OneSpan (formerly known as VASCO Data Security) is a global leader in digital security with two-factor authentication, transaction data signing, document e-signature and identity management solutions designed for financial institutions, enterprises, healthcare institutions as well as government agencies. Trusted Identity Platform, or TID, is OneSpan's cloud-based platform that delivers security technologies to secure digital interactions. In this project, we request researchers to validate the security of the TID Developer Portal and the TID Microservices (Adaptive Authentication services). The scope of this project is limited to the following products:
TID Developer Portal
Application entry points:
TID Microservices (Adaptive Authentication services)
Application entry points:
Please note that all domains of OneSpan/VASCO are out of scope except the ones mentioned in the “in scope” section.
The Risk Analytics Presentation Service application is also explicitly out of scope. The URL of this application is https://sdb.tid.onespan.cloud/irm/.
The IDENTIKEY Authentication Server application is also explicitly out of scope. The URL of this application is https://sdb.tid.onespan.cloud/ias/.
All services running on ports of the above-mentioned servers that are not explicitly mentioned in the in-scope section are also explicitly out of scope.
You will not receive a reward and your submission will be rejected if it is out of scope or if it is one of the following:
General
* Violations against best practices that only have a theoretical chance of exploitation
* Highly speculative reports about theoretical damage. Be concrete.
* Denial of Service attacks
* Publicly accessible login panels of OneSpan software
* Reports that state that software is out of date/vulnerable without proven exploitable risks
* Vulnerabilities as reported by automated tools without additional analysis as to how they're an issue
* Physical or social engineering attempts (this includes phishing attacks against employees)
Infrastructure
* Recently disclosed 0-day vulnerabilities against commercial products where no patch is available or the patch was released within the last 2 months. We need time to patch our software and release new versions just like everyone else.
* Open ports without an accompanying proof-of-concept demonstrating vulnerability
* Weak SSL/TLS configurations and SSL/TLS scan reports (for example output from sites such as SSL Labs or issues related to the fact that the applications are configured with self-signed certificates).
* Reports on misconfigured DNS settings or missing DNS domain records (such as missing DMARC or SPF records).
* Reports on the configuration of services that are not related to the tested application (for example reports about the email security of the tested domains and reports about the DNS servers hosting the DNS records of the tested domains).
* Reports on the configuration of the underlying operating system.
It will be the responsibility of Intigriti to pay ethical hackers in a timely and legal way. Payouts will only take place after agreement with OneSpan on the criticality of the impact and only if the submission was the first of its kind and agreed to be valid.
Duplicates policy: When two identical issues are reported, with different endpoints being the only difference between submissions, only the first submission will have the criticality below assigned.
If similar reports by the same user are reported within 14 days after accepting the previous (only differentiating in endpoint), the reports will be accepted but in a lower criticality, hence affecting the bounty.
OneSpan provides the following monetary rewards. In addition, researchers will be listed in OneSpan's Hall of Fame if they agree to it.
Exceptional: € 2.000 - examples:
* Remote Code Execution
Critical: € 1.000 - examples:
* Access to all user / domain details
* Privilege escalation: ability to read/modify data without having the privilege to do so, for example being able to create a user without having the required admin privilege.
* SQL/XML/JSON Injection that can be used to manipulate the behavior of the query or request.
* Impersonation of another user without copying the session cookie value
High: € 750 - examples:
* Stored XSS
Medium: € 500 - examples:
* Vulnerabilities that affect multiple users and require little or no user interaction to trigger.
* Reflected Cross-Site Scripting
* SQL/XML/JSON Injection that only generates an application error or breaks the query.
Low - examples:
* Vulnerabilities that affect single users and require interaction or significant prerequisites (MitM) to trigger.
* Scripting and automation
* Publicly accessible login panels of third-party software (for example the login panel of the application server or of the database server). Login panels of OneSpan products are out of scope.
Guidelines
* Provide detailed but to-the-point reproduction steps
* Include a clear attack scenario; a step-by-step guide in the PoC is highly appreciated
* Remember: quality over quantity!
* Provide details on the timestamp when you conducted the test and on the username that you used to conduct the test.
Application availability
* The applications should be available all the time.