100 € 

Cryptobox Bug Bounty

What is Cryptobox?

Cryptobox provides businesses and organizations with a sharing and collaboration solution to secure internal and external exchanges, using end-to-end encryption. You can securely access your documents from any device, and control your data and costs with a scalable architecture and a patented security solution. Cryptobox can be deployed on premises, in the cloud, or in a hybrid model, depending on customer architecture requirements.


Cryptobox has been qualified by ANSSI for use at restricted level, and certified at CC EAL3+ level. Ercom is convinced that working with skilled security hunters around the globe is a relevant part of the flaw remediation process dedicated to maintaining a high security level.


The aim of the bug bounty program is to uncover significant vulnerabilities that have a direct and demonstrable impact on the security of Cryptobox users’ information. The Cryptobox Security Target (see describes precisely the assets protected by Cryptobox. Submissions will be evaluated with regard to the impact of uncovered vulnerabilities on these assets.


What hunters must do

  • Hunters must agree to and comply with all our program rules.
  • Hunters must be the first person to disclose a vulnerability.
  • All tests shall be done following the processes set by
  • Ercom provides a test platform for vulnerability assessment at This is the only system that shall be challenged.
  • Each hunter has two accounts (one with owner privilege and one with reader privilege) on the Cryptobox platform. Each hunter must give two email addresses for the creation of the Cryptobox accounts.
  • Hunters must use their own accounts to test the platform for vulnerabilities.
  • Once enrolled in the program with, hunters can apply for a user account on , following the sign-up process. They will be able to access the Cryptobox Security Target document and the Cryptobox Windows application.
  • Instant messaging of the new version (V3.5) is now in the scope of this program.

What hunters must not do

  • Tests not compliant with rules of will not receive any reward, and will be deemed illegal.
  • Hunters must not violate any local, state, national or international law.
  • Denial of Service vulnerabilities will not be rewarded, and no such attacks shall be performed. Also, all brute force attacks online shall be avoided.
  • Testing any other system than , in particular or is illegal.
  • Hunters shall not use more than 1 GB / account.
  • Attacking another hunter's account is not allowed.
  • Social engineering attacks are not allowed. In particular, guessing another user’s or administrator’s password is not considered as a vulnerability.
  • All documents provided to the hunters are currently confidential and shall not be disclosed.
  • Hunters shall not publicly disclose the bug until Ercom has confirmed the bug is fixed. Even then they shall not make exploits publicly available unless required by law or with Ercom’s written permission.

The following known points will no longer yield rewards:

  • It is possible for an unauthenticated user to test whether an account exists on the server by guessing the email, and to retrieve account information (name, surname, user_id, certificates).
  • The product does not have protection against actions taken “in number” by users (sharing by email, file upload, creation of spaces, simultaneous requests…).
  • Client applications remain connected without time limit.
  • SPF flag not set for this platform.

Browser supported

  • Chrome v56 and later
  • Firefox v51 and later

Application supported

  • Cryptobox for Android (available on Play store)
  • Cryptobox for iOS (available in the Apple store)


Ercom will pay rewards at Ercom’s discretion for a serious and reproducible vulnerability. Hunters are responsible for any applicable taxes associated with any reward they receive. Any report that results in a change in our code base will be rewarded, at minimum, by a €100 reward and a Hall of Fame recognition.

How to connect to Cryptobox?

Please contact us at this email:

Give us two different email addresses for creation of your two Cryptobox accounts.

To let us check your identity, please include your hunter pseudonym in the email.

Once we receive your two addresses, we send an email to each address so that you can subscribe to the platform.

Please choose as Trustee the mail address This is the only possibility to reactivate a password if you forget yours.

After your subscription, we allocate your two accounts to a workspace (the workspace name is your hunter pseudonym).

Each account has a specific right (one Reader and one Owner).

If you want to invite a new member into your workspace please use this email and inform our support team at Support-Bug-

Please note that we may modify the terms of this program or terminate it at any time.

Hall of Fame

FireBounty (c) 2015-2019