17/05/2019
In Scope

Scope type | Scope name
---|---
web_application | https://cloudinary.com/console
web_application | https://api.cloudinary.com
web_application | https://res.cloudinary.com
web_application | widget.cloudinary.com

Out of Scope

Scope type | Scope name
---|---
web_application | https://support.cloudinary.com
web_application | wiki.cloudinary.com

Cloudinary

Cloudinary is a SaaS/API provider that streamlines a website's entire image management pipeline. Cloudinary strives to be the standard for online images acquisition, manipulation and delivery.

Using Cloudinary you can easily move all your website’s images and other assets to the cloud. Automatically perform smart image resizing, cropping, merging, overlay, watermark, apply effects, rotations and perform format conversions. All this without installing any complex software. Integrate Facebook, Twitter, Google+ and Gravatar profile image extraction in a snap, fetch images from any online resource in any dimension and style to match your website’s graphics requirements, and much more. Simply put, if you have images in your web or mobile app, let Cloudinary manage them for you.

Cloudinary offers comprehensive APIs and administration capabilities and is easy to integrate with any web application. To simplify integration further we also have client libraries for Ruby on Rails, Python/Django, PHP, .NET, Node.js and more. In addition, alternative integration methods allow non-developers, bloggers and website administrators to enjoy Cloudinary with nearly zero code changes.


For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability's priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher, along with the opportunity to appeal and make a case for a higher priority.

We are particularly interested in, and will consider extraordinary, submissions around:

  • Major exposures around customer data leak
  • Issues that result in full compromise of a system (RCE, etc.)
  • Business logic bypasses resulting in significant impact
  • Major operational failure

Reward Range

Last updated 8 Aug 2019 17:18:39 UTC

Technical severity | Reward range
---|---
P1 Critical | $1,500 - $3,000
P2 Severe | $500 - $1,500
P3 Moderate | $150 - $500

P4 are only eligible to receive kudos points. P5 submissions do not receive any rewards for this program.

Targets

In scope

Target name | Type
---|---
<https://cloudinary.com/console> | Website
<https://api.cloudinary.com> | API
<https://res.cloudinary.com> | API
widget.cloudinary.com | Website

Out of scope

Target name | Type
---|---
<https://support.cloudinary.com> | Website
wiki.cloudinary.com | Website

Testing is only authorized on the targets listed as In-Scope. Any domain/property of Cloudinary not listed in the targets section is out of scope. This includes any/all subdomains not listed above. If you believe you've identified a vulnerability on a system outside the scope, please reach out to support@bugcrowd.com before submitting.

Documentation:

Please check out our full documentation for feature explanation, what's possible, and our API docs here: https://cloudinary.com/documentation


Access

You must use your @bugcrowdninja email address to set up your Cloudinary account. The main reason for doing so is that in case of need, our team will know you’re from Bugcrowd and have no malicious intentions.
For more info regarding @bugcrowdninja email addresses, see here.

Focus Areas

  • cloudinary.com/console
  • api.cloudinary.com (admin and upload APIs)
  • res.cloudinary.com (delivery CDN)
  • widget.cloudinary.com (upload widget UI)

Out-of-Scope

  • Do not test UI widgets posting feedback (“Tell us what you think” form) to https://cloudinary.com/console/api/v1/user/send_feedback
  • support.cloudinary.com
  • wiki.cloudinary.com
  • Cloudinary has built-in functionality to fetch remote URLs and read remote files into the system: via fetch URLs (http://res.cloudinary.com/demo/image/fetch/), via the upload API's URL parameter (https://cloudinary.com/documentation/image_upload_api_reference#upload) and in other places in the API. This functionality, used as intended, will not be considered an SSRF vulnerability when it allows access to external servers, even though it could be used to anonymously scan other web servers for vulnerabilities or for open ports other than common web ports. We will accept disclosures that show how this functionality can be used to access internal networks, or external services, with significant security or DoS impact.
  • Support tickets (due to the load on our support teams, please DO NOT perform any testing on, or create any, support tickets)
  • Social engineering / phishing

Safe Harbor:

When conducting vulnerability research according to this policy, we consider this research to be:

  • Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) (and/or similar state laws), and we will not initiate or support legal action against you for accidental, good faith violations of this policy;
  • Exempt from the Digital Millennium Copyright Act (DMCA), and we will not bring a claim against you for circumvention of technology controls;
  • Exempt from restrictions in our Terms & Conditions that would interfere with conducting security research, and we waive those restrictions on a limited basis for work done under this policy; and
  • Lawful, helpful to the overall security of the Internet, and conducted in good faith.
  • You are expected, as always, to comply with all applicable laws.

If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please submit a report through this program, or inquire via support@bugcrowd.com before going any further.

Program rules

This program follows Bugcrowd’s standard disclosure terms.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.

FireBounty © 2015-2019
