 4.31]

  • Global :
    • Internal links: ability to share with workspace members a link to the current version of a given file or directory
    • Display of a dedicated page during maintenance operations 
  • Android :
    • Deleted workspaces section has been added on Android devices



Rules

What hunters must do

  • All our program rules must be agreed and complied by hunters.
  • All tests shall be done following the processes set by YesWeHack.
  • Ercom provides a dedicated test platform for vulnerability assessment at https://bounty.cryptobox.com. This is the only platform that shall be challenged.
  • Each hunter will get access to 2 accounts, so that hunters can try attacking one of their account from the other.

What hunters must not do

  • Tests not compliant with rules of YesWeHack will not receive any reward, and will be deemed illegal.
  • Hunters must not violate any local, state, national or international law.
  • Hunters must not attack other another accounts than one of theirs.
  • Hunters must not use social engineering attacks.
  • Hunters shall not use more than 1 GB per account.
  • All documents provided to the hunters are currently confidential and shall not be disclosed.
  • Hunters shall not publicly disclose the bug until Ercom has confirmed the bug is fixed. Even then they shall not make exploits publicly available unless required by law or with Ercom’s written permission.

Supported browsers

  • Current versions of Firefox, Chrome and Edge.

Supported apps

Note

Cryptobox is a product that can be deployed either on premise or in the cloud, with one platform being deployed for a given company. It is expected that users of a given Cryptobox platform have access to each other information. This includes the email address, first name, last name and public certificates. In the context of this bug bounty, we deployed one dedicated platform https://bounty.cryptobox.com for all hunters. As a consequence, please be aware that your account information (first name, last name, email) will be visible by all other hunters.

Rewards

Ercom will pay rewards at Ercom’s discretion for a serious and reproducible vulnerability. Submissions will be evaluated in regard to the impact of uncovered vulnerabilities to these assets. Hunters are responsible for any applicable taxes associated with any reward you receive. Any report that results in a change in our code base will be rewarded, at minimum, by a €100 reward. Only the first hunter who find a given vulnerability is eligible to get a reward.

Please note that we may modify the terms of this program or terminate it at any time.

Reports of leaks and exposed credentials

In the context of this program, we do not intend to encourage, accept or reward reports of leaks that are not applicable to our program’s scope and identified outside of our program’s scope, such as:

  • Exposed credentials in/from an out-of-scope asset/source
  • Sensitive information exposed in/from an out-of-scope asset/source

Also, in order not to encourage dark and grey economies, in particular the purchase, resale and trade of identifiers or stolen information, as well as all types of dangerous behavior (e.g. social engineering, ...), we will not accept or reward any report based on information whose source is not the result of failure on the part of our organization or one of our employees/service providers.

This excludes, but is not limited to:

  • Stolen credentials gathered from unidentified sources
  • Exposed credentials that are not applicable on the program’s scope
  • Exposed GitHub/GitLab (or similar) instance with no direct relation with our program’s scope
  • Exposed secrets (e.g. API tokens/keys or other technical credentials) that are not directly related to the program’s scope
  • Exposed PII on an out-of-scope asset

To summarize our policy, you may refer to this table :

Source of leak is in-scope Source of leak belongs to MyCompany but is out-of-scope Source of leak does not belong to MyCompany and is out-of-scope
Impact is in-scope (e.g. valid credentials on an in-scope asset) Eligible Eligible Not Eligible
Impact is out-of-scope (e.g. valid credentials for an out-of-scope asset) Eligible Not Eligible Not Eligible

Important precautions and limitations

As a complement to the Program’s rules and testing policy :

  • DO NOT alter compromised accounts by creating, deleting or modifying any data
  • DO NOT use compromised accounts to search for post-auth vulnerabilities (they won’t be eligible anyway)
  • DO NOT include Personally Identifiable Information (PII) in your report and please REDACT/OBFUSCATE the PII that is part of your PoC (screenshot, server response, JSON file, etc.) as much as possible.
  • In case of exposed credentials or secrets, limit yourself to verifying the credentials validity
  • In case of sensitivie information leak, DO NOT extract/copy every document or data that is exposed and limit yourself to describe and list what is exposed.


Reward

Asset value CVSS
Low
CVSS
Medium
CVSS
High
CVSS
Critical
Medium
€100€1,000€3,000€5,000

Scopes

ScopeTypeAsset value
https://bounty.cryptobox.com web-application
Medium
Low
€100
Medium
€1,000
High
€3,000
Critical
€5,000
https://play.google.com/store/apps/details?id=com.ercom.cryptobox.release&hl=fr mobile-application-android
Medium
Low
€100
Medium
€1,000
High
€3,000
Critical
€5,000
https://apps.apple.com/fr/app/cryptobox/id972602802 mobile-application-ios
Medium
Low
€100
Medium
€1,000
High
€3,000
Critical
€5,000

Out of scopes

  • Testing any other system than https://bounty.cryptobox.com, in particular *.cryptobox.com or *.ercom.fr.

Vulnerability types

Qualifying vulnerabilities

  • Any attack allowing to access another user password, including by attacking the trustee mecanism for account recovery
  • Any attack allowing to access files/messages stored in a workspace/conversation you are not part of
  • Any attack allowing to bypass user permissions in a workspace (e.g. update documents if you only have reader permission, or add users if you only have member permissions)
  • Any attack allowing you to access a file shared without knowing the sharing key
  • Any attack allowing to alter the file history
  • Any attack allowing to extract the private device keys used in the mobile applications
  • Cross-Site Scripting (XSS)
  • SQL injections
  • Remote Code Execution (RCE)
  • Insecure Direct Object Reference (IDOR)
  • Horizontal and vertical privilege escalation
  • Authentication bypass & broken authentication
  • Business Logic Errors vulnerability with real security impact
  • Local files access and manipulation (LFI, RFI, XXE, SSRF, XSPA)
  • Cross-Origin Resource Sharing (CORS) with real security impact
  • Cross-site Request Forgery (CSRF) with real security impact
  • Open Redirect
  • Exposed secrets, credentials or sensitive information from an asset under our control

Non-qualifying vulnerabilities

  • Ability for an authenticated user to enumerate user accounts information (email, first name, last name, public certificates) on the same platform
  • Ability for an un-authenticated user to test if an account exists on the server
  • Ability for members with the viewer role to extract files using the browser
  • Ability for users to share malicious files with other users (Cryptobox being an end-to-end encrypted file sharing service, the server cannot have access to shared payload or even file extensions. We have an optional feature based on a specific client integration though, but it is not enabled on the platform dedicated for the bug bounty)
  • Denial of Service vulnerabilities, lack of rate limiting, brute force attacks
  • Client applications remains connected without time limit
  • Tabnabbing
  • Known CVEs without working PoC
  • Social engineering of staff or contractors
  • Presence of autocomplete attribute on web forms
  • Outdated libraries without a demonstrated security impact
  • Any hypothetical flaw or non followed best practice without exploitable PoC
  • Reports with attack scenarios requiring physical access to victim's device
  • Disclosure of information without direct security impact (e.g. stack traces, path disclosure, directory listings, software versions
  • Password requirements policies (length / complexity / reuse)
  • Ability to spam users (email / SMS / direct messages flooding)
  • Recently disclosed 0-day vulnerabilities (less than 30 days since patch release)

Hunting requirements

Account access

You can register using your YesWeHack email alias(@yeswehack.ninja) on the dedicated platform https://bounty.cryptobox.com.

To find your email aliases, go to https://yeswehack.com/user/tools/email-alias

Please note that as documented in the program description, the name and email address you provide during registration will be visible from other hunters.


Hunters collaboration

When submitting new report, you can add up to 5 collaborators, and define the reward split ratio.

For more information, see help center.
Note: For reports that have already been rewarded, it is not possible to redistribute the rewards.