22/03/2018
Program rewards: Thanks, Gift, Hall of Fame, Reward

SAP Concur

Headers (New!)

Please include the following headers in all server requests. This will not affect our response to your activity, but allows us to track breadth of community research to ensure that all of our applications are being tested regularly.

Required
X-Request-Purpose: Research

Optional
X-Bugcrowd-Ninja: [username]

Overview

Concur Technologies is committed to making travel and expense management easy and secure. As part of our promise to protect customer data and privacy, we strongly encourage prompt responsible disclosure of vulnerabilities you may find while using our products and welcome your reports.

When submitting, please keep the following in mind:

  • Please provide clear and reproducible steps that demonstrate that the vulnerability exists, is persistent, and can be exploited. Your written description should be easily understood in English, and attaching a proof-of-exploitability video is even more helpful.
  • Vulnerability reports which do not include careful manual validation—for example, reports based only on results from automated tools and scanners or which describe theoretical attack vectors without proof of exploitability—will be closed as Not Applicable.

This program covers all Concur-owned applications, services, and properties, including any browser UI, web service, or mobile app for each product. Check domain records (WHOIS and DNS) to confirm Concur ownership before testing a host; do not test assets that are not owned and controlled by Concur.

Some examples include:

  • Concur Travel, Expense, and Invoice solutions (*.concur.com and *.concursolutions.com)
  • TMC Solutions (see a list of included products)
  • TripIt (*.tripit.com)
  • Hipmunk (*.hipmunk.com)
  • ConcurGov
  • Ulysse

Program Rules:

Public disclosure is prohibited without the express prior written consent of Concur.

  • Carefully comply with applicable laws regarding unauthorized system access and tampering by only performing research under this responsible disclosure program. Proof of exploitability must stop short of actual exploitation.
  • Never intentionally access, modify, destroy, or make unavailable Concur user data or Concur itself in the process of discovery. This includes execution of Denial of Service exploits.
  • Immediately notify Concur Security if any user data other than your own is unintentionally accessed.
  • Never leak or publicly disclose any Concur user data, including your own.
  • Never defraud Concur users or the Concur platform itself in the process of discovery or using data discovered through your research.
  • You further agree that you will comply with end-user agreements and will never perform security research on your own company's Concur instance. You may either sign up for a trial organization or contact us for access to a sandbox organization.
  • Concur Mobile binaries should be obtained through official channels for iOS and Android platforms. While Concur does not encourage rooting/jailbreaking of mobile devices, we understand that this technique may be necessary for extracting and validating the Concur Mobile app. Accessing Concur Mobile binaries by rooting or jailbreaking your device is permitted only with test accounts in the context of security research through this program; circumventing platform protections in order to access production accounts, including those for companies you may belong to, is strictly prohibited.

Ratings:

On a general level, this program adheres to the Bugcrowd Vulnerability Rating Taxonomy for the prioritization/rating of findings.

Exclusions:

  • Email spoofing due to missing or misconfigured DMARC will be considered a P5

This program only awards points for VRT based submissions.

Targets

In scope

Target name | Type
---|---
All services officially provided by Concur are in scope and eligible for the responsible disclosure program, including mobile applications. | Other
Tripit Web Application: https://www.tripit.com | Website
https://m.tripit.com/ | Website
Tripit Teams: https://www.tripit.com/teams/ | Website
Tripit Mobile Web Services/Public web services used by the Tripit Mobile applications: https://api.tripit.com/ | API
Tripit Mobile Application: Android | Android
Tripit Mobile Application: iOS | iOS

Out of scope

Target name | Type
---|---
Sites and companies not owned by, maintained by, or under the control of Concur | Other
www.tmcservices.net | Website
tmcservices.co.in | Website
forum.developer.concur.com | Website
www.concurinc.com | Website
help.expenseit.com | Website
concurmobile.freshdesk.com | Website
store.hipmunk.com | Website
sentry.hipmunk.com | Website
media.hipmunk.com | Website


On Credentials

  • Individual and "test drive" accounts can be self-provisioned in many of our applications, including Concur, TripIt, and Hipmunk.
  • Pro or Premium accounts will not be provided, but a free trial account can be created for testing purposes and cancelled before the end of the trial.

About Concur

Concur, an SAP company, imagines the way the world should work, offering cloud-based services that make it simple to manage travel and expenses. By connecting data, applications, and people, Concur delivers an effortless experience and total transparency into spending wherever and whenever it happens. Concur services adapt to individual employee preferences and scale to meet the needs of companies from small to large, so they can focus on what matters most.
Learn more at www.concur.com or the Concur blog.

Program rules

This program follows Bugcrowd’s standard disclosure terms.

Learn more about Bugcrowd’s VRT.


This program was found on Bugcrowd on 2018-03-22.

FireBounty © 2015-2019
