Welcome Hunters! 👋🏼

Let us introduce you to Swapcard.

Swapcard is a platform for event organizers to engage their audiences. Connect attendees and boost exhibitors ROI.

Swapcard is working with worldwide events including events on Security, Government event, Health topics, etc.

Swapcard appreciates the effort of software security researchers who work to make the Internet more secure. We are here to reward the work of security researchers who find issues within our web services and apps.

If you have questions about our bug bounty program or are unable to properly access/test an in-scope asset please email security@swapcard[.]com.

Rules 🚫

We don't have that many rules, we want you to be the most creative as possible, and report us vulnerabilities that will make us 🤯

The only rules are :

Do not publicly disclose the bug until Swapcard has confirmed the bug is fixed.
Do not subject our website or web services to DoS, DDoS, scraping, brute force, or other type of automated attack.
Do not spam our contact form or support inboxes.
Do not use security scanners or tools which may cause DoS, DDoS or scraping-like behavior against our web services or website.
Do not attempt to gain access to another user's account or data - please use test accounts.

Reporting ⚠️

All bug reports should include the following information to be considered for a bounty.

Vulnerable URL(s) and any affected parameters
Your browser
Detailed, step-by-step explanation of how to replicate the issue

Screenshots or videos of the vulnerability are highly encouraged and will result in quicker treatment 💪

Change log 🚀

You can find our latest feature release description page here: https://www.notion.so/swapcard/Last-releases-94ded507e7d240ccb25f5474aa78fbbc

New Features' descriptions

Registration

Form Builder

With our form builder, you’ll be able to customize the registration process with the fields of your choice, set what is required, and add as many pages as needed.

Tickets

You’ll be able to make multiple tickets if you choose. Each ticket can have a limited or unlimited quantity. You can also assign a Swapcard group to each ticket type. With this option, you can control the permissions within the Swapcard event from the moment they register.

Dedicated Ticket URLs: Each ticket now comes with a unique URL.
Privacy and Exclusivity: Using a dedicated URL ensures that registrants can access only that specific ticket.
Date and quantity limits: The begin and end dates will still be respected along with the quantity limit (if set).
Ticket Listing: The main registration URL will continue to list the publicly available tickets.

You can retrieve the custom URL using the new 3-dot menu on the ticket listing or get it directly from the ticket details view.

Managing Registrations

Registrations can be managed cohesively with the current attendees. You’ll be able to add registrations, modify tickets, and even cancel registrations.

MFA

Setting up 2-Step Authentication

Here's a brief overview of how it works:

Navigate to Your Account Settings: Log in to your account and head over to your account settings.
Enable 2-Step Authentication: Simply toggle the 2-Step Authentication option to "On" within your account settings.
Verification Process: Follow the on-screen prompts to complete the setup process.

Note to hunters:

MFA can be reset using magic link login so reports related to design of MFA recovery flow are non qualifying vulnerabilities.
Password verification is performed before MFA challenge is presented and any reports related to design mentioning both password and MFA code verification at once are non qualifying vulnerabilities.
The bounty defined in the grid corresponds to the maximum amount paid per severity. Example: In studio the maximum paid for a Medium severity vulnerability is 400€, the minimum is 50€, which is the maximum paid for a Low vulnerability.
Temporarily out of scope vulnerabilities mean that team is working on those features, therefore we won't be able to accept them until we deploy all changes related.