This project has been sponsored by the European Commission as part of the EU- Free and Open Source Software Auditing (EU-FOSSA) project designed to improve the security of free software.
This program will be open for submissions for 8 weeks, though rewards may be processed beyond the 8 week period in order to allow for full evaluation of the impact of valid vulnerability reports.
Note: This program has now been extended for a further two months until 6th of July 2019
While researching, we'd like to ask you to refrain from:
The main goal is to find important security issues, that cannot be found with other approaches like static analysis, dynamic analysis or fuzzing.
MidPoint is an identity management and governance system. It is a comprehensive system that synchronizes several identity repositories and databases, manages them, makes them available in a unified form, manage roles, authorizations, entitlements and implements almost every aspect of identity management and governance. It belongs to the "management" part of Identity and Access Management (IAM) field.
The most important features of midPoint are:
More information: https://wiki.evolveum.com/display/midPoint/Introduction __
There are several options to set up a testing environment for the research. However, there are two recommended methods: build from source code and use of docker images.
First approach is the classic method of building midPoint from the source code, deploying and configuring it. Fresh bild from midPoint master branch should be used for this kind of testing. In this case proper system configuration is the sole responsibility of the researcher (please note that the default system configuration is not designed to be completely secure).
MidPoint source code: https://github.com/Evolveum/midpoint __
Second approach is taking advantage of pre-built midPoint docker containers. MidPoint docker images are built as part of midPoint automated CI process. Those images are available for testing. There is a “clean” image that contains only default midPoint configuration. There is also a planned release of an image with pre-configured scenarios.
Even for docker-based installation, it is a responsibility of the researcher to make sure that midPoint configuration is appropriate for the specific use case that the researcher is exploring. Configuration of MidPoint docker container is not meant to be complete and production-ready configuration, it is meant for demonstration purposes and as a basis to create specific deployment configurations. The researches are expected to make sure that midPoint configuration is appropriate for their test cases.
Details about midPoint docker containers:
https://wiki.evolveum.com/display/midPoint/Simple+demo __(Contains demo data)
For all testing cases it is strongly recommended for the researcher to get familiar with midPoint concepts, mechanisms and configuration. In-depth study of midPoint book and documentation is an essential part of preparation for the testing.
MidPoint book: https://evolveum.com/midpoint/midpoint-guide-about-practical-
MidPoint documentation: https://wiki.evolveum.com/display/midPoint/Documentation __
The PoC must work on the master branch of midpoint.git (HEAD), or the latest distribution build (4.0). Stable versions or older nightly builds are explicitly out of scope. Vulnerabilities that have patches available publicly are not taken in account.
The PoC must work on the latest version of Windows, macOS, Linux, and the security features of the platform (ASLR, etc.) must not be disabled.
PoC that works only with ASLR disabled will be denoted in severity, but might be accepted.
Our rewards are based on the severity of a vulnerability. HackerOne uses CVSS 3.0 (Common Vulnerability Scoring Standard) to calculate severity. We will update the program over time based on feedback, so please give us feedback on any part of the program you think we can improve on.
A bonus structure is in place from the 14th of June to 6th July 2019
There is a 20% bonus for including a fix in the report, when accepted by the maintainers.
Note : The 20% bonus is calculated off the new bonus structure.
Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
Thank you for helping keep MidPoint and our users safe!
If you have any questions or concerns on this Challenge, please contact tpm- firstname.lastname@example.org.