25/01/2019

OneSpan Trusted Identity Platform

OneSpan (formerly known as VASCO Data Security) is a global leader in digital security with two-factor authentication, transaction data signing, document e-signature and identity management solutions designed for financial institutions, enterprises, healthcare institutions as well as government agencies. Trusted Identity Platform, or TID, is OneSpan's cloud-based platform that delivers security technologies to secure digital interactions. In this project, we request researchers to validate the security of the TID Developer Portal and the TID Microservices (Adaptive Authentication services). The scope of this project is limited to the following products:

TID Developer Portal
Application entry points:
  • https://sdb.tid.onespan.cloud/devportal/
  • https://.sdb.tid.onespan.cloud/
Accounts: researchers are allowed to create only one account using their @intigriti.me email address. Creating an account will generate a Tenant ID.

TID Microservices (Adaptive Authentication services)
Application entry points:
  • https://.sdb.tid.onespan.cloud/

Please note that all domains of OneSpan/VASCO are out of scope except the ones mentioned in the “in scope” section.

The Risk Analytics Presentation Service application is also explicitly out of scope. The URL of this application is https://sdb.tid.onespan.cloud/irm/.

The IDENTIKEY Authentication Server application is also explicitly out of scope. The URL of this application is https://sdb.tid.onespan.cloud/ias/.

All services running on ports on the above mentioned servers that are not explicitly mentioned in the in-scope section are also explicitly out of scope.

You will not receive a reward and your submission will be rejected if it is out of scope or if it is one of the following:

General
  • Violations against best practices that only have a theoretical chance of exploitation
  • Highly speculative reports about theoretical damage. Be concrete.
  • Denial of Service Attacks
  • Publicly accessible login panels of OneSpan software
  • Reports that state that software is out of date/vulnerable without proven exploitable risks
  • Vulnerabilities as reported by automated tools without additional analysis as to how they're an issue
  • Physical or social engineering attempts (this includes phishing attacks against employees)

Application
  • Debug information, stack trace information, excessive information leakage (internal IP addresses, server paths, …)
  • Open redirects - 99% of open redirect issues have low security impact. For the rare cases for which there is a security impact, like stealing sensitive data (customer records, …) or introducing XSS, we do still want to hear about them.
  • XSS issues in non-current browsers (older than 3 versions)
  • Self-XSS that cannot be used to exploit other users (this includes having a user paste JavaScript into the browser console)
  • Content injection issues
  • User enumeration
  • Cross-site Request Forgery (CSRF)
  • Missing autocomplete attributes
  • Missing cookie flags on non-security sensitive cookies
  • Missing security headers or unnecessary headers which do not present an immediate security vulnerability
  • Banner grabbing issues (figuring out what web server we use, etc.)
  • Clickjacking (including clickjacking on sensitive pages)
  • Injection attempts where the application doesn’t accept the input because of input validation
  • Session hijacking by copying the cookie values
  • Available HTTP methods that do not pose a security risk (for example if the PUT/DELETE methods seem to be available, but using them doesn’t have an impact because the corresponding server functionality is not available or implemented)

Infrastructure
  • Recently disclosed 0-day vulnerabilities against commercial products where no patch is available or the patch was released within the last 2 months. We need time to patch our software and release new versions just like everyone else.
  • Open ports without an accompanying proof-of-concept demonstrating vulnerability
  • Weak SSL/TLS configurations and SSL/TLS scan reports (for example output from sites such as SSL Labs, or issues related to the fact that the applications are configured with self-signed certificates)
  • Reports on misconfigured DNS settings or missing DNS domain records (such as missing DMARC or SPF records)
  • Reports on the configuration of services that are not related to the tested application (for example reports about the email security of the tested domains and reports about the DNS servers hosting the DNS records of the tested domains)
  • Reports on the configuration of the underlying operating system

It will be the responsibility of Intigriti to pay ethical hackers in a timely and legal way. Payouts will only take place after agreement with OneSpan on the criticality of the impact and only if the submission was the first of its kind and agreed to be valid.

Duplicates policy: When two identical issues are reported, with different endpoints being the only difference between submissions, only the first submission will have the criticality below assigned.

If similar reports by the same user are reported within 14 days after accepting the previous (only differentiating in endpoint), the reports will be accepted but in a lower criticality, hence affecting the bounty.

OneSpan provides the following monetary rewards. In addition, researchers will be listed in OneSpan’s Hall of Fame if they agree to it.

Exceptional: € 2.000 - examples:
  • Remote Code Execution

Critical: € 1.000 - examples:
  • Access to all user / domain details
  • Privilege escalation: ability to read/modify data without having the privilege to do so, for example being able to create a user without having the required admin privilege
  • SQL/XML/JSON Injection that can be used to manipulate the behavior of the query or request
  • Impersonation of another user without copying the session cookie value

High: € 750 - examples:
  • Stored XSS

Medium: € 500 – examples:
  • Vulnerabilities that affect multiple users and require little or no user interaction to trigger
  • Reflected Cross-Site Scripting
  • SQL/XML/JSON Injection that only generates an application error or breaks the query

Low – examples:
  • Vulnerabilities that affect single users and require interaction or significant prerequisites (MitM) to trigger
  • Scripting and automation
  • Publicly accessible login panels of third party software (for example the login panel of the application server or of the database server). Login panels of OneSpan products are out of scope.

  • https://sdb.tid.onespan.cloud/devportal/
  • https://.sdb.tid.onespan.cloud/ (Creating a test account will generate a Tenant ID)

Guidelines
  • Provide detailed but to-the-point reproduction steps
  • Include a clear attack scenario; a step-by-step guide in the PoC is highly appreciated
  • Remember: quality over quantity!
  • Provide details on the timestamp when you conducted the test and on the username that you used to conduct the test

Response timeframe
  • We will respond to reports within 5 days.

Application availability
  • The applications should be available all the time.


FireBounty (c) 2015-2019