We believe that no technology is perfect and that working with skilled security researchers is crucial in identifying weaknesses in our technology.
If you believe you found a security bug in our service, we are happy to work with you to resolve the issue promptly and ensure you are fairly rewarded for your discovery.
Any type of denial-of-service attack is strictly forbidden, as is any interference with our servers and infrastructure on the domains matrixreq.com and mtrx.ovh, with the exception of the single server designated as the target of this program. Please do not run automated scans; we can do that ourselves.
We created a dedicated virtual machine identical to our production machines.
Server hostname: hack1.mtrx.ovh
Service URL: https://hackme.matrixreq.com
We defined some users on that instance, along with some projects containing data. Finding a way to log in to the service as one of these users, and/or finding the content of the projects, is the ultimate goal and would be rewarded as Critical.
We are not handing out user accounts: this exercise is black-box only.
Our entire application is driven through a REST API:
Feel free to attack our instance through the API as well.
Vulnerabilities in other services or applications are out of scope.
Note about active protection: we normally have some active protections in place against attacks:
Please do not report the absence of any of the above as a vulnerability.
Also, we are aware of a potential issue with login.jsp being loadable in an iframe (a clickjacking concern); we are still deciding on the best way to address it, so please do not report it.
Please do not test other sites in our domain, such as our main web site https://matrixreq.com or our demo site https://demo.matrixreq.com, and do not request information or free instances or send support requests there. Doing so would jeopardize our normal support and the service we offer to our customers.
Our minimum reward is 50 Euros.
The following table is only an indication of rewards and does not bind the final decision.
We value quality reports and proofs of concepts.
Qualification | CVSS score | Bounty
None | N/A | No bounty
Low | 0.1 - 3.9 | <= 50€
Medium | 4.0 - 6.9 | <= 150€
High | 7.0 - 8.9 | <= 500€
Critical | 9.0 - 10.0 | <= 1500€
We are happy to thank everyone who submits valid reports which help us improve the security of MatrixALM. However, only those that meet the following eligibility requirements may receive a monetary reward:
You must be the first reporter of a vulnerability.
The vulnerability must be a qualifying vulnerability (see the list below).
Any vulnerability found must be reported no later than 24 hours after discovery, and exclusively through bountyfactory.io.
You must send a clear textual description of the report along with steps to reproduce the issue, including attachments such as screenshots or proof-of-concept code as necessary.
You must avoid tests that could cause degradation or interruption of our service (refrain from using automated tools, and keep your request rate low).
You must not leak, manipulate, or destroy any user data.
Reports about vulnerabilities are examined by our security analysts.
Our analysis is always based on the worst-case exploitation of the vulnerability, and so is the reward we pay.
Reports are reviewed within 5 working days (this is a maximum period - we'll probably respond sooner).
No vulnerability disclosure, including partial disclosure, is allowed for the moment.
Qualifying vulnerabilities:
Remote code execution (RCE)
Local file access and manipulation
Code injection (HTML, JS, SQL, PHP, ...)
Cross-Site Scripting (XSS)
Cross-Site Request Forgery (CSRF) with real security impact
Broken authentication & session management
Insecure direct object references
CORS misconfiguration with real security impact
You are responsible for paying any taxes associated with rewards. We reserve the right to modify the terms of this program or terminate this program at any time. You must comply with all applicable laws in connection with your participation in this program.
Contact us if you want more information.