Bug bounty
Public

3DS OUTSCALE

Dassault Systèmes S.E. and its affiliates (together “3DS”) enable sustainable economic and social innovation (https://www.3ds.com)

Reward

Bounty: €50
Low: €100
Medium: €500
High: €1,000
Critical: €5,000

Program

Avg reward: -
Max reward: -
Scopes: 8

Supported languages: English, French

Hacktivity

Reports: 180
1st response: < 5 days
Reports last 24h: -
Reports last week: -
Reports this month: -

TL;DR

3DS OUTSCALE, an IaaS Cloud provider, is looking for any security-oriented feedback. We are exposing all of our client accessible endpoints for your greatest pleasure.

Want to know the target of this bug bounty? It's simple! The focus is on the Cloud itself, not 3DS OUTSCALE as a company. We want you to find any way of accessing other people's resources, or anything impacting their customer experience or the infrastructure itself!

Is that it? Are you enthralled? Are you ready to make your pentesting tools armada let out an enthusiastic roar?

Then read the rest of this page to avoid losing precious time and points by reporting Out of Scope vulnerabilities, and get to know us a bit more at the same time (including how to create a BugBounty account on our cloud environment).

Hunter skills that will lead you to success:

  • Web, but you'd better be good, as that's the most common skill your fellow hunters share.
    • Be prepared to attack APIs.
  • SecOps, as you'll need an understanding of how the Cloud works.
  • Network Security, as the golden nugget might very well be hidden inside our network.

Changelog

06/09/2019 - New Rewards!
22/06/2020 - Better explanation of the focus on the Cloud itself

Introduction

Founded in 2010, strategic partner of Dassault Systèmes and CMSP Advanced certified by Cisco Systems, 3DS OUTSCALE provides enterprise-class Cloud Computing services (IaaS) that meet regulatory and local requirements. 3DS OUTSCALE is committed to offering services that combine excellence and reliability, and offers solutions to clients seeking to boost their business agility and rapidly deploy value-enhancing business models. 3DS OUTSCALE counts 800 satisfied clients throughout the world as well as several hundred users working for well-known multinationals via Dassault Systèmes. 3DS OUTSCALE has received ISO 27001:2013 security certification for all its French locations.

3DS OUTSCALE develops its own Cloud orchestrator, TINA OS, with strong security requirements, and provides many additional products around this infrastructure.

3DS OUTSCALE Services Overview

As 3DS OUTSCALE is compatible with AWS EC2, our infrastructure has a similar architecture.

We have public websites (https://outscale.com/) which are not in the scope, and which are not part of our products.

We have several APIs aiming to manage specific resources in the Cloud:

  • You can find the extensive list here: https://wiki.outscale.net/display/DOCU/Regions%2C+Endpoints+and+Availability+Zones+Reference
  • Each endpoint in the eu-west-2 region is in the scope of this bug bounty program.

We also have a web interface, Cockpit, built on top of our APIs, allowing our clients to interactively manage their resources in our Cloud:

  • This IS in the scope of this bug bounty program.

Our documentation can be found at the following locations:

  • https://wiki.outscale.net/
    • Here, you will find all kinds of information on how to use our Cloud.
  • http://docs.outscale.com/api_fcu/index.html
    • This is the API documentation. This is mostly useful when hunting for bugs in the API.

(Those ARE NOT in the scope.)

The points of focus for vulnerability must be on:

  • Confidentiality
  • Integrity
  • Traceability

Availability-focused vulnerabilities are not in the scope (denial of service is not allowed). Only exploitable vulnerabilities are covered.
Data leaks are not in the scope either. We are not particularly interested in vulnerabilities relating to 3DS OUTSCALE as a company, and want to focus on the Cloud service we provide.
A proof of concept must be provided in the report for every vulnerability.
Customers with Cloud resources are not part of this bounty. Snapshots and images provided by 3DS OUTSCALE are not part of it either. Please refrain from accessing customer data!

Keep in mind that this is a production environment: no data alteration is allowed inside the 3DS OUTSCALE infrastructure or on 3DS OUTSCALE customers' Cloud infrastructure. You must not affect the availability of the platform.

If you have any doubts on whether you can test something or not, or if you want to make sure you are allowed to do something specific, you can send us an e-mail at bugbounty@outscale.com.

Rewards and Process

3DS OUTSCALE will determine, at its discretion, whether a reward should be granted, and the amount of this reward. We may choose to pay higher rewards for severe vulnerabilities or lower rewards for vulnerabilities that are considered less severe. This is not a competition.

Our Security team will review each submitted finding and contact you as soon as possible to reproduce and fix the reported vulnerability. Please allow 5 working days for our initial reply. We ask you to make a good-faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our services during your research.

In case of a problem, you can send an e-mail to bugbounty@outscale.com.
We are able to help you with the cloud itself (if you need help understanding behaviors), and are willing to help you move forward when you feel like you have found something but fail to exploit it.


Reward

Asset value   CVSS Low   CVSS Medium   CVSS High   CVSS Critical
Low           €100       €500          €1,000      €5,000

Scopes

Scope                                        Type             Asset value
https://cockpit-eu-west-2.outscale.com/      web-application  Low
https://fcu.eu-west-2.outscale.com           api              Low
https://lbu.eu-west-2.outscale.com           api              Low
https://osu.eu-west-2.outscale.com           api              Low
https://eim.eu-west-2.outscale.com           api              Low
https://icu.eu-west-2.outscale.com           api              Low
https://directlink.eu-west-2.outscale.com    api              Low
Any resource created or accessed with the Outscale Cloud, on all regions other   (type not listed)   Low

Every scope above uses the same reward grid: Low €100, Medium €500, High €1,000, Critical €5,000.

Out of scopes

  • Other subdomains on outscale.com (wiki.outscale.net, fr.outscale.com, en.outscale.com...)
  • Social engineering of Outscale employees and contractors
  • Attack against Outscale offices (malware, backdoor, DoS, etc.)
  • Denial of service attacks
  • Vulnerabilities on products or services other than Cockpit or APIs
  • Issues in our DNS and NTP
  • Issues not leading to confidentiality, traceability or integrity problems. You can report it to support@outscale.com.
  • Same behavior as Amazon Web Services
  • E-mail server configuration (DKIM/SPF/DMARC)
  • Data leaks or 3DS OUTSCALE-related vulnerabilities outside the scope of the IaaS Cloud Service.

Vulnerability types

Qualifying vulnerabilities

  • Broken Authentication and Session Management
  • Cross Site Scripting (XSS) and other injections
  • Insecure Direct Object Reference
  • Sensitive Data Exposure
  • Security Misconfiguration
  • Missing Function Level Access Control
  • Cross Site Request Forgeries
  • Using Components With Known Vulnerabilities
  • Unvalidated Redirections and Forwardings
  • Firewall Escaping (inbound or outbound)
  • Virtualization Escaping
  • De-anonymization of resources or accounts

Non-qualifying vulnerabilities

  • TLS Cipher Suites (**unless severe problems: NULL, RC4, DES**)
  • TLS Security Headers
  • Cross Site Request Forgery (CSRF and XSRF)
  • Self XSS (**unless stored**)
  • Click-Jacking

Hunting requirements

Account access

The public account creation form does not enable you to automatically create an account. Do not use this form (nor test its security; it is Out of Scope).

The only way of creating a cloud account is to contact us at bugbounty@outscale.com. We will acknowledge your request, confirm your YesWeHack account and Email Alias, and initiate the account creation internally.

Please be aware that this account must only be used for the bug bounty, and all spawned resources may be deleted at any time.


Hunters collaboration

When submitting a new report, you can add up to 5 collaborators and define the reward split ratio.

For more information, see the help center.
Note: for reports that have already been rewarded, it is not possible to redistribute the rewards.