Reward
Program
Hacktivity
Company
Open-Xchange is a leading provider of communication, security and productivity platforms. We are committed to a borderless Internet that is open, safe and free, allowing users to protect their own data and privacy. To achieve this goal, we build open-source software, which is the sole scope of this bounty program. PowerDNS is our DNS server that enables domain resolution and network security features, and is part of many operating systems.
Since our interfaces and source code are both publicly documented and exposed, we rely on strong authentication, crypto implementations and do not support the concept of security by obscurity. At the same time, we're delivering our software in a way that it comes with secure defaults. For this program you need to install our software on your premises for research.
We also run bug-bounty programs for our other products:
Program Rules
- We believe that no technology is perfect and that working with skilled security researchers is crucial in identifying weaknesses in our technology.
- If you believe you've found a security bug in our service, we are happy to work with you to resolve the issue promptly and ensure you are fairly rewarded for your discovery.
- Any type of denial of service attacks is strictly forbidden, as well as any interference with our infrastructure.
- You can set up a lab environment for your own research based on public software packages, containers and source-code. However, we will not accept reports which are specific to your lab's configuration and cannot be reproduced on our deployments.
Moreover you must avoid :
- Tests that could cause degradation or interruption of our service (refrain from using automated tools, and limit yourself about requests per second).
- Editing our public wiki on GitHub.
- Uploading, sending or injecting malware to Open-Xchange and contractors
- Using data acquired by compromising customer or employee accounts
Vulnerabilities which have already been reported to us (including reports received outside YesWeHack, for example from -customers or penetration tests) are considered as "Duplicate" in case they describe a similar attack type, regardless of which component is affected.
The triage team will use the "One Fix One Reward" process: if two or more endpoints use the same code base and a single fix can be deployed to fix all the others weaknesses, only one endpoint will be considered as eligible for a reward and other reports will be closed as Informative. We reward based on vulnerability, not per endpoint.
Reports of leaks and exposed credentials
In the context of this program, we do not intend to encourage, accept or reward reports of leaks that are not applicable to our program scope and identified outside of our program scope, such as:
- Exposed credentials in/from an out-of-scope asset/source
- Sensitive information exposed in/from an out-of-scope asset/source
- Credentials provided on purpose, for example access to a Sandbox installation
Also, in order not to encourage dark and grey economies, in particular the purchase, resale and trade of identifiers or stolen information, as well as all types of dangerous behavior (e.g. social engineering, ...), we will not accept or reward any report based on information whose source is not the result of failure on the part of our organization or one of our employees.
This excludes, but is not limited to:
- Stolen credentials gathered from unidentified sources
- Exposed credentials that are not applicable on the program scope
- Exposed GitHub/GitLab (or similar) instance with no direct relation with our program scope
- Exposed secrets (e.g. API tokens/keys or other technical credentials) that are not directly related to the program scope
- Exposed PII on an out-of-scope asset
Source of leak is in-scope | Source of leak belongs to Open-Xchange but is out-of-scope | Source of leak does not belong to Open-Xchange and is out-of-scope | |
---|---|---|---|
Impact is in-scope (e.g. valid credentials on an in-scope asset) | Eligible | Eligible | Not Eligible |
Impact is out-of-scope (e.g. valid credentials for an out-of-scope asset) | Eligible | Not Eligible | Not Eligible |
Important precautions and limitations
As a complement to the program rules and testing policy :
- DO NOT alter compromised accounts by creating, deleting or modifying any data
- DO NOT use compromised accounts to search for post-auth vulnerabilities (they will not be eligible anyway)
- DO NOT include Personally Identifiable Information (PII) in your report and please REDACT/OBFUSCATE the PII that is part of your PoC (screenshot, server response, JSON file, etc.) as much as possible.
- In case of exposed credentials or secrets, limit yourself to verifying the credentials validity
- In case of sensitivie information leak, DO NOT extract/copy every document or data that is exposed and limit yourself to describe and list what is exposed.
Eligibility
We are happy to thank everyone who submits valid reports which help us improve the security of PowerDNS, however, only those that meet the following eligibility requirements may receive a monetary reward.
- You must be the first reporter of a vulnerability.
- The vulnerability must be a qualifying vulnerability (see below)
- Any vulnerability found must be reported no later than 24 hours after discovery and exclusively through yeswehack.com
- You must send a clear textual description of the report along with steps to reproduce the issue, include attachments such as screenshots as necessary. PoC exploit code is highly appreciated.
- You must not be a former or current employee of Open-Xchange or one of its contractors.
- Reports about vulnerabilities are examined by our security analysts.
- Our analysis is always based on worst-case exploitation of the vulnerability, as is the reward we pay.
- When reviewing source-code, the "main" or "master" branches represent the current versions. Only reports for those branches will be eligible for bounty, if there is a master and main branch, the main branch takes precedence.
- For packages the last two released minor versions are eligible for bounty.
We are interested in security issues in the following products:
- PowerDNS Authoritative Server
- PowerDNS Recursive Server
- dnsdist
Software packages
You can use on-premise installations of our software free of charge and have a look at its inner workings. We expect that you're using up-to-date versions of our software and related services, hardened configurations as well as a set of strong credentials.
You can download pre-compiled software-packages from our repository:
Learn more from overviews and guides at https://oxpedia.org/ and technical documentation is provided at https://doc.powerdns.com/.
Source-code
Source-code can be obtained from GitHub:
The "master" branch represents the latest stable release.
Mind that each component has various integration points, APIs and subcomponents that are in scope. Please refer to our documentation to learn more.
Rating and Responsible Disclosure
We use CWE, CVE, CVSS to rate and categorize vulnerabilities. Any vulnerability will be publicly disclosed after sufficient time has passed for operators to deploy updates. Advisories use CSAF and will be published on our update sites, mailing-lists and external mailing-lists like oss-security. Please understand that we handle the full disclosure process and expect that you do not disclose any findings yourself, we will include researcher credits if requested.
Reward
Asset value | CVSS | CVSS | CVSS | CVSS |
---|---|---|---|---|
€100 | €500 | €2,000 | €8,000 |
Scopes
Scope | Type | Asset value | Expand rewards grid |
---|---|---|---|
PowerDNS authoritative server, recursor and DNSdist (see "Software packages" and "Source-code") | other | ||
Low Medium High Critical |
Out of scopes
- All content which is not listed as "Scopes", especially any production system operated by customers
- "Scopes" in this program refer to the binary packages and source-code provided there, the systems providing those artefacts are out of scope
- Everything that is not directly related to the application or source-code in scope (e.g. GitHub, domain settings)
Vulnerability types
Qualifying vulnerabilities
- Remote code execution (RCE)
- Buffer overflows, underflows
- Crashes that hint security impact
- Local files access and manipulation (LFI, RFI, XXE, SSRF, XSPA)
- Code injections (HTML, JS, SQL, ...)
- Broken authentication & session management
- Insecure direct object references
- CORS with real security impact
- Horizontal and vertical privilege escalation
- Cross-Site Scripting (XSS)
- Cross-Site Requests Forgery (CSRF) with real security impact
- Open redirect
- Clickjacking/UI redressing
- Exposed secrets, credentials or sensitive information on an asset under our control and affecting at least one of our scopes
Non-qualifying vulnerabilities
- Software version disclosure
- Stack traces or path disclosure
- Physical or social engineering attempts
- Recently disclosed 0-day vulnerabilities
- Vulnerabilities affecting outdated platforms
- Reports for outdated versions of our software (more than two minor versions old)
- Findings that do not have considerable impact on availability, confidentiality and integrity
- Reports from automated vulnerability scanners (Acunetix, Vega, Burp, Nessus, etc.) that have not been validated
- Spamming, harassment or any other kind of unauthorized communication
- Legacy and unsupported versions
- Any physical attempts against our employees, property or datacenters
- Purposely weakening the default configuration of our components, vulnerabilities which have been made possible by purposely weakening the default configuration while using authorized privileged access
- Vulnerabilities of third-part components, websites or DNS configuration
- "Jailbroken" devices may be used to ease research, flaws that require a device to be jailbroken are not in scope, however
- Vulnerabilities which are purely hypothetical or already publicly known or variations of such, including vulnerabilities that are made possible by exploiting another reported vulnerability
- Stolen secrets, credentials or information gathered from a third-party asset that we have no control over
- Exposed secrets, credentials or information on an asset under our control that are not applicable to the program scope
Hunting requirements
Account access
No accounts required, please deploy the software and start hunting!
User agent
Please append to your user-agent header the following value: ' -ywh-bugbounty-powerdns '.
Hunters collaboration
When submitting new report, you can add up to 5 collaborators, and define the reward split ratio.
For more information, see help center.
Note: For reports that have already been rewarded, it is not possible to redistribute the rewards.