The Accellion enterprise content firewall helps IT executives lock down the exchange of confidential enterprise information with customers, suppliers, and partners by unifying visibility and security across siloed third-party communication channels, including email, file sharing, mobile, web forms, managed file transfer, and SFTP. Thousands of global CIOs and CISOs trust Accellion to give their organizations protection, privacy and peace of mind.
Accellion adheres to the Bugcrowd Vulnerability Rating Taxonomy for the prioritization of submissions but reserves the right to downgrade or upgrade ratings based on actual business impact and CVSS score. In the event of a downgrade, Accellion will provide a reasonable justification to the researcher - along with the opportunity to appeal and make a case for a higher priority.
will be recognized as one vulnerability.
Last updated 01 Oct 2020 03:21:57 UTC
| Technical severity | Reward range |
|---|---|
| P1 Critical | $10,000 - $10,000 |
| P2 Severe | $3,000 - $4,000 |
| P3 Moderate | $500 - $1,000 |
| P4 Low | $250 - $250 |
P5 submissions do not receive any rewards for this program.
| Target name | Type | Tags |
|---|---|---|
| <https://bugcrowd-pub.bounty.accellion.net/> | Website Testing | |
Testing is only authorized on the targets listed as in scope. Any domain/property of Accellion not listed in the targets section is out of scope. This includes any/all subdomains not listed above. If you happen to identify a security vulnerability on a target that is not in scope, but it demonstrably belongs to Accellion, you can report it here. However, be aware that it is ineligible for rewards or points-based compensation.
While the Kiteworks application is hardened and requires advanced skills to exploit, there are still avenues to find vulnerabilities on the following focus areas (outlined in this PDF). Vulnerabilities on these focus areas are eligible for rewards of $10,000 for P1s, $4,000 for P2s, $1,000 for P3s and $250 for P4s.
Note that unauthenticated XSS will be treated as High severity, while authenticated XSS will be treated as Medium severity.
You have been provisioned two pseudo-random @bugcrowdninja.com emails (for testing access issues between accounts) which, once you accept the program invite, will route all incoming mail to the email address associated with your Bugcrowd account. An invite to the application has been sent to each of these emails in advance and will be auto-forwarded upon accepting your invitation to the program.
To access the account, visit https://bugcrowd-pub.bounty.accellion.net/ and request a password reset using the provided email, which should give you access to the target (check your spam folder if the email does not arrive in your inbox).
- Vulnerabilities that appear due to application misconfiguration by our customers.
- Vulnerabilities in older application versions, caused by outdated/unpatched browsers or plugins.
- Any security issues in third-party apps or websites that integrate with Accellion, or in third-party libraries.
- Reports submitted by current/ex-employees of Accellion and its partners.
- Email spoofing and/or missing DMARC records.
- Brute force attacks that cannot be demonstrated or completed in a reasonable amount of time.
- Vulnerabilities that require privileged user (e.g. root) access.
- Bugs that rely on unlikely or statistically improbable user interaction.
- Password and account recovery policies, such as reset link expiration or password complexity.
- Clickjacking/UI redressing.
- Self XSS.
- Rate limiting.
- HTML injection.
- Race conditions.
- Domain/sub-domain takeover.
- Internal SSRF from the Admin UI.
- Google and PSPDFKit API keys in the mobile app.
- Debuggable flags in mobile apps.
- Broken Authentication and Session Management findings are possible on this test environment but are resolved in production; as such, findings in this VRT category will not be eligible for the bounty.
- EXIF geolocation data not stripped from uploaded images.
When conducting vulnerability research according to this policy, we consider this research to be:
If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please inquire via email@example.com before going any further.
This program follows Bugcrowd’s standard disclosure terms.
This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.
This policy was crawled by Onyphe on 2020-10-08 and is categorized as bounty.