Description

Flexmail is a 100% Belgian email marketing platform, powerful and easy to use. With Flexmail, you can write strong marketing and transactional emails, reach your target group and learn from the proper results. Flexmail is committed to maintaining a high level of security for our systems and services. As part of this commitment, we encourage security researchers to report any vulnerabilities they discover in our systems. We appreciate the efforts of security researchers who help us identify and address potential security weaknesses.

Bounties

This is a responsible disclosure program without bounties.

Rules of engagement

  • Required: Intigriti - user@intigriti.me
  • max. 5 requests/sec
  • Not applicable

By participating in this program, you agree to:

  • Respect the Community Code of Conduct
  • Respect the Intigriti Terms and Conditions
  • Respect the scope of the program
  • Not discuss or disclose vulnerability information without prior written consent (including PoCs on YouTube and Vimeo)
  • Submit reports in English, with a detailed attack scenario and clear, reproducible steps.
  • Avoid causing any damage or disruptions to our systems. Refrain from altering, changing, or deleting data. Do not introduce backdoors: even if intended to demonstrate the vulnerability, backdoors can pose significant risks to our systems' security. Limit your investigation to the scope necessary to identify and report the vulnerability.
  • Protect data confidentiality. Avoid inadvertently causing data breaches by sharing screenshots or recordings on third-party cloud platforms.

Domains

  • *.flexmail.be (Wildcard) - No bounty
  • *.flexmail.eu (Wildcard) - No bounty
  • *.flxml.eu (Wildcard) - No bounty
  • 37.148.180.0/25 (IP Range) - No bounty

In scope

Welcome!

Flexmail's commitment to the security and reliability of our online services is a top priority. Despite the effort we put into the security of our systems, vulnerabilities can still be present.

We believe that collaboration with the security community is essential to maintaining a robust security posture. If you have discovered a vulnerability in our systems, we encourage you to report it to us. Your insights will help us identify and address potential weaknesses, ultimately enhancing the security and reliability of our services.

To encourage reporting, we urge you to send us any vulnerability you detect. A researcher who provides a high-quality report that is important for the continuity and reliability of our product can be invited to the private program. A bounty is possible after the invitation.

Thank you for your contribution to our security efforts.

Out of scope

Application

  • Flexmail users can use HTML (including JS) to set up their forms. Therefore, stored XSS in your own forms on cdn.flexmail.eu without specific proven impact other than phishing is out of scope. Altering someone else's form in any way is still in scope.
  • API key disclosure without proven business impact
  • Pre-Auth Account takeover/OAuth squatting
  • Self-XSS that can't be used to exploit other users
  • Verbose messages/files/directory listings without disclosing any sensitive information
  • CORS misconfiguration on non-sensitive endpoints
  • Missing cookie flags
  • Missing security headers
  • Cross-site Request Forgery with no or low impact
  • Presence of autocomplete attribute on web forms
  • Reverse tabnabbing
  • Bypassing rate-limits or the non-existence of rate-limits
  • Best practices violations (password complexity, expiration, re-use, etc.)
  • Clickjacking without proven impact/unrealistic user interaction
  • CSV Injection
  • Sessions not being invalidated (logout, enabling 2FA, etc.)
  • Tokens leaked to third parties
  • Anything related to email spoofing, SPF, DMARC or DKIM
  • Content injection without being able to modify the HTML
  • Username/email enumeration
  • Email bombing
  • HTTP Request smuggling without any proven impact
  • Homograph attacks
  • XMLRPC enabled
  • Banner grabbing/Version disclosure
  • Not stripping metadata of files
  • Same-site scripting
  • Subdomain takeover without taking over the subdomain
  • Arbitrary file upload without proof of the existence of the uploaded file
  • Blind SSRF without proven business impact (pingbacks aren't sufficient)
  • Disclosed/misconfigured Google Maps API keys
  • Host header injection without proven business impact

General

  • If a reported vulnerability was already known to the company from its own tests, it will be flagged as a duplicate
  • Theoretical security issues with no realistic exploit scenario(s) or attack surfaces, or issues that would require complex end user interactions to be exploited
  • Spam, social engineering and physical intrusion
  • DoS/DDoS attacks or brute force attacks
  • Vulnerabilities that only work on software that no longer receives security updates
  • Attacks requiring physical access to a victim's computer/device, man in the middle or compromised user accounts
  • Recently discovered zero-day vulnerabilities found in in-scope assets within 14 days after the public release of a patch or mitigation may be reported, but are usually not eligible for a bounty
  • Reports that state that software is out of date/vulnerable without a proof-of-concept
  • Vulnerabilities detected by Flexmail / team.blue employees or former employees of Flexmail are welcomed but excluded from any rewards.

Severity assessment

This program follows Intigriti's contextual CVSS standard.

FAQ

Where can we get credentials for the app?

You can self-register via the website, but please don't forget to use your @intigriti.me address. Suspicious accounts with another email domain will be deleted by our abuse team.

Additional accounts can be created on flexmail.be with + aliases in the registration email address, e.g. <intigriti_username>+secondaccount@intigriti.me

Where can we get credentials for the API?

API tokens can be generated in the customer application UI: Settings > API > Personal access tokens

Where can we get credentials for the other apps?

We currently don’t offer any credentials to test user roles in those applications.

I have another question.

Feel free to reach out to vdp@flexmail.eu with your @intigriti.me address.

Program specifics

  • No collaboration

Activity

  • 10/21: Flexmail responsible disclosure program launched