2021-03-29
Mendix

Mendix looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.

Maintaining the security of our applications and networks is a high priority for Mendix. If you have information related to security vulnerabilities of Mendix products and services, please submit a report in accordance with the guidelines below.

The vulnerabilities identified in the HackerOne reports will be classified using CVSSv3 (https://www.first.org/cvss/specification-document).

  • Please sign up, and conduct your testing, using your wearehackerone domain address so that we do not block you.

  • Do not try to further pivot into the network by using a vulnerability. The rules around Remote Code Execution (RCE), SQL Injection (SQLi), and FileUpload vulnerabilities are listed below.

  • Do not try to exploit service providers we use. Prohibited actions include, but are not limited to, bruteforcing login credentials of Domain Registrars, DNS Hosting Companies, Email Providers and/or others. The Firm does not authorize you to perform any actions against a non-Mendix owned property/system/service/data.

  • If you encounter Personally Identifiable Information (PII) contact us at security@mendix.com immediately. Do not proceed with access and immediately purge any local information, if applicable.

  • Please limit any automated scanning to 60 requests per second. Aggressive testing that causes service degradation will be grounds for removal from the program.
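As an added illustration of the 60 requests per second ceiling (example code written for this page, not tooling from Mendix or HackerOne): a program operator can check web server access logs for sources that exceed the limit. It assumes logs in the Apache/nginx combined format; the IP addresses, timestamps and paths in the sample are constructed.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Rate ceiling stated in the program rules: 60 requests per second.
MAX_REQUESTS_PER_SECOND = 60

# Assumed log shape: combined log format, client IP first, timestamp in brackets.
LOG_LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)"')


def parse_line(line):
    """Return (client_ip, timestamp truncated to the second) or None if unparseable."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts.replace(microsecond=0)


def peak_rates(lines):
    """Per client IP, the highest number of requests seen within any single second."""
    per_ip_second = defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than abort the whole review
        ip, second = parsed
        per_ip_second[ip][second] += 1
    return {ip: max(counts.values()) for ip, counts in per_ip_second.items()}


def over_limit(lines, limit=MAX_REQUESTS_PER_SECOND):
    """Client IPs whose peak per-second rate exceeds the policy limit, with that peak."""
    return {ip: peak for ip, peak in peak_rates(lines).items() if peak > limit}


def make_sample_log():
    """Constructed sample: 10.0.0.5 sends 70 requests in one second, 10.0.0.9 sends 3
    spread over three seconds, plus one line that does not parse."""
    lines = []
    for i in range(70):
        lines.append(f'10.0.0.5 - - [29/Mar/2021:10:00:00 +0000] "GET /?probe={i} HTTP/1.1" 200 512')
    for i in range(3):
        lines.append(f'10.0.0.9 - - [29/Mar/2021:10:00:0{i} +0000] "GET /login HTTP/1.1" 200 1024')
    lines.append("garbage line that does not parse")
    return lines


if __name__ == "__main__":
    for ip, peak in over_limit(make_sample_log()).items():
        print(f"{ip}: peak {peak} req/s exceeds the {MAX_REQUESTS_PER_SECOND} req/s limit")
```

Peak rate within a single second is used deliberately: an average over a longer window would hide short bursts, which are exactly what degrades a service.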

Response Targets

Mendix will make a best effort to meet the following SLAs for hackers participating in our program:

| Type of Response | SLA in business days |
| ------------- | ------------- |
| First Response | 2 days |
| Time to Triage | 2 days |
| Time to Resolution | depends on severity and complexity |

We’ll try to keep you informed about our progress throughout the process.

Disclosure Policy

  • As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.

  • Mendix will not be publicly disclosing reports at this time. If and when Mendix does disclose a report, it will be mutually agreed upon with the hacker.

Mendix reserves the right to deny any request for public disclosure.

Program Rules

  • Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.

  • Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.

  • When duplicates occur, we only triage the first report that was received (provided that it can be fully reproduced).

  • Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.

  • Social engineering (e.g. phishing, vishing, smishing) is prohibited.

  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.

  • Please note: Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.

Legal

  • You must comply with all applicable Federal, State, and local laws in connection with your security research activities or other participation in this vulnerability disclosure program.

  • You agree that You shall not, without the prior written consent of Mendix in each instance (i) use in advertising, publicity or otherwise the name of Mendix or its Affiliates or any trade name, trademark, trade device, service mark, symbol or any abbreviation, contraction or simulation thereof owned by Mendix or its Affiliates, or (ii) represent, directly or indirectly, any service or work provided by You as approved or endorsed by Mendix or its Affiliates.

  • You agree that any and all information acquired or accessed by You as part of this exercise is strictly confidential to Mendix and You shall hold the Confidential Information in strict confidence and shall not copy, reproduce, sell, assign, license, market, transfer or otherwise dispose of, give or disclose such information to third parties or use such information for any purposes other than for the performance of your work.

  • You acknowledge and agree that any and all information you encounter is owned by Mendix or its third party providers, clients or customers. You have no rights, title or ownership to any information that you may encounter.

  • Mendix may modify the terms of this policy or terminate the policy at any time.

  • By clicking Submit Report, you consent to Your Information being transferred to and stored in the United States and acknowledge that you have read and accepted the Terms, Privacy Policy and Disclosure Guidelines presented to you when you created your account.

  • Please use your own account for testing or research purposes. Do not attempt to gain access to another user’s account or confidential information.

  • Please do not test for spam, social engineering or denial of service issues. Your testing must not violate any law, or disrupt or compromise any data that is not your own.

Remote Code Execution (RCE) Policy

Vulnerabilities which allow execution of code on the application server, or of shell commands on the server itself, should be tested in accordance with this policy.

Prohibited actions when conducting RCE attempts:

  • Altering or uploading files on the web server. (Where file-upload functionality is involved, uploading webshells is prohibited; upload an echo, info or other variable/info-based invocation instead.)

  • Altering file permissions

  • Reading sensitive files on the system (e.g. /etc/shadow) and/or snooping through the file/folder structure. (The same applies to XXE, LFI and Path Traversal, or any other vulnerability which allows you to read the underlying file/folder structure.)

  • Altering/Modifying/Deleting any files on the system.

  • Copying any files from the system and disclosing them to a non Mendix site or entity

  • Interacting with underlying OS-level data and/or databases.

  • Interacting with other services running on the OS-level and/or any remote hosts residing on the network.

  • Interrupting the normal operation of the server.

  • Establishing any kind of persistent connection mechanism (netcat, SSH reverse tunnel, etc.) is prohibited.

Allowed actions when conducting RCE attempts - Unix:

  • Executing 'ifconfig', 'hostname', 'whoami', 'uptime', 'top' or any metrics commands

  • Reading content of the '/etc/passwd' file

  • Using 'echo' to write characters into a file under '/tmp/', reading the file back, and removing it immediately after confirmation.

Allowed actions when conducting RCE attempts - Windows:

  • Executing 'ipconfig', 'hostname', 'whoami' or any metrics commands

  • Reading the content of 'drive:/boot.ini', 'drive:/install.ini' or 'drive:/Windows/System32/drivers/etc/networks'

  • Using 'echo' to write characters into a file under 'drive:/temp', reading the file back (type), and removing it immediately after confirmation.

SQL Injection (SQLi) Policy

Vulnerabilities which allow injection of attacker-controlled parts into an SQL query should be tested in accordance with this policy.

Prohibited actions when conducting SQLi attempts:

  • Reading sensitive files on the system (e.g. /etc/shadow) and/or snooping through the file/folder structure (e.g. via SELECT LOAD_FILE())

  • Reading specific sensitive database records

  • Creating/Altering/Modifying/Deleting any files/records on the system/database. This includes use of INTO OUTFILE

  • Command Execution (xp_cmdshell, uploading .so or any action that leads to command execution)

  • Creating/Deleting Users

  • Reading/Altering Username and Password information (includes password hashes)

  • Interrupting the normal operation of the server and the database.

Allowed actions when conducting SQLi attempts:

  • Executing SELECT queries such as "@@version", "user();", "system_user();", "database();" or "@@hostname"

  • Listing Databases names from schema, listing Columns, Table names

  • Executing mathematical, conversion or logical queries, such as:

    • ASCII value -> char (SELECT char(65); # returns A)

    • Char -> ASCII value (SELECT ascii('A'); # returns 65)

    • String concatenation (SELECT CONCAT('A','B','C'); # returns ABC)

    • Case statement (SELECT CASE WHEN (1=1) THEN 'A' ELSE 'B' END; # returns A)

    • Hexadecimal literal (SELECT 0x414243; # returns ABC)

    • Time delay (SELECT BENCHMARK(1000000,MD5('A')); SELECT SLEEP(5);)

  • Using logic and timing differences in server responses

  • Using output returned in responses
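The RCE and SQLi policies above each split test actions into prohibited and allowed primitives. As an added example, not code from Mendix or the program, the following Python review script URL-decodes the query string of sample request log lines and tags each with the policy category its contents fall under, so a triager or SOC analyst can spot traffic that stepped outside the allowed actions. The pattern lists are built from the primitives named in the policy text; the log lines, hostnames and parameter names are constructed, and the regexes are assumptions for illustration, not an exhaustive detection rule set.

```python
import re
from urllib.parse import unquote_plus

# Primitives the RCE and SQLi policies list as prohibited.
PROHIBITED = [
    (r"\bLOAD_FILE\s*\(", "SQLi: reading files via LOAD_FILE"),
    (r"\bINTO\s+(OUT|DUMP)FILE\b", "SQLi: writing files via INTO OUTFILE"),
    (r"\bxp_cmdshell\b", "SQLi: command execution via xp_cmdshell"),
    (r"/etc/shadow\b", "RCE/LFI: reading /etc/shadow"),
    (r"\b(ncat|netcat)\b", "RCE: persistent connection via netcat"),
    (r"\bchmod\b", "RCE: altering file permissions"),
]

# Probes the policy explicitly allows (benign fingerprinting / proof of execution).
ALLOWED = [
    (r"@@version\b", "SQLi: version probe"),
    (r"\b(user|system_user|database)\s*\(\s*\)", "SQLi: identity probe"),
    (r"\bchar\s*\(\s*\d+\s*\)", "SQLi: ASCII -> char conversion"),
    (r"\bsleep\s*\(\s*\d+\s*\)", "SQLi: time-delay probe"),
    (r"\b(whoami|hostname|ifconfig|ipconfig|uptime)\b", "RCE: metrics command"),
    (r"/etc/passwd\b", "RCE: reading /etc/passwd"),
]


def normalise(raw_query):
    """URL-decode twice (to catch double encoding) and collapse whitespace."""
    decoded = unquote_plus(unquote_plus(raw_query))
    return re.sub(r"\s+", " ", decoded)


def classify(raw_query):
    """Return ('prohibited', reason), ('allowed', reason) or ('unclassified', None).

    Prohibited patterns are checked first: a request that mixes an allowed probe
    with a prohibited primitive is still a policy violation."""
    text = normalise(raw_query)
    for pattern, reason in PROHIBITED:
        if re.search(pattern, text, re.IGNORECASE):
            return "prohibited", reason
    for pattern, reason in ALLOWED:
        if re.search(pattern, text, re.IGNORECASE):
            return "allowed", reason
    return "unclassified", None


def review_log(lines):
    """For each request line, return (path, category, reason) for its query string."""
    results = []
    for line in lines:
        m = re.search(r'"(?:GET|POST) (\S+)', line)
        if not m:
            continue
        path = m.group(1)
        query = path.split("?", 1)[1] if "?" in path else ""
        results.append((path, *classify(query)))
    return results


# Constructed sample log lines (combined log format); hosts and parameters are made up.
SAMPLE_LOG = [
    '10.0.0.5 - - [29/Mar/2021:10:01:00 +0000] "GET /item?id=1%20AND%20SLEEP(5) HTTP/1.1" 200 20',
    '10.0.0.5 - - [29/Mar/2021:10:01:02 +0000] "GET /item?id=1%20UNION%20SELECT%20LOAD_FILE(%27/etc/passwd%27) HTTP/1.1" 200 20',
    '10.0.0.7 - - [29/Mar/2021:10:01:05 +0000] "GET /download?file=..%2F..%2Fetc%2Fshadow HTTP/1.1" 403 0',
    '10.0.0.9 - - [29/Mar/2021:10:01:09 +0000] "GET /search?q=hello HTTP/1.1" 200 900',
]


if __name__ == "__main__":
    for path, category, reason in review_log(SAMPLE_LOG):
        print(f"{category:12} {path}  {reason or ''}")
```

The second sample line shows why prohibited patterns take precedence: it reads /etc/passwd (allowed on its own) but does so through LOAD_FILE, which the SQLi policy forbids.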

File-Upload Policy

Vulnerabilities which allow the upload of files through any means (e.g. the HTTP PUT method, file-upload functionality/modules, etc.) are subject to these rules.

Prohibited actions when conducting File-upload attempts:

  • Altering/Modifying/Deleting/Replacing any files on the system (e.g. defacement)

  • Uploading files into the account of a user that you do not own and are not authorized by (this does not apply to system or web-server users such as www-data)

  • Uploading files which deliberately introduce additional exploitation vectors (e.g. HTML code containing cross-site scripting code, etc.)

  • Uploading files which can cause Denial of Service (e.g. over-sized files or an unlimited number of files that exhaust the disk quota)

Allowed actions when conducting File-upload attempts:

  • Chained exploitation vectors allowing you to escape the upload folder using e.g. path traversal or path manipulation, provided they do not violate the prohibited actions listed in the File-Upload Policy.

  • Upload of a file (any extension) with no content, or containing only a simple string, an integer or a special character.

Out of scope vulnerabilities

When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:

  • Reports from automated tools or scans

  • Reports affecting outdated browsers

  • Denial of Service or brute force attacks

  • Issues without clearly identified security impact (such as clickjacking on a static website) or speculative theoretical exploitability

  • Missing security best practices and controls (rate-limiting/throttling, lack of CSRF protection, lack of security headers, missing flags on cookies, descriptive errors, server/technology disclosure - without a clear and working exploit)

  • Lack of crossdomain.xml, p3p.xml, robots.txt or any other policy files and/or wildcard presence/misconfigurations in these.

  • Use of known-vulnerable libraries or frameworks - for example, an outdated jQuery or AngularJS (without a clear and working exploit)

  • Self-exploitation (cookie reuse, self cookie-bomb, self denial-of-service etc.)

  • Self Cross-site Scripting vulnerabilities without evidence of how the vulnerability can be used to attack another user

  • Lack of HTTPS

  • Reports about insecure SSL / TLS configuration

  • Password complexity requirements, account/email enumeration, or any report that discusses how you can learn whether a given username or email address has a Mendix-related account

  • Presence/lack of the autocomplete attribute on web forms/password managers.

  • Server banner disclosure/technology used disclosure

  • CSRF on logout or insignificant functionalities

  • Publicly accessible login panels

  • Clickjacking

  • CSS injection attacks (unless it gives you the ability to read anti-CSRF tokens or other sensitive information)

  • Tabnabbing

  • Host header injection (unless it gives you access to interim proxies)

  • Cache poisoning

  • Reflective file download

  • Cross-Origin Resource Sharing (CORS) Access-Control-Allow-Origin: * or acceptance of a custom Origin header that does not specifically show a valid attack scenario

  • PRSSI - path-relative stylesheet import vulnerabilities (without an impactful exploitation scenario - for example stealing CSRF tokens)

  • OPTIONS/TRACE/DELETE/PUT/WEBDAV or any other HTTP methods accepted by the server which do not specifically show a valid attack scenario

  • Cookies scoped to the parent domain or anything related to path misconfiguration and improper scoping

  • Open ports which do not lead directly to a vulnerability, unless it is an insecure port

  • Our policies on the presence/absence of SPF / DKIM / DMARC records

  • Lack of DNS CAA and DNS-related configurations

  • Social engineering of Mendix employees or contractors

  • Any physical/wireless attempt against Mendix property or data centers

  • Open redirects

  • wp-admin related issues

Out of scope endpoints

cool-accp.mendix.com

cool.mendix.com

compass-cbc-accp.mendix.com

compass-cbc.mendix.com

maat-accp.mendix.com

maat.mendix.com

oscar-accp.mendix.com

oscar.mendix.com

dhb-abco2-accp.mendix.com

dhb-abco2.mendix.com

mijndsi-test.mendix.com

mijndsi.mendix.com

create-it-accp.mendix.com

create-it.mendix.com

angelaweb-accp.mendix.com

angelaweb.mendix.com

freedomfood-test.mendix.com

freedomfood.mendix.com

dnb-cdp-accp.mendix.com

dnb-cdp.mendix.com

drs.dnb.com

mrpayout-test.mendix.com

mrpayout.mendix.com

i2-dhbtt-accp.mendix.com

i2-dhbtt.mendix.com

compass-klachtafhandeling.mendix.com

brokerportal.mendix.com

www.lvbroker.co.uk

nza-zorgfraude-accp.mendix.com

nza-zorgfraude.mendix.com

compass-osf-accp.mendix.com

postnl-integrator-accp.mendix.com

postnl-integrator.mendix.com

shell-accp.mendix.com

shell.mendix.com

yahoodecisionmaker.mendix.com

Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

Thank you for helping keep Mendix and our users safe!

In Scope

| Scope Type | Scope Name |
| ------------- | ------------- |
| web_application | *.mendix.com |
| web_application | event.us-east-1.sws.siemens.com |
| web_application | o0pv3l7chl.execute-api.us-east-1.amazonaws.com/dev |
| web_application | gateway.us-east-1.sws.siemens.com |
| web_application | servicemanagement-accp.mendixcloud.com |
| web_application | poh0v3odoi.execute-api.eu-central-1.amazonaws.com |
| web_application | https://react.vis.pre2.usea1.devops.sws.siemens.com/sample/dist/index.html |
| web_application | 3dvis.mendixcloud.com |
| web_application | slm.store.mendix.com |
| web_application | contributor.mendixcloud.com |
| web_application | dealservice.mendixcloud.com |
| web_application | dataprivacy.mendixcloud.com |
| web_application | datalake-sync.apps.mendix.com |
| web_application | alm.mendixcloud.com |
| web_application | deskallocation.mendixcloud.com |
| web_application | simplate.mendixcloud.com |
| web_application | mxpeople.mendixcloud.com |
| web_application | employees.mendix.com |
| web_application | 3s.mendixcloud.com |
| web_application | revenuedatahub.mendixcloud.com |
| web_application | mxbpconfig.mendixcloud.com |
| web_application | provisioning.servicemanagement.mendix.com |
| web_application | k8s-licbrk-licenseb-11d216e80e-384217420.eu-central-1.elb.amazonaws.com |
| web_application | *.timeseries.com |
| web_application | *.timeseries.nl |
| web_application | *.timeseriesgroup.com |
| web_application | marketplaceadmin.mendixcloud.com |
| web_application | https://i1tv7nddaa.execute-api.eu-central-1.amazonaws.com/prod |


This policy was crawled by Onyphe on 2021-03-29 and is sorted as bounty.

FireBounty © 2015-2024
