What is Cryptobox?
Cryptobox provides businesses and organizations with a sharing and collaboration solution to secure internal and external exchanges, using end-to-end encryption.
You can securely access your documents from any device, control your data and costs with a scalable architecture and a patented security solution. Cryptobox can be deployed on premises, in the cloud or in a hybrid model depending on customer architecture requirements.
Share, collaborate and exchange end-to-end encrypted documents with colleagues or external partners!
- Safely exchange data and documents through end-to-end encryption
- As a workspace owner, maintain control by defining the roles of each member
- Ensure that each user can access only what they are entitled to see
- Accessible across multiple devices and browsers
Adds-on Options available:
- Deposit box
Each user can create and share a unique, secure ‘deposit box' link, allowing anyone who doesn't necessarily have an account to upload documents directly into Cryptobox with just 1 click.
Website
Security
Cryptobox has been qualified by ANSSI for use at the "restricted" level, and certified at the Common Criteria EAL3+ level.
Ercom is convinced that working with skilled security hunters around the globe is a relevant part of the flow remediation process dedicated to maintain a high security level.
New releases
[Version 4.35]
iOS
- When the application is launched, the workspace list is systematically displayed as the home page.
[Version 4.34]
- File history
- For each file, users have the option to view and export its activities. The feature also allows retrieving any version of the file and viewing the downloads associated with each version. You can find out more about this new feature from this leaflet
- Workspace restoration reserved for owners -
From now on, only the owners of a workspace have the ability to restore a previous state of the workspace from the history.
[Version 4.33]
Web / Desktop
- Deposit box -
The user can generate a link to allow someone (without an account) to upload files to Cryptobox. Only the creator of the deposit box can access the files and choose to download them or integrate them into one of their workspaces.
[Version 4.32]
- Global:
- Export file activities -
File activities can be exported via the new "Export activities" menu. Activities will only be tracked for files added or modified after the upgrade to version 4.32.
- Replacing the content of an existing file -
It is now possible to modify a document by directly uploading a new version of it via the "Import new version" menu. Whatever the name of the file uploaded, the name of the existing file in the space is preserved, only its content is modified.
[Version 4.31]
- Global :
- Internal links: ability to share with workspace members a link to the current version of a given file or directory
- Display of a dedicated page during maintenance operations
- Android :
- Deleted workspaces section has been added on Android devices
Rules
What hunters must do
- All our program rules must be agreed and complied by hunters.
- All tests shall be done following the processes set by YesWeHack.
- Ercom provides a dedicated test platform for vulnerability assessment at https://bounty.cryptobox.com. This is the only platform that shall be challenged.
- Each hunter will get access to 2 accounts, so that hunters can try attacking one of their account from the other.
What hunters must not do
- Tests not compliant with rules of YesWeHack will not receive any reward, and will be deemed illegal.
- Hunters must not violate any local, state, national or international law.
- Hunters must not attack other another accounts than one of theirs.
- Hunters must not use social engineering attacks.
- Hunters shall not use more than 1 GB per account.
- All documents provided to the hunters are currently confidential and shall not be disclosed.
- Hunters shall not publicly disclose the bug until Ercom has confirmed the bug is fixed. Even then they shall not make exploits publicly available unless required by law or with Ercom’s written permission.
Supported browsers
- Current versions of Firefox, Chrome and Edge.
Supported apps
Note
Cryptobox is a product that can be deployed either on premise or in the cloud, with one platform being deployed for a given company. It is expected that users of a given Cryptobox platform have access to each other information. This includes the email address, first name, last name and public certificates. In the context of this bug bounty, we deployed one dedicated platform https://bounty.cryptobox.com for all hunters. As a consequence, please be aware that your account information (first name, last name, email) will be visible by all other hunters.
Rewards
Ercom will pay rewards at Ercom’s discretion for a serious and reproducible vulnerability. Submissions will be evaluated in regard to the impact of uncovered vulnerabilities to these assets. Hunters are responsible for any applicable taxes associated with any reward you receive. Any report that results in a change in our code base will be rewarded, at minimum, by a €100 reward. Only the first hunter who find a given vulnerability is eligible to get a reward.
Please note that we may modify the terms of this program or terminate it at any time.
Reports of leaks and exposed credentials
In the context of this program, we do not intend to encourage, accept or reward reports of leaks that are not applicable to our program’s scope and identified outside of our program’s scope, such as:
- Exposed credentials in/from an out-of-scope asset/source
- Sensitive information exposed in/from an out-of-scope asset/source
Also, in order not to encourage dark and grey economies, in particular the purchase, resale and trade of identifiers or stolen information, as well as all types of dangerous behavior (e.g. social engineering, ...), we will not accept or reward any report based on information whose source is not the result of failure on the part of our organization or one of our employees/service providers.
This excludes, but is not limited to:
- Stolen credentials gathered from unidentified sources
- Exposed credentials that are not applicable on the program’s scope
- Exposed GitHub/GitLab (or similar) instance with no direct relation with our program’s scope
- Exposed secrets (e.g. API tokens/keys or other technical credentials) that are not directly related to the program’s scope
- Exposed PII on an out-of-scope asset
To summarize our policy, you may refer to this table :
|
Source of leak is in-scope |
Source of leak belongs to MyCompany but is out-of-scope |
Source of leak does not belong to MyCompany and is out-of-scope |
Impact is in-scope (e.g. valid credentials on an in-scope asset) |
Eligible |
Eligible |
Not Eligible |
Impact is out-of-scope (e.g. valid credentials for an out-of-scope asset) |
Eligible |
Not Eligible |
Not Eligible |
Important precautions and limitations
As a complement to the Program’s rules and testing policy :
- DO NOT alter compromised accounts by creating, deleting or modifying any data
- DO NOT use compromised accounts to search for post-auth vulnerabilities (they won’t be eligible anyway)
- DO NOT include Personally Identifiable Information (PII) in your report and please REDACT/OBFUSCATE the PII that is part of your PoC (screenshot, server response, JSON file, etc.) as much as possible.
- In case of exposed credentials or secrets, limit yourself to verifying the credentials validity
- In case of sensitivie information leak, DO NOT extract/copy every document or data that is exposed and limit yourself to describe and list what is exposed.