Program Rules

We believe that no technology is perfect and that working with skilled security researchers is crucial in identifying weaknesses in our technology.

If you believe you found a security bug in our service, we are happy to work with you to resolve the issue promptly and ensure you are fairly rewarded for your discovery.

Any type of denial of service attacks is strictly forbidden, as well as any interference with our servers and infrastructure on the domains matrixreq.com and mtrx.ovh, with the exception of the one server designated as target of this program. Please do not use automated scans - we can do that too

Scope

We created a dedicated virtual machine identical to our production machines.
Server IP: hack1.mtrx.ovh
Service URL: https://hackme.matrixreq.com

We defined some users on that instance, and some projects with data. Finding ways to access the service with these user and login, and/or finding the content of the projects is the ultimate goal and would be rewarded as Critical (see below)
We are not giving away user accounts - we want this exercise to be black box only.

Our entire application goes through a REST API : https://hackme.matrixreq.com/rest/1/
Feel free to try invading our instance through that means as well.

The description of our API is public: https://app.swaggerhub.com/apis/matrixreq/MatrixALM_QMS/2.2

Vulnerabilities reported on other services or applications are not allowed.

Note about active protection: we normally have some active protections in place against hacking:

• A user account is locked after N login attempts with a bad password
• An IP is firewalled after N attempt on ssh connection or some other actions

Please do not report on vulnerabilities consisting of a lack of the above protections.
Also - we know about a potential problem with login.jsp being in an iframe for which we are thinking about the better way to solve - do not report on that.
Please do not investigate other sites in our domain like our main web site https://matrixreq.com - or our demo site https://demo.matrixreq.com - including requesting information, free instances, sending support requests. Doing so would jeopardize our normal support and the service we offer to our customers

Rewards

Our minimum reward is 50 Euros.

The following is merely an indicator of rewards, but does not reflect what the final decision might be.

We value quality reports and proofs of concepts.

Eligibility and Responsible Disclosure

We are happy to thank everyone who submits valid reports which help us improve the security of MatrixALM. However, only those that meet the following eligibility requirements may receive a monetary reward:

• You must be the first reporter of a vulnerability.

• The vulnerability must be a qualifying vulnerability (see below)

• Any vulnerability found must be reported no later than 24 hours after discovery and exclusively through yeswehack.com

• You must send a clear textual description of the report along with steps to reproduce the issue, include attachments such as screenshots or proof of concept code as necessary.

• You must avoid tests that could cause degradation or interruption of our service (refrain from using automated tools, and limit yourself about requests per second).

• You must not leak, manipulate, or destroy any user data.

Reports about vulnerabilities are examined by our security analysts.

Our analysis is always based on worst-case exploitation of the vulnerability, as is the reward we pay.

Reports are reviewed within 5 working days (this is a maximum period - we'll probably respond sooner).

No vulnerability disclosure, including partial is allowed for the moment.

Qualifying Vulnerabilities

• Remote code execution (RCE)
• Local files access and manipulation
• Code injections (HTML, JS, SQL, PHP, ...)
• Cross-Site Scripting (XSS)
• Cross-Site Requests Forgery (CSRF) with real security impact
• Open redirect
• Broken authentication & session management
• Insecure direct object references
• CORS with real security impact

NON-Qualifying Vulnerabilities

• Any hypothetical flaw or best practices without exploitable POC
• Unverified results of automated tools or scanners
• Use of a known-vulnerable library (without evidence of exploitability)
• Any physical attempts against Matrix or OVH offices or data centers
• Missing security-related HTTP headers which do not lead directly to a vulnerability
• Presence/absence of SPF/DMARC records
• Presence of autocomplete attribute on web forms
• Vulnerabilities affecting users of outdated browsers and platforms
• Self XSS
• Reports of insecure SSL/TLS ciphers (unless you have a working proof of concept)
• Mixed content warnings
• Denial of service
• Attacks requiring physical access to the server
• Disclosure of known public files or directories, (e.g. robots.txt, css files, images, ...)
• Massive automated actions on the platform through robots/crawling (except if it gathers sensitive information from members)
• Errors thrown by nginx when the request was invalid / fuzzing
• Host injection, except if you can successfully forge a wrong URL or compromise something using it
• Any hack that implies taking control of the users' machines first
• Clickjacking/UI redressing
• Disclosure of information without direct security impact (e.g. stack traces, path disclosure, directory listings, software versions, IP disclosure, 3rd party secrets)
• Open ports without real security impact
• Unauthenticated / Logout / Login and other low-severity Cross-Site Request Forgery (CSRF)
• Blind SSRF without direct impact (e.g. DNS pingback)
• Lack of rate-limiting, brute-forcing or captcha issues
• User enumeration (email, alias, GUID, phone number)
• Password requirements policies (length / complexity / reuse)
• Expired certificate, best practices and other related issues for TLS/SSL certificates

Browsers supported

• Chrome 68 +
• Firefox 61 +
• Safari (on mac os)
• Edge 42 +
• No "mobile" browser is accepted

Taxes

You are responsible for paying any taxes associated with rewards. We reserve the right to modify the terms of this program or terminate this program at any time. You must comply with all applicable laws in connection with your participation in this program.