To submit a vulnerability report, you need to login with your hunter account.
Easyship Public Bug Bounty Program
Easyship is a shipping platform for ecommerce merchants
Reward
Program
Avg reward -
Max reward -
Scopes6
Supported languagesEnglish
Hacktivity
Reports90
1st response < 1 day
Reports last 24h90
Reports last week90
Reports this month90
Program description
Program activity
Easyship
Easyship is an end-to-end logistics platform, built to enable hyper-local to cross-border eCommerce, while removing barriers to entry, like inefficient systems and prohibitive costs for SMEs. As a user-centric product, Easyship has helped to simplify the complex world of logistics for more than 40,000 clients worldwide, making it more accessible for eCommerce SMBs and startups to grow.
The goal of these programs is to assist us in improving our users' security which is one of our top priorities.
Please note that reward will depend on real business impacts, not only the CVSS scoring. For example, a SSRF will not be scored Critical unless you're able to demonstrate a critical business impact (please do coordinate with us).
Here are a few examples of business impacts:
- Massive dumping / leak of PII of customer data
- Ability to bypass cart, voucher, checkout, promotion rules to gain price advantage.
- Ability to bypass business logic in order management, cancellation and returns that leads to financial losses to EasyShip (without the use of social engineering)
- Complete an "Unpaid Order" successfully without making any payment
- RCE on production infrastructure (not in a sandbox/staging)
- At scale fraud
Bypassing access to premium features has low business impact for us and will be treated as a non-qualifying vulnerability.
Reminder
- Please ONLY use your YesWeHack email aliases to create accounts (aliases for your account are in "MY YES WE HACK" menu). Other email addresses will not be accepted.
Should you require more alias contact: support@yeswehack.com
Program Rules
- We believe that no technology is perfect and that working with skilled security researchers is crucial in identifying weaknesses in our technology.
- If you believe you've found a security bug in our service, we are happy to work with you to resolve the issue promptly and ensure you are fairly rewarded for your discovery.
- Any type of denial of service attacks is strictly forbidden, as well as any interference with network equipment and pulse infrastructure.
- You must not attempt to gain access to, or interact with, any users other than those created by you
- You must not have compromised the privacy of our users
- You must not schedule meetings as part of testing activities. Scheduling meetings can block time that is otherwise reserved for genuine customers, causing disruptions to business operations.
- We will use the "OneFixOneReward" process: if two or more endpoints/forms use the same code base and a single fix can be deployed to fix all the other weaknesses, only one endpoint will be considered eligible for a reward and other reports will be closed as Informative. In any case, all reports will be reviewed edge by edge.
Eligibility and Responsible Disclosure
We are happy to thank everyone who submits valid reports which help us improve the security of EasyShip however, only those that meet the following eligibility requirements may receive a monetary reward:
- You must be the first reporter of a vulnerability.
- The vulnerability must be a qualifying vulnerability (see below)
- Any vulnerability found must be reported no later than 24 hours after discovery and exclusively through yeswehack.com
- You must send a clear textual description of the report along with steps to reproduce the issue, include attachments such as screenshots or proof of concept code as necessary.
- You must avoid tests that could cause degradation or interruption of our service (refrain from using automated tools, and limit yourself about 10 requests per second).
- You must not leak, manipulate, or destroy any user data.
- You must not be a former or current employee of EasyShip or one of its contractor.
- Vulnerability disclosure, even partial is NOT allowed.
Reports about vulnerabilities are examined by our security analysts. Our analysis is always based on worst case exploitation of the vulnerability, as is the reward we pay.
Known issues
- Email verification bypass on signup
- Vertical Privilege Escalation on the team management (IDOR within the same company)
- Broken Link Hijacking
Reward
| Asset value | CVSS | CVSS | CVSS | CVSS |
|---|---|---|---|---|
| $25 | $200 | $1,000 | $2,500 |
Scopes
| Scope | Type | Asset value | Expand rewards grid |
|---|---|---|---|
https://www.easyship.com | Web application | ||
Low Medium High Critical | |||
https://supership.easyship.com | Web application | ||
Low Medium High Critical | |||
https://trackmyshipment.co | Web application | ||
Low Medium High Critical | |||
https://collect.easyship.com/ | Web application | ||
Low Medium High Critical | |||
https://claims.easyship.com/ | Web application | ||
Low Medium High Critical | |||
https://auth.easyship.com | Web application | ||
Low Medium High Critical | |||
Out of scopes
- Anything not listed in the scope.
- app.easyship.com
- api.easyship.com
Vulnerability types
Qualifying vulnerabilities
- SQL Injection (SQLi)
- Cross-Site Scripting (XSS)
- Remote Code Execution (RCE)
- Insecure Direct Object Reference (IDOR)
- Horizontal and vertical privilege escalation
- Authentication bypass & broken authentication
- Business Logic Errors vulnerability with real security impact
- Local files access and manipulation (LFI, RFI, XXE, SSRF, XSPA)
- Cross-Origin Resource Sharing (CORS) with real security impact
- Cross-site Request Forgery (CSRF) with real security impact
- Open Redirect
- Exposed secrets, credentials or sensitive information on an asset under our control and affecting at least one of our scopes
Non-qualifying vulnerabilities
- Broken Link/Social media Hijacking
- Tabnabbing
- Missing cookie flags
- Content/Text injections
- Clickjacking/UI redressing
- Denial of Service (DoS) attacks
- Recently disclosed CVEs (less than 30 days sinces patch release)
- CVEs without exploitable vulnerabilities and PoC
- Open ports or services without exploitable vulnerabilities and PoC
- Social engineering of staff or contractors
- Presence of autocomplete attribute on web forms
- Vulnerabilities affecting outdated browsers or platforms
- Self-XSS or XSS that cannot be used to impact other users
- Any hypothetical flaw or best practices without exploitable vulnerabilities and PoC
- SSL/TLS issues (e.g. expired certificates, best practices)
- Unexploitable vulnerabilities (e.g. Self-XSS, XSS or Open Redirect through HTTP headers...)
- Reports with attack scenarios requiring MITM or physical access to victim's device
- Missing security-related HTTP headers which do not lead directly to an exploitable vulnerability and PoC
- Low severity Cross-Site Request Forgery (CSRF) (e.g. Unauthenticated / Logout / Login / Products cart updates...)
- Invalid or missing email security records (e.g. SPF, DKIM, DMARC)
- Session management issues (e.g. lack of expiration, no logout on password change, concurrent sessions)
- Disclosure of information without exploitable vulnerabilities and PoC (e.g. stack traces, path disclosure, directory listings, software versions, IP disclosure, 3rd party secrets, EXIF Metadata, Origin IP)
- CSV injection
- Malicious file upload (e.g. EICAR files, .EXE)
- HTTP Strict Transport Security Header (HSTS)
- Subdomain takeover without a full exploitable vulnerability and PoC or not applicable to the scope
- Blind SSRF without exploitable vulnerabilities and PoC (e.g. DNS & HTTP pingback, Wordpress XMLRPC)
- Lack or bypass of rate-limiting, brute-forcing or captcha issues
- User enumeration (e.g. email, alias, GUID, phone number, common CMS endpoints)
- Weak password policies (e.g. length, complexity, reuse)
- Ability to spam users (email / SMS / direct messages flooding)
- Disclosed or misconfigured public API keys (e.g. Google Maps, Firebase, analytics tools...)
- Password reset token sent via HTTP referer to external services (e.g. analytics / ads platforms)
- Stolen secrets, credentials or information gathered from a third-party asset that we have no control over
- Exposed secrets, credentials or information on an asset under our control that are not applicable to the program’s scope
- Pre-account takeover (e.g. account creation via oAuth)
- GraphQL Introspection is enabled
- Email verification bypass on signup
- Vertical Privilege Escalation on the team management (IDOR within the same company)
Reports of leaks and exposed credentials
In the context of this program, we do not intend to encourage, accept or reward reports of leaks that are not applicable to our program’s scope and policy. To summarize our policy, you may refer to the below table:
Type of leak
Source of leak is in-scope
Source of leak belongs to the Organization and is out-of-scope
Source of leak does not belong to the Organization and is out-of-scope
Impact is in-scope (e.g. valid credentials on an in-scope asset)
Impact is out-of-scope (e.g. valid credentials for an out-of-scope asset)
Hunting requirements
Account access
Please ONLY use your YesWeHack email aliases (@yeswehack.ninja) to create accounts (aliases for your account are in "MY YES WE HACK" menu). The bug you found will not qualify for the bounty if you create an account using an email other than your Yewehack alias (@yeswehack.ninja).
Should you require more alias contact: support@yeswehack.com
Note that no accounts will be provided for supership.easyship.com
Hunters collaboration
When submitting new report, you can add up to 5 collaborators, and define the reward split ratio.
For more information, see help center.
Note: For reports that have already been rewarded, it is not possible to redistribute the rewards.