2020-08-25
Aiven Ltd

Aiven Bug Bounty Program Policy

Aiven looks forward to working with the security community to find vulnerabilities in order to keep our business and customers safe.

Please read through the entire policy and take special care regarding the following:

  • Use only your @wearehackerone.com email address for registering testing accounts. Do not use any other email addresses such as @gmail.com for security testing.

  • Out of scope: Support chat functionality provided by Intercom on our web site is out of scope for any kind of testing. Please do not contact us using the support chat. This includes all functionality on help.aiven.io.

Special note about log4j (CVE-2021-45105, CVE-2021-45046 and CVE-2021-44228)

Any submissions for "log4j" DNS interaction on help.aiven.io will be closed as SPAM. This domain is hosted via Intercom and is out of scope for any kind of testing. Continued testing against help.aiven.io (Intercom) may result in you getting banned from the program.

About Aiven

Aiven is a next-generation managed cloud database platform as a service. Its focus is on ease of adoption, high fault resilience, customers' peace of mind and advanced features at competitive price points. See https://aiven.io/ for more information.

Services and Products in Scope

Please sign up for a free trial account and launch any service from the below list. We are most interested in vulnerabilities in the services and our APIs.

List of Aiven services eligible for bounty and available for testing:

  • Aiven for Apache Cassandra

  • Aiven for Apache Flink (beta)

  • Aiven for Clickhouse (beta)

  • Aiven for Grafana

  • Aiven for InfluxDB

  • Aiven for Apache Kafka

  • Aiven for Apache Kafka Connect

  • Aiven for Apache Kafka Mirrormaker

  • Aiven for M3

  • Aiven for M3 Aggregator

  • Aiven for MySQL

  • Aiven for OpenSearch

  • Aiven for PostgreSQL

  • Aiven for Redis

Out-of-Scope Assets

  • Only services you create yourself - for example, PostgreSQL, Kafka and Grafana - are in scope. Other services in the aivencloud.com domain not created by you are explicitly out of scope, as those are our customers' services.

  • Support chat functionality provided by Intercom on our web site is out of scope.

  • The contact us form (https://aiven.io/contact) and embedded versions of this contact us form on other pages are out of scope. You can identify and ignore them based on the src of the iframe (https://go.aiven.io/l/890043/2022-02-15/7dc33?referrer=contact or similar).

Program Rules

  • Use only your @wearehackerone.com email address for registering testing accounts. Do not use any other email addresses such as @gmail.com for security testing.

  • Only interact with accounts and services you own or with explicit permission of the account holder. Specifically, take note of rules on aivencloud.com domain.

  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.

  • Out of scope: Support chat functionality provided by Intercom on our web site is out of scope for any kind of testing. Please do not contact us using the support chat.

  • Social engineering (e.g. phishing, vishing, smishing) is prohibited.

  • If you suspect you are disrupting our service with reasonable activity (for example, sending in gigabits/s of traffic is not allowed; sending a reasonable rate of API requests is ok), please stop and open a report describing what you did and how you observed the disruption.

Report guidelines

  • We are interested in real-world vulnerabilities that have material security impact. Theoretical vulnerabilities without a proof of concept are not eligible for reward. The proof of concept has to be specific to (and work on) the Aiven domain or resource your report is about.

  • Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, there will be unnecessary delays in processing the issue. Report quality is taken into account when making decisions about reward and disclosure.

  • Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.

  • Do not submit any attachments unless requested by our team. Screenshots are accepted, but videos, binaries and so on are not okay.

  • When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).

  • Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.

  • Reports of software versions with known vulnerabilities (e.g. CVE) found on our domains must have a working proof of concept, or they will be marked spam. Vulnerabilities that are not exploitable as deployed on an in-scope domain or service are out of scope.

  • Do not submit scanner output. In general, automated tools and scanners won't provide you much help, because we run them ourselves already. If your report consists only of pasted scanner output, we will mark it spam.

Test Plan

Aiven offers a 30-day free trial on sign-up with a reasonable amount of credits.

  • Use only your @wearehackerone.com email address for registering testing accounts. Do not use any other email addresses such as @gmail.com for security testing.

  • If you need multiple accounts, you may create them using the username+foobar@wearehackerone.com address syntax.

  • To request additional credits please reach out to HackerOne Support clearly stating the need.

Please note that if you assign another payment method, such as your personal credit card, to your account, you are liable for all costs of resources and services consumed. Premium plans might incur significant cost for you. Contact us (through HackerOne support) before researching anything where the charges would exceed the trial credits.

Resources:

Response Targets

Aiven will make a best effort to meet the following SLAs for hackers participating in our program.

| Type of Response | SLA in business days |
| --- | --- |
| First Response | 2 days |
| Time to Triage | 2 days |
| Time to Bounty | 14 days |
| Time to Resolution | 30 days |

We’ll keep you informed about our progress throughout the process.

Disclosure Policy

Our disclosure policy is open but responsible. Thank you for joining us in supporting ethical disclosure.

  • Mutual disclosure policy: you can request disclosure for any closed report in the program. Our security team will contact you and agree whether the contents of the report can be made public. We are committed to protecting the safety of our customers as well as the anonymity of the reporter and the methods and tools used.

  • Responsible disclosure: we only disclose vulnerabilities that are original, meaningful for the security community and safe to disclose, taking our customers and other users of the open source software components into account. We will redact any confidential, personal or otherwise inappropriate information from the report before making it public.

  • Please do not discuss any vulnerabilities (even resolved ones) publicly or privately in any detail with any party outside of the program without express consent from the Aiven security team.

  • Follow HackerOne's disclosure guidelines.

Legal Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered authorised conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

In Scope Vulnerabilities

When reporting vulnerabilities, please consider (1) the attack scenario / exploitability, and (2) the security impact of the bug. In general we require a demonstrated security vulnerability - a simple usability issue (for example, entering specific, valid data causes the server to respond with 500 Internal Server Error, but no other impact is demonstrated) can be reported, but may not result in a bounty even if we end up fixing the issue.

| Vulnerability | Severity Range |
| --- | --- |
| Remote Code Execution | Critical |
| SQL Injection | High-Critical |
| XXE | High-Critical |
| XSS | Medium-High |
| Server-Side Request Forgery (SSRF) | Low-Critical |
| Directory Traversal - Local File Inclusion | Medium-High |
| Authentication/Authorization Bypass (Broken Access Control) | Medium-High |
| Privilege Escalation | Medium-High |
| Insecure Direct Object Reference (IDOR) | Medium-Critical |
| Misconfiguration | Low-High |
| Web Cache Deception | Low-Medium |
| CORS Misconfiguration | Low-Medium |
| CRLF Injection | Low-High |
| Cross Site Request Forgery (CSRF) | Medium |
| Information Disclosure | Medium (requires POC) |
| Request smuggling | Low-Medium |
| Mixed Content | Low |

Out of Scope Vulnerabilities

| Vulnerability | Description |
| --- | --- |
| Customer assets | APIs and services that you have set up yourself in the aivencloud.com domain are in scope, but other customers' services in aivencloud.com are explicitly out of scope. |
| Support chat | Any vulnerability that is related to the support chat function on our web page. |
| Denial of Service | Any activity that could lead to the disruption of our service (DoS). |
| Public Zero-day | Public zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case-by-case basis. |
| Rate-limiting | Rate limiting or brute-force issues on non-authentication endpoints. |
| Brute force | Brute-forcing long, generated tokens over the network. User enumeration. Password complexity. |
| Clickjacking | Clickjacking on pages with no sensitive actions, or clickjacking that would be prevented if a Content-Security-Policy-Report-Only header on a page were changed to Content-Security-Policy. |
| Security Best Practices | Missing security headers, cookie flags, etc. |
| Email security best practices | Invalid, incomplete or missing email SPF/DKIM/DMARC records. |
| SSL/TLS Best Practices | Missing best practices in SSL/TLS configuration. |
| Information disclosure | Software version disclosure, banner identification, descriptive error messages or headers, stack traces, application or server errors. Errors containing confidential or secret information that can be used to escalate access are in scope. |
| CSRF | Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions or minimal impact. |
| Content Spoofing | Content spoofing and text injection issues without showing an attack vector / without being able to modify HTML/CSS. |
| MITM | Attacks requiring man-in-the-middle or physical access to a user's device. |
| Unlikely user interaction | Issues that require unlikely user interaction. For example, requiring the user to manually enter crafted content. |
| Outdated browsers | Vulnerabilities only affecting users of outdated or unpatched browsers (more than 2 stable versions behind the latest released stable version). |
| Open redirect | Open redirect - unless an additional security impact can be demonstrated. |
| Header Injection | Host header injection with no impact. |
| Social engineering | Social engineering (e.g. phishing, vishing, smishing, tabnabbing) is prohibited. |
| Physical attacks | |

We have seen multiple different reports on rate-limiting. Do note that with default settings, Burp Suite is quite conservative in its request rates, and we start soft-delaying requests before rejecting requests due to rate-limiting. A single-threaded process may only hit the soft-delay limits, creating the illusion of no rate-limiting, as each request gets a response, albeit slowly. Please make sure the issue wasn't on your end - for example, your device running out of resources or your network connection being saturated - in order to avoid false positives. We won't accept reports circumventing rate-limiting using a pool of IP addresses, even when it allows making more requests than using a single IP address would.
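The soft-delay behaviour described above is easy to misread from the client side, so the following added example (not Aiven's code, and not a description of their implementation) models a sliding-window limiter with a soft band, where requests are still answered but after a growing delay, and a hard limit, where they are rejected. It then simulates two clients against it: a single-threaded client that waits for each response, and a concurrent burst. The window length, thresholds and round-trip time are constructed sample values.

```python
"""Sliding-window rate limiter that soft-delays before rejecting.

Added illustration, not Aiven's code. Below `soft_limit` requests in the
window are served at once; between `soft_limit` and `hard_limit` they are
served after a delay that grows with the backlog; at `hard_limit` they are
rejected (what a real server would answer with HTTP 429). All numbers are
constructed sample values.
"""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class SoftDelayLimiter:
    window_s: float = 1.0      # length of the sliding window in seconds
    soft_limit: int = 5        # requests per window served without delay
    hard_limit: int = 10       # requests per window before rejection
    delay_step_s: float = 0.2  # extra delay per request above the soft limit
    _hits: deque = field(default_factory=deque, repr=False)

    def decide(self, now: float):
        """Return ("ok", 0.0), ("delayed", seconds) or ("rejected", 0.0)."""
        # Forget timestamps that have aged out of the window.
        while self._hits and now - self._hits[0] >= self.window_s:
            self._hits.popleft()
        in_window = len(self._hits)
        if in_window >= self.hard_limit:
            return "rejected", 0.0  # rejected requests do not count as hits
        self._hits.append(now)
        if in_window < self.soft_limit:
            return "ok", 0.0
        # Soft band: the request is answered, but only after a delay.
        return "delayed", (in_window - self.soft_limit + 1) * self.delay_step_s


def sequential_client(limiter: SoftDelayLimiter, n_requests: int, rtt_s: float = 0.05):
    """Simulate one single-threaded client that waits for every response.

    A virtual clock advances by the network round trip plus whatever delay
    the server imposed, so the client is paced by the soft band and tends
    never to reach the hard limit: every request gets an answer, slowly.
    """
    clock = 0.0
    counts = {"ok": 0, "delayed": 0, "rejected": 0}
    for _ in range(n_requests):
        status, delay = limiter.decide(clock)
        counts[status] += 1
        clock += rtt_s + delay
    return counts


def burst_client(limiter: SoftDelayLimiter, n_requests: int):
    """Simulate a concurrent burst: all requests arrive at the same instant."""
    counts = {"ok": 0, "delayed": 0, "rejected": 0}
    for _ in range(n_requests):
        status, _ = limiter.decide(0.0)
        counts[status] += 1
    return counts


if __name__ == "__main__":
    print("sequential:", sequential_client(SoftDelayLimiter(), 40))
    print("burst:     ", burst_client(SoftDelayLimiter(), 15))
```

The sequential client sees a mix of immediate and delayed answers and no rejections, which is exactly the "illusion of no rate-limiting" the paragraph warns about; the burst is what actually reaches the hard limit. When assessing whether a limit exists, the response latency has to be measured alongside the status codes.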

Thank you for helping keep Aiven Ltd and our users safe!

In Scope

| Scope Type | Scope Name |
| --- | --- |
| other | Aiven for Apache Kafka managed and hosted service |
| other | Aiven for M3 managed and hosted service |
| other | Aiven for PostgreSQL managed and hosted service |
| other | Aiven for MySQL managed and hosted service |
| other | Aiven for Apache Cassandra managed and hosted service |
| other | Aiven for Redis managed and hosted service |
| other | Aiven for InfluxDB managed and hosted service |
| other | Aiven for Grafana managed and hosted service |
| other | Aiven for OpenSearch managed and hosted service |
| other | Aiven for Apache Flink (beta) managed and hosted service |
| other | Aiven for Clickhouse (beta) managed and hosted service |
| web_application | www.aiven.io |
| web_application | console.aiven.io |
| web_application | api.aiven.io |
| web_application | aivencloud.com |
| web_application | help.aiven.io |
| web_application | github.com/aiven |


FireBounty crawled the Aiven Ltd program on the HackerOne platform on 2020-08-25.
