Founded in 2010, strategic partner to Dassault Systèmes and CMSP Advanced certified by Cisco Systems, Outscale provides enterprise-class Cloud Computing services (IaaS) that meet regulatory and local requirements internally. Outscale offers solutions to clients that are seeking to boost Business Agility and rapidly deploy value-enhancing business models. Investing 15% of revenues in R&D from the very beginning, Outscale is committed to offering services that combine excellence and thoroughness, which have won over more than 800 corporate clients in France, the USA, and China, as well as several hundred users working for well-known multinationals via Dassault Systèmes. Outscale has received ISO 27001:2013 security certification for all its French locations.
Outscale develops its own Cloud orchestrator, TINA OS, with strong security requirements and provides many additional products around this infrastructure.
The target is the cloud customer interface cockpit of the eu-west-2 region reachable at https://cockpit-eu-west-2.outscale.com
Cockpit is the cloud web interface developed to help Outscale customers use the IaaS service.
The scope of this bounty is focused on the Cockpit service of the eu-west-2 region. The service is available at https://cockpit-eu-west-2.outscale.com. Other subdomains on outscale.com are not concerned by this bounty. You can find documentation here:
The focus of a reported vulnerability must be on confidentiality, integrity, or traceability. The availability of the scope is not covered by this bounty (no denial of service is allowed). Only exploitable vulnerabilities are covered. A proof of concept for the vulnerability must be provided in the report.
Customers with cloud resources are not concerned by this bounty. Snapshots and images provided by Outscale are not concerned, either.
Keep in mind that this is a production environment: no data alteration is allowed inside the Outscale infrastructure or on Outscale customers' Cloud infrastructure, and, therefore, you must not affect the availability of the platform.
Our security team will review each committed finding and establish communication as soon as possible to reproduce and solve the reported vulnerability. Please allow 5 working days for our initial response. We ask you to make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service during your research.
Rating | CVSS score | Bounty
--- | --- | ---
None | 0.0 | No bounty
Low | 0.1 - 3.9 | Goodies
Medium | 4.0 - 6.9 | 80 €
High | 7.0 - 8.9 | 300 €
Critical | 9.0 - 10.0 | 800 €
Outscale will determine, in its discretion, whether a reward should be granted and the amount of the reward. In particular, we may choose to pay higher rewards for severe vulnerabilities or lower rewards for vulnerabilities that are considered less severe. This is not a contest or competition.
Goodies are resources on our IaaS (a reduction on the invoice), which will help you find higher-rated vulnerabilities.
The registration process is outside the scope of the bounty. If you want your account to be successfully created, you must provide correct information. The system will deny the registration if it detects abnormal information.
In case of problems, you can send a mail to firstname.lastname@example.org.