Kiwai

2022-08-29
Introduction

Caisse d'Epargne Normandie is a regional bank and a member of the BPCE group, one of the major European banking groups.
As a bank we are very careful about the security of our applications, and even more so about our customers' data.

Scope

The scopes of this program are listed further below on this program page.

Regarding the hpr and ppr URLs:

https://www.hpr.kiwai-normandie.fr/
https://www.ppr.kiwai-enr.fr/

These are staging platforms, close to the production environment, which is also in scope:

https://www.kiwai-normandie.fr/
https://www.kiwai-enr.fr/

You will have more options in the preproduction environment, where we can provide test data for you.

We therefore ask you to use your YesWeHack email alias(es) to register on the staging platforms. We will then validate your KYC.

If you have already registered on the staging platforms with your own address, please contact bugbounty@cen.caisse-epargne.fr and provide your account ID to request validation of your account.

Test funds can be credited on the staging platforms by following this guide: https://docs.mangopay.com/guide/testing-payments

Additional information

Regarding preproduction:

Some development tools are available from the link below, but note that they are out of the scope of this program:

The Kiwai application is a crowd-lending platform that finances green projects in Normandy, and soon worldwide.

Any vulnerability giving access to other customers' data (SQLi, code execution, etc.) will be granted the maximum bounty.

We are happy to thank everyone who submits a valid report that helps us improve the security of Kiwai; however, only reports that meet the following eligibility requirements may receive a monetary reward:

  • You must be the first reporter of a vulnerability.
  • The vulnerability must be a qualifying vulnerability (see below).
  • Any vulnerability found must be reported no later than 24 hours after discovery, and exclusively through yeswehack.com.
  • You must send a clear textual description of the issue along with steps to reproduce it, including attachments such as screenshots or proof-of-concept code as necessary.
  • You must avoid tests that could cause degradation or interruption of our service (refrain from using automated tools, and limit yourself to about 30 requests per second).
  • You must not leak, manipulate, or destroy any user data.
  • Our analysis is always based on worst-case exploitation of the vulnerability, as is the reward we pay. No vulnerability disclosure, even partial, is allowed for the moment.

Other

This program is not open to people working for the BPCE group or for any company working on the Kiwai project.

In Scope

Scope Type         Scope Name
api                https://www.api.hpr.kiwai-normandie.fr/
api                https://www.api.kiwai-normandie.fr
web_application    https://www.hpr.kiwai-normandie.fr/
web_application    https://www.ppr.kiwai-enr.fr/
web_application    https://www.kiwai-enr.fr/
web_application    https://www.kiwai-normandie.fr/

Out of Scope

Scope Type         Scope Name
undefined          Any security issue on Yousign or Mangopay not related to Kiwai


FireBounty crawled the program Kiwai on the YesWeHack platform on 2022-08-29.
