
29/05/2018

Keeper Security Vulnerability Disclosure Program

Keeper Security is transforming the way businesses and individuals protect their passwords and sensitive digital assets to significantly reduce cyber theft. Keeper is SOC 2 Certified and utilizes best-in-class encryption to safeguard its customers. Keeper Security is committed to the industry best practice of responsible disclosure of potential security issues.

Keeping our users secure is core to our values as an organization. We value the input of good-faith hackers and believe that an ongoing relationship with the hacker community helps us ensure their security and privacy, and makes the Internet a more secure place. This includes encouraging responsible security testing and disclosure of security vulnerabilities.


Guidelines:

This Vulnerability Disclosure Policy sets out expectations when working with good-faith hackers, as well as what you can expect from us.

If security testing and reporting is done within the guidelines of this policy, we:

  • Consider it to be authorized in accordance with the Computer Fraud and Abuse Act,
  • Consider it exempt from DMCA, and will not bring a claim against you for bypassing any security or technology controls,
  • Consider it legal, and will not pursue or support any legal action related to this program against you,
  • Will work with you to understand and resolve the issue quickly, and
  • Will recognize your contributions publicly if you are the first to report the issue and we make a code or configuration change based on the issue.

If at any time you are concerned or uncertain about testing in a way that is consistent with the Guidelines and Scope of this policy, please contact us before proceeding.

To encourage good-faith security testing and disclosure of discovered vulnerabilities, we ask that you:

  • Avoid violating privacy, harming user experience, disrupting production or corporate systems, and/or destroying data,
  • Perform research only within the scope set out below, and respect systems and activities which are out-of-scope,
  • Contact us immediately if you encounter any user data during testing,
  • Use the identified communication channels to report vulnerability information to us, and
  • Keep information about any vulnerabilities you’ve discovered confidential until we’ve resolved them.

Ratings:

This program adheres to the Bugcrowd Vulnerability Rating Taxonomy for the prioritization/rating of findings.

This program only awards points for submissions.

Targets (category in brackets):

  • Keeper Security Website (keepersecurity.com | .eu) [website]
  • Keeper Password Manager for iOS [ios]
  • Keeper Password Manager for Android [android]
  • Keeper Desktop Application for Mac and PC [other]
  • Keeper Password Manager for Windows Store [other]
  • KeeperFill Browser Extension (Chrome, Safari, Firefox, Edge, IE) [other]
  • Keeper Backend API (Keeper Commander) [other]
  • KeeperChat Website (keeperchat.com | .eu) [website]
  • KeeperChat for iOS [ios]
  • KeeperChat for Android [android]
  • KeeperChat for Windows [other]
  • KeeperChat for Mac [other]
  • Keeper Password Manager for BlackBerry [other]
  • Keeper Password Manager for Windows Mobile [other]

Any domain/property of Keeper Security not listed in the targets section is out of scope. This includes any/all subdomains not listed above.


Access:

You're free to sign up for an account using your @bugcrowdninja.com email address. For more info regarding @bugcrowdninja email addresses, see here.

If requested, KeeperChat and Keeper Password Manager source code can be provided to researchers under NDA at the discretion of the company. When requesting access to the source code, please clearly outline what you’re specifically looking to review, and provide any credentials or background that make you particularly well-suited to perform code review against these assets. Thanks!

Additionally, for paid account levels (e.g. business), researchers are encouraged to reach out to security@keepersecurity.com to request access.

Please keep in mind as you test the targets (particularly the websites) that these are production systems; please abstain from running automated tools against contact forms and similar endpoints. Manual testing is highly encouraged and recommended wherever it looks like a form may submit to a human or team on the other end.

Keeper Password Manager
iOS : Here
Android : Here
Windows : Here
BlackBerry : Here

Web Applications
Web Vault (US) : Here
Web Vault (EU) : Here
Admin Console (US) : Here
Admin Console (EU) : Here
Website (US) : Here
Website (EU) : Here

Desktop Applications
Keeper Desktop Mac : Here
Keeper Desktop Windows : Here
Keeper for Microsoft Store : Here

KeeperFill Browser Extensions
Chrome, Safari, Firefox, Edge, IE11: Here

Keeper Commander
Python API / SDK: Here

KeeperChat Applications
iOS : Here
Android : Here
Windows : Here
Mac : Here
Website : Here


Focus Areas:

  • Authentication bypass
  • Bugs in customer-facing web applications and APIs
  • Bugs in desktop applications or mobile apps
  • Bugs in third-party assets used by Keeper's web applications
  • Cross-site request forgery
  • Cross-site scripting (XSS)
  • Privilege escalation
  • Information disclosure
  • Remote code execution
  • Timing or enumeration attacks that have a tangible risk to security or privacy

Out-of-Scope

  • Previously submitted bugs
  • Spam or Email Spoofing
  • Bugs that rely on keylogging, compromise of the operating system or privileged access
  • Legacy or unsupported versions of apps

Rules

This program follows Bugcrowd’s standard disclosure terms.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.

This bounty requires explicit permission to disclose the results of a submission.




FireBounty (c) 2015-2018