Bug Bounty program

Responsible Disclosure

Security of user data is of utmost importance to Vtiger. In pursuit of the best possible security for our service, we welcome responsible disclosure of any vulnerability you find in Vtiger. Principles of responsible disclosure include, but are not limited to:

  • Accessing or exposing only customer data that is your own.
  • Avoiding scanning techniques that are likely to cause degradation of service to other customers (e.g. by overloading the site).
  • Keeping within the guidelines of our Terms Of Service.
  • Keeping details of vulnerabilities secret until Vtiger has been notified and had a reasonable amount of time to fix the vulnerability.

In order to be eligible for a bounty, your submission must be accepted as valid by Vtiger. We use the following guidelines to determine the validity of reports and the reward offered.

Reproducibility

  1. Our engineers must be able to reproduce the security flaw from your report.
  2. Reports that are too vague or unclear are not eligible for a reward.
  3. Reports that include clearly written explanations and working code are more likely to garner rewards.
  4. Attach a detailed proof of concept (PoC) to your report when you submit the vulnerability to Vtiger.

Severity

More severe bugs will be met with greater rewards. We are most interested in vulnerabilities in *.od1.vtiger.com and *.od2.vtiger.com. Other Vtiger subdomains are generally not eligible for rewards unless the reported vulnerability affects *.od1.vtiger.com, *.od2.vtiger.com or Vtiger customer data.

Focus Areas

  • Authentication or authorization flaws
  • Server-side code execution bugs
  • Sensitive data exposure
  • Cross-site request forgery (CSRF)
  • Particularly clever vulnerabilities or unique issues that do not fall into explicit categories

Excluded list from the bounty

  • Descriptive error messages (e.g. Stack Traces, application or server errors).
  • HTTP 404 codes/pages or other HTTP non-200 codes/pages.
  • Fingerprinting / banner disclosure on common/public services.
  • Disclosure of known public files or directories, (e.g., robots.txt).
  • Clickjacking and issues only exploitable through clickjacking, unless accompanied by a real-world attack scenario and meaningful impact.
  • CSRF on forms that are available to anonymous users (e.g., the contact form), unless accompanied by a real-world attack scenario and meaningful impact.
  • Logout Cross-Site Request Forgery.
  • Perceived excessive volumes of sent email (e.g., mail flooding).
  • Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality.
  • Reverse tabnabbing
  • Lack of Secure/HttpOnly flags on non-sensitive cookies
  • Weak CAPTCHA / CAPTCHA bypass
  • Brute force against the login or forgot-password page, or account lockout not being enforced
  • OPTIONS HTTP method enabled
  • HTTPS Mixed Content messages
  • Username / email enumeration
  • Missing HTTP security headers
  • SSL/TLS issues (e.g. weak ciphers or certificate configuration)
  • Low impact descriptive error pages and information disclosures without any sensitive information
  • Invalid or missing SPF/DMARC records
  • Social engineering
  • Denial of Service (DoS) vulnerabilities
  • Rate limiting issues
  • Spamming
  • Open redirects - unless they can be used for actively stealing tokens
  • Best practice concerns without a demonstration of practical exploitability
  • Reports stating software is out of date or vulnerable without a proof of concept
  • HTML injection
  • Reflected XSS, DOM-based XSS and self-XSS

Rewards

  • Only one bounty will be awarded per vulnerability.
  • If we receive multiple reports for the same vulnerability, only the person submitting the first clear report will receive a reward.
  • We maintain flexibility with our reward system and have no minimum or maximum amount; rewards are based on severity, impact, and report quality. This is a discretionary program: Vtiger reserves the right to cancel the program, and the decision whether or not to pay a reward is at our discretion.

Domains/Products in scope

  • *.od1.vtiger.com
  • *.od2.vtiger.com
  • Vtiger Cloud Products

Domains/Products excluded from the bounty

  • vtiger.com
  • blog.vtiger.com
  • code.vtiger.com
  • discussions.vtiger.com
  • demo.vtiger.com
  • Vtiger OpenSource (All versions)

Contact

Please email us at [email protected] with any vulnerability reports or questions about the program.