Swapcard
Swapcard is an event app & matchmaking platform powered by artificial intelligence.
Reward
Program
Hacktivity
Welcome Hunters! 👋🏼
Let us introduce you to Swapcard.
Swapcard is a platform for event organizers to engage their audiences. Connect attendees and boost exhibitors ROI.
Swapcard is working with worldwide events including events on Security, Government event, Health topics, etc.
Swapcard appreciates the effort of software security researchers who work to make the Internet more secure. We are here to reward the work of security researchers who find issues within our web services and apps.
If you have questions about our bug bounty program or are unable to properly access/test an in-scope asset please email security@swapcard[.]com.
Rules 🚫
We don't have that many rules, we want you to be the most creative as possible, and report us vulnerabilities that will make us 🤯
The only rules are :
- Do not publicly disclose the bug until Swapcard has confirmed the bug is fixed.
- Do not subject our website or web services to DoS, DDoS, scraping, brute force, or other type of automated attack.
- Do not spam our contact form or support inboxes.
- Do not use security scanners or tools which may cause DoS, DDoS or scraping-like behavior against our web services or website.
- Do not attempt to gain access to another user's account or data - please use test accounts.
Reporting ⚠️
All bug reports should include the following information to be considered for a bounty.
- Vulnerable URL(s) and any affected parameters
- Your browser
- Detailed, step-by-step explanation of how to replicate the issue
Screenshots or videos of the vulnerability are highly encouraged and will result in quicker treatment 💪
Change log 🚀
You can find our latest feature release description page here: https://www.notion.so/swapcard/Last-releases-94ded507e7d240ccb25f5474aa78fbbc
New Features' descriptions
Registration
Form Builder
With our form builder, you’ll be able to customize the registration process with the fields of your choice, set what is required, and add as many pages as needed.
Tickets
You’ll be able to make multiple tickets if you choose. Each ticket can have a limited or unlimited quantity. You can also assign a Swapcard group to each ticket type. With this option, you can control the permissions within the Swapcard event from the moment they register.
- Dedicated Ticket URLs: Each ticket now comes with a unique URL.
- Privacy and Exclusivity: Using a dedicated URL ensures that registrants can access only that specific ticket.
- Date and quantity limits: The begin and end dates will still be respected along with the quantity limit (if set).
- Ticket Listing: The main registration URL will continue to list the publicly available tickets.
You can retrieve the custom URL using the new 3-dot menu on the ticket listing or get it directly from the ticket details view.
Managing Registrations
Registrations can be managed cohesively with the current attendees. You’ll be able to add registrations, modify tickets, and even cancel registrations.
MFA
Setting up 2-Step Authentication
Here's a brief overview of how it works:
- Navigate to Your Account Settings: Log in to your account and head over to your account settings.
- Enable 2-Step Authentication: Simply toggle the 2-Step Authentication option to "On" within your account settings.
- Verification Process: Follow the on-screen prompts to complete the setup process.
Note to hunters:
- MFA can be reset using magic link login so reports related to design of MFA recovery flow are non qualifying vulnerabilities.
- Password verification is performed before MFA challenge is presented and any reports related to design mentioning both password and MFA code verification at once are non qualifying vulnerabilities.
Reward
| Asset value | CVSS | CVSS | CVSS | CVSS |
|---|---|---|---|---|
| €50 | €400 | €800 | €2,000 | |
| €0 | €300 | €600 | €1,000 | |
| €0 | €100 | €400 | €800 |
Scopes
| Scope | Type | Asset value | Expand rewards grid |
|---|---|---|---|
| api.swapcard.com | api | ||
Low Medium High Critical | |||
| chat-api.swapcard.com/graphql | api | ||
Low Medium High Critical | |||
| developer.swapcard.com/event-admin/graphql | api | ||
Low Medium High Critical | |||
| login.swapcard.com | api | ||
Low Medium High Critical | |||
| studio-api.swapcard.com | api | ||
Low Medium High Critical | |||
| app.swapcard.com | web-application | ||
Low Medium High Critical | |||
| studio.swapcard.com | web-application | ||
Low Medium High Critical | |||
| team.swapcard.com | web-application | ||
Low Medium High Critical | |||
| https://apps.apple.com/fr/app/swapcard/id879488719 | mobile-application-ios | ||
Low Medium High Critical | |||
| https://play.google.com/store/apps/details?id=com.swapcard.apps.android&hl=fr | mobile-application-android | ||
Low Medium High Critical | |||
| img.swapcard.com | api | ||
Low Medium High Critical | |||
| t.swapcard.com | api | ||
Low Medium High Critical | |||
Out of scopes
- By default all the endpoints that are not listed in the allowed scopes are out of scope of the program.
- *dev.swapcard.com
- page.swapcard.com
- blog.swapcard.com (Hubspot)
- aide.swapcard.com (Zoho)
- help.swapcard.com (Zoho)
- books.swapcard.com (Zoho)
- l.swapcard.com
- c.swapcard.com
- sentry.swapcard.com (Except if you notice a miss-configuration)
- survey.swapcard.com
- www.swapcard.com (static corporate website)
Vulnerability types
Qualifying vulnerabilities
- Cross-site scripting (XSS)
- Directory traversal
- Privilege escalation
- SSRF, server-side remote code execution or command injection
- SQL or NoSQL injection
- Access control bypass
- Presence or disclosure of secret access tokens (except in mobile apps)
- Exposed secrets, credentials or sensitive information from an asset under our control
- ...
Non-qualifying vulnerabilities
- Social engineering of Swapcard staff, contractors, or customers
- Reports from automated tools or scans
- Issues related to software or protocols not under Swapcard control
- Denial of Service attacks, including mass requests against password reset, login, account creation, or other endpoints. Please do not conduct brute force attacks.
- Lack of rate-limiting, brute-forcing or captcha issues
- Email lack of rate-limiting
- Ability to spam users (email / SMS / direct messages flooding)
- Missing cookie flags
- Content/Text injections
- Mixed content warnings
- Self-XSS or XSS that cannot be used to impact other users
- Presence of autocomplete attribute on web forms
- Invalid or missing SPF (Sender Policy Framework), DKIM, DMARC records
- Email spoofing
- DNSSEC settings
- Password requirements policies (length / complexity / reuse)
- Session expiration policies (no automatic logout, invalidation after a certain time or after a password change)
- Password reset token leak on trusted third-party website via Referer header (eg Google Analytics, Facebook…)
- User enumeration (email, alias, UserID, phone number)
- Unauthenticated / Logout / Login and other low-severity Cross-Site Request Forgery (CSRF)
- Missing security-related HTTP headers which do not lead directly to a vulnerability
- HTTP Strict Transport Security Header (HSTS)
- Existence of access-controlled administrative pages
- Expired certificate, best practices and other related issues for TLS/SSL certificates
- Open redirects (without evidence of strong impacted on the user account) (we are aware that target_url on magic link are bit too permissive)
- Use of a known-vulnerable library (without evidence of exploitability)
- Recently disclosed 0-day vulnerabilities (less than 90 days since patch release)
- Known CVEs without working PoC
- Outdated libraries without a demonstrated security impact
- Unexploitable vulnerabilities (ex: XSS or Open Redirect in HTTP Host Header)
- Blind SSRF without direct impact (e.g. DNS pingback)
- Vulnerabilities only affecting older browsers
- Clickjacking or UI redressing
- Tabnabbing
- GraphQL introspection feature
- CSV injection
- Reports with attack scenarios requiring MITM or physical access to victim's device
- Hard-coded secrets in our mobile applications (iOS and Android) - we are aware of these issue and are currently fixing them (no sensitive keys are used now)
- Task Hijacking in our Android application
- Disclosed / misconfigured Google API key (including Google Maps)
- Any hypothetical flaw or best practices without exploitable PoC
- Disclosure of information without direct security impact (e.g. stack traces, path disclosure, directory listings, software versions, IP disclosure, 3rd party secrets)
- Unstripped Image and document metadata
- Subdomain takeover without a full working PoC
- Reports with attack scenarios requiring MITM or physical access to victim's device
- Stolen secrets, credentials or information gathered from a third-party asset that we have no control over
- Insecure direct object references (IDOR) - Temporarily
- Rate-limiting in Registration
- Missing Backup recovery code flow in MFA feature
Hunting requirements
Account access
Feel free to create an account on the platform at studio.swapcard.com. Account is valid for the user app (app.swapcard.com) and the organizer app (studio.swapcard.com)
User agent
Please append to your user-agent header the following value: ' SwapcardYWH/BB '.
Hunters collaboration
When submitting new report, you can add up to 5 collaborators, and define the reward split ratio.
For more information, see help center.
Note: For reports that have already been rewarded, it is not possible to redistribute the rewards.
