Kiwai
Caisse d'Epargne Normandie is a regional bank member of the BPCE group, one of the major European Banks.
Introduction
As a bank, we are very careful about the security of our applications, and even more so about our customers' data.
Scope
The scopes of this program are listed further below on this program page.
Regarding the hpr and ppr URLs:
https://www.hpr.kiwai-normandie.fr/
https://www.ppr.kiwai-enr.fr/
These are staging platforms, close to the production environment, which is also in scope:
https://www.kiwai-normandie.fr/
https://www.kiwai-enr.fr/
You will have more options within the preproduction environment, where we can provide test data for you.
We therefore ask you to use your YesWeHack email alias(es) to register on the staging platforms. We will then validate your KYC.
If you already registered with your own address on the staging platforms, please contact bugbounty@cen.caisse-epargne.fr and provide your account ID to request validation of your account.
Money can be credited on the staging platforms by following this guide: https://docs.mangopay.com/guide/testing-payments
Additional information
Regarding Preproduction:
- Our Swagger documentation is available here: https://www.api.hpr.kiwai-normandie.fr/index.html
Some development tools are available from the link below, but note that they are out of the scope of this program:
The Kiwai application is a crowd-lending platform to finance green projects in Normandy, and soon the world.
Any vulnerability leading to access to other customers' data (SQLi, code execution, etc.) will be granted the maximum bounty.
We are happy to thank everyone who submits valid reports that help us improve the security of Kiwai. However, only reports that meet the following eligibility requirements may receive a monetary reward:
- You must be the first reporter of a vulnerability.
- The vulnerability must be a qualifying vulnerability (see below).
- Any vulnerability found must be reported no later than 24 hours after discovery, and exclusively through yeswehack.com.
- You must send a clear textual description of the report along with steps to reproduce the issue, include attachments such as screenshots or proof of concept code as necessary.
- You must avoid tests that could cause degradation or interruption of our service (refrain from using automated tools, and limit yourself to about 30 requests per second).
- You must not leak, manipulate, or destroy any user data.
- Our analysis is always based on the worst-case exploitation of the vulnerability, as is the reward we pay. No vulnerability disclosure, even partial, is allowed for the moment.
Other
This program is not open to people working for the BPCE group or for any company working on the Kiwai project.
Reward
Asset value | CVSS Low | CVSS Medium | CVSS High | CVSS Critical
---|---|---|---|---
| €100 | €200 | €600 | €2,000
Scopes
Scope | Type
---|---
https://www.hpr.kiwai-normandie.fr/ | web-application
https://www.api.hpr.kiwai-normandie.fr/ | api
https://www.ppr.kiwai-enr.fr/ | web-application
https://www.kiwai-enr.fr/ | web-application
https://www.api.kiwai-normandie.fr | api
https://www.kiwai-normandie.fr/ | web-application
Each scope uses the rewards grid above (Low / Medium / High / Critical).
Out of scopes
- Any security issue on Yousign or Mangopay not related to Kiwai
Vulnerability types
Qualifying vulnerabilities
- SQL Injection (SQLi)
- Cross-Site Scripting (XSS)
- Remote Code Execution (RCE)
- Insecure Direct Object Reference (IDOR)
- Horizontal and vertical privilege escalation
- Authentication bypass & broken authentication
- Business logic errors with real security impact
- Local files access and manipulation (LFI, RFI, XXE, SSRF, XSPA)
- Cross-Origin Resource Sharing (CORS) with real security impact
- Cross-site Request Forgery (CSRF) with real security impact
- Open Redirect
Non-qualifying vulnerabilities
- Tabnabbing
- Missing cookie flags
- Content/Text injections
- Mixed content warnings
- Clickjacking/UI redressing
- Denial of Service (DoS) attacks
- Known CVEs without working PoC
- Open ports without real security impact
- Social engineering of staff or contractors
- Presence of autocomplete attribute on web forms
- Vulnerabilities affecting outdated browsers or platforms
- Self-XSS or XSS that cannot be used to impact other users
- Outdated libraries without a demonstrated security impact
- Any hypothetical flaw or best practices without exploitable PoC
- Expired certificate, best practices and other related issues for TLS/SSL certificates
- Unexploitable vulnerabilities (ex: XSS or Open Redirect in HTTP Host Header)
- Reports with attack scenarios requiring MITM or physical access to victim's device
- Missing security-related HTTP headers which do not lead directly to a vulnerability
- Unauthenticated / Logout / Login and other low-severity Cross-Site Request Forgery (CSRF)
- Invalid or missing SPF (Sender Policy Framework), DKIM, DMARC records
- Session expiration policies (no automatic logout, invalidation after a certain time or after a password change)
- Disclosure of information without direct security impact (e.g. stack traces, path disclosure, directory listings, software versions, IP disclosure, 3rd party secrets)
- CSV injection
- HTTP Strict Transport Security Header (HSTS)
- Subdomain takeover without a full working PoC
- Blind SSRF without direct impact (e.g. DNS pingback)
- Lack of rate-limiting, brute-forcing or captcha issues
- User enumeration (email, alias, GUID, phone number)
- Password requirements policies (length / complexity / reuse)
- Ability to spam users (email / SMS / direct messages flooding)
- Disclosed / misconfigured Google API key (including Google Maps)
- Recently disclosed 0-day vulnerabilities (less than XX days since patch release)
- Password reset token leak to a trusted third-party website via the Referer header (e.g. Google Analytics, Facebook…)
Hunting requirements
Account access
Account creation is free on the staging platforms. Please use your YesWeHack email alias(es) to register on the staging platforms so that we can validate your account.
If you already registered with your own address, please contact bugbounty@cen.caisse-epargne.fr and provide your account ID to request validation of your account.
Hunters collaboration
When submitting a new report, you can add up to 5 collaborators and define the reward split ratio.
For more information, see the help center.
Note: For reports that have already been rewarded, it is not possible to redistribute the rewards.