Banner object (1)

Hack and Take the Cash !

791 bounties in database
  Back Link to program      
12/12/2018
Outscale logo
Thanks
Gift
Hall of Fame
Reward

Reward

50 € 

In Scope

Scope Type Scope Name
undefined Any resource created or accessed with the Outscale Cloud
web_application https://cockpit-eu-west-2.outscale.com/
web_application https://fcu.eu-west-2.outscale.com
web_application https://lbu.eu-west-2.outscale.com
web_application https://osu.eu-west-2.outscale.com
web_application https://eim.eu-west-2.outscale.com
web_application https://icu.eu-west-2.outscale.com
web_application https://directlink.eu-west-2.outscale.com

Out of Scope

Scope Type Scope Name
undefined Other subdomains on outscale.com (wiki.outscale.net, fr.outscale.com, en.outscale.com... )
undefined Social engineering of Outscale employees and contractors
undefined Attack against Outscale offices (malware, backdoor, DoS, etc.)
undefined Denial of service attacks
undefined Vulnerabilities on products or services other than Cockpit or APIs
undefined Issues in our DNS and NTP
undefined Same behavior as Amazon Web Services
undefined E-mail server configuration (DKIM/SPF/DMARC)
web_application Issues not leading to confidentiality, traceability or integrity problems. You can report it to support@outscale.com.

Outscale

TL;DR

Outscale, an IaaS Cloud provider, is looking for any security-oriented feedback. We used to limit this Bug Bounty program to our Client Administration Website (Cockpit) and part of our APIs, but now we are exposing (most of) our client accessible endpoints for your greatest pleasure (yes, including our Cloud resources)!

Want to know the target? It's simple! We want you to find any ways of accessing other people’s resources, or anything impacting their customer experience or the infrastructure itself!

Is that it? Are you enthralled? Are you ready to make your pentesting tools armada let out an enthusiastic roar?

Then read the rest of this page to avoid losing precious time and points by reporting Out of Scope vulnerabilities, and get to know us a bit more at the same time.

Hunter skills that will lead you to success:

  • Web, but you’d better be good as that's the most common.
    • Be prepared to attack APIs.
  • SecOps, as you'll need an understanding of how the Cloud works.
  • Network Security, as the golden nugget might very well be hidden inside our network.

Introduction

Founded in 2010, strategic partner of Dassault Systèmes and CMSP Advanced certified by Cisco Systems, Outscale provides enterprise-class Cloud Computing services (IaaS) that meet regulatory and local requirements internally. Outscale offers solutions to clients seeking to boost their Business Agility and rapidly deploy value-enhancing business models. Investing 15% of its revenues in R&D from the very beginning, Outscale is committed to offer services that combine excellence and reliability, which have won over more than 800 corporate clients in France, the USA, and China, as well as several hundred users working for well-known multinationals via Dassault Systèmes. Outscale has received ISO security certification 27001-2013 for all its French locations.

Outscale develops its own Cloud orchestrator, TINA OS, with strong security requirements and which provides many additional products around this infrastructure.

Outscale Services Overview

As Outscale is compatible with AWS EC2, our infrastructure has a similar architecture.

We have public websites (https://outscale.com/) which are not in the scope , and which are not part of our products.

We have several APIs aiming to manage specific resources in the Cloud:

  • You can find the extensive list here: https://wiki.outscale.net/display/DOCU/Regions%2C+Endpoints+and+Availability+Zones+Reference
  • Each endpoint in the eu-west-2 region is in the scope of this bug bounty program.

We also have a web interface, Cockpit, built on top of our APIs, allowing our clients to interactively manage their resources in our Cloud:

  • This IS in the scope of this bug bounty program.

Our documentation can be found at the following locations:

  • https://wiki.outscale.net/
    • Here, you will find all kinds of information on how to use our Cloud.
  • http://docs.outscale.com/api_fcu/index.html
    • This is the API documentation. This is mostly useful when hunting for bugs in the API.

( Those ARE NOT in the scope. )

The points of focus for vulnerability must be on:

  • Confidentiality
  • Integrity
  • Traceability

The availability of the scope is not covered by this bounty program (denial of services is not allowed). Only exploitable vulnerabilities are covered.
A proof of concept must be provided in the report regarding vulnerabilities.
Customers with Cloud resources are not concerned by this bounty. Snapshots and images provided by Outscale are not concerned either.

Keep in mind that this is a production environment: no data alteration is allowed inside Outscale infrastructure or on Outscale customers Cloud infrastructure. You must not affect the availability of the platform.

If you have any doubts on whether you can test something or not, or if you want to make sure you are allowed to do something specific, you can send us an e-mail at bugbounty@outscale.com.

Rewards and Process

Outscale will determine, at its discretion, whether a reward should be granted, and the amount of this reward. We may choose to pay higher rewards for severe vulnerabilities or lower rewards for vulnerabilities that are considered less severe. This is not a competition.

Our Security team will review each committed finding and contact you as soon as possible to reproduce and solve the reported vulnerability. Please allow 5 working days for our initial reply. We ask you to make a good-faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our services during your research.

In case of problem, you can send an e-mail to bugbounty@outscale.com.
We are able to help you with the cloud itself ( if you need help understanding behaviors ), and are willing to help you move forward when you feel like you found something but fail to exploit it.

FireBounty © 2015-2019

Legal notices