9575 policies in database
Link to program      
Accellion Kiteworks Public Program logo


250 $ 

Accellion Kiteworks Public Program

Accellion provides the leading secure content platform that increases enterprise productivity and ensures data security and compliance. We offer enterprise organizations the scalability, flexibility, control, and security to enable a mobile workforce with the tools they need to create, access and share information securely, whenever and wherever work takes them.

Submission Rating:

Accellion adheres to the Bugcrowd Vulnerability Rating Taxonomy for the prioritization of submissions but reserves the right to downgrade or upgrade ratings based on actual business impact and CVSS score. In the event of a downgrade, Accellion will provide a reasonable justification to the researcher - along with the opportunity to appeal and make a case for a higher priority.

Please note: Multiple vulnerabilities caused by one underlying issue

will be recognized as one vulnerability.

Reward range

Last updated 01 Oct 2020 03:21:57 UTC

Technical severity | Reward range
p1 Critical | $10,000 - $10,000
p2 Severe | $3,000 - $4,000
p3 Moderate | $500 - $1,000
p4 Low | $250 - $250

P5 submissions do not receive any rewards for this program.


In scope

Target name | Type | Tags
<https://bugcrowd-pub.bounty.accellion.net/> | Website Testing |

  • Website Testing
  • Vue.js
  • nginx

Testing is only authorized on the targets listed as in scope. Any domain/property of Accellion not listed in the targets section is out of scope. This includes any/all subdomains not listed above. If you happen to identify a security vulnerability on a target that is not in scope, but it demonstrably belongs to Accellion, you can report it here. However, be aware that it is ineligible for rewards or points-based compensation.

Please note: Multiple vulnerabilities caused by one underlying issue will

be recognized as one vulnerability.

Focus Areas:

While Kitework's interface may look limited in functionality, they believe there are still avenues to find vulnerabilities on the following focus areas (outlined in this PDF). Vulnerabilities on these focus areas are eligible for rewards of $10,000 for P1s, $4,000 for P2s, $1,000 for P3s and $250 for P4s.

  • Unauthorized Access to Messages, Files and Folders
  • Uploading/Downloading endpoints
  • Incorrect Permissions
  • Bypassing Folder Roles Access Control
  • Previewer/Viewer
  • Injection attacks (SQL injections, XSS)
  • Availability Attacks (Non Distributed DOS)
  • User REST endpoints
  • Code Execution

Note that for unauthenticated XSS, it will be treated as a High severity. For authenticated XSS, it will be treated as a Medium severity.


For you have been provisioned two pseudo-random @bugcrowdninja.com emails (for testing access issues between accounts) which, after accepting the program invite, will route all incoming traffic to the email associated with your Bugcrowd account. An invite to the application has been sent to each of these emails in advance, and will be auto-forwarded upon accepting your invitation to the program.

To access the account visit https://bugcrowd-pub.bounty.accellion.net/ and request a password reset using the provided email which should give you access to the target (please check your spam if you don't see the email in your inbox).


- Vulnerabilities that appear due to application misconfiguration by our customers.
- Vulnerabilities in older application versions, caused by outdated/unpatched browsers or plugins.
- Any security issues in third-party apps or websites that integrate with Accellion or third-party libraries.
- Reports submitted by current/ex-employees of Accellion and its partners.
- Email spoofing and/or missing DMARC records.
- Brute force attacks that cannot be demonstrated or completed in a reasonable amount of time.
- Vulnerabilities that require privileged user (e.g. root) access.
- Bugs that rely on unlikely or statistically improbable user interaction.
- Password and account recovery policies, such as reset link expiration or password complexity.
- Clickjacking/UI redressing.
- Self XSS
- Rate limiting
- HMTL injection
- Race condition
- Domain/Sub-domain take over
- Internal SSRF from Admin UI
- Google, PSPDFKit API Key in mobile app.
- Debuggable flags in mobile apps.
- Broken Authentication and Session Management findings are possible on this test environment but resolved in production as such, findings in this VRT category will not be eligible for the bounty
- EXIF Geolocation Data Not Stripped From Uploaded Images

Safe Harbor:

When conducting vulnerability research according to this policy, we consider this research to be:

  • Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) (and/or similar state laws), and we will not initiate or support legal action against you for accidental, good faith violations of this policy;
  • Exempt from the Digital Millennium Copyright Act (DMCA), and we will not bring a claim against you for circumvention of technology controls;
  • Exempt from restrictions in our Terms & Conditions that would interfere with conducting security research, and we waive those restrictions on a limited basis for work done under this policy; and
  • Lawful, helpful to the overall security of the Internet, and conducted in good faith.
  • You are expected, as always, to comply with all applicable laws.

If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please inquire via support@bugcrowd.com before going any further.

Program rules

This program follows Bugcrowd’s standard disclosure terms.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.

In Scope

Scope Type Scope Name


This policy crawled by Onyphe on the 2020-10-08 is sorted as bounty.

FireBounty © 2015-2020

Legal notices