Description

BloomUp grew as a response to COVID-19 as a platform that connects people in need of mental support with a mental health professional. By answering a few short questions, the client is matched with 3 of our professionals and can pick one. They can either set up a call immediately (if the professional is available) or schedule a consult. The first 30 minutes are free as an intake consult. When the client and professional hit it off, they can schedule a follow-up, paid consult.

Bounties

Responsible disclosure

Rules of engagement
Required
Not applicable
max. 5 requests/sec
Not applicable

Our promise to you

  • ❤️ You will help respond to the COVID-19 crisis in a meaningful way.
  • We will respond to reports within 3 days at the latest, probably within a day!
  • Exceptional and critical issues will get honourable 🎖 mentions on our security page (to be set up in Q1-Q2 2021)
  • We are happy to answer any questions; please use the button in the top right corner for this.
  • We respect the safe harbour clause that you can find below.

Your promise to us

  • Always use your intigriti.me address for registering!
  • Provide detailed but to-the-point reproduction steps
  • Include a clear attack scenario. How exactly will this affect us?
  • Remember: quality over quantity!
  • Please do not discuss or post vulnerabilities without our consent (including PoCs on YouTube and Vimeo)
  • Please do not use automatic scanners - be creative and do it yourself! We cannot accept any submissions found using automatic scanners. Scanners also won't improve your skills, and they can cause a high server load (we'd rather spend our time thanking researchers than blocking their IPs 😉)
  • We would appreciate your take on how to remediate the bug or security issue you have found.

Domains

analytics.bloomup.org

No Bounty | URL | Priority: 4️⃣ - Language: 🇬🇧

Our self-hosted analytics server, which gathers analytics about app usage. For this we use an instance of Matomo.
Here we expect a focus on the security hardening of the server set-up.

No submissions are allowed that point at existing Matomo bugs: https://github.com/matomo-org/matomo/issues

chat.bloomup.org

No Bounty | URL | Priority: 3️⃣ - Language: 🇬🇧

Our internal self-hosted chat and community. It is used for employee conversations and also as a communication tool towards and between our professionals. MatterMost is used. Here we expect a focus on the security hardening of the server set-up.

No submissions are allowed that point at existing MatterMost bugs: https://mattermost.atlassian.net/browse/TMFJ-11?jql=

meet.bloomup.org

No Bounty | URL | Priority: 2️⃣ - Language: 🇬🇧

This server runs the Jitsi instance we use so clients can have an online video consultation with our professionals.
The best way to test is by using demo.bloomup.org: register as both a user and a professional and set up a consult with yourself.
Here we expect a focus on the security hardening of the server set-up.

No submissions are allowed that point at an existing Jitsi bug: https://desktop.jitsi.org/Development/BugsAndIssues.html

staging.bloomup.org

No Bounty | URL | Priority: 1️⃣ - Language: 🇳🇱

Staging version of our main app.
This app has two sides: that of the client and that of the mental health professional.

A client can go through an onboarding flow which asks them a few questions that help us identify the best professional for them.
At the end of the questions they get a proposal of 3 mental health professionals. They can either choose to book a consult in the next 7 days or (if the professional is online) immediately go into a consult. At the end of this flow, an account is created that they can use later on to track follow-up consults.

The professional uses this app to plan and follow up their consults with BloomUp clients.

The app is available in Dutch only and only for Belgian professionals.
This is the most important part to test.
The back-end server and API live on https://staging-api.bloomup.org (which is also in scope).

Please don’t forget to use your @intigriti.me address.

In scope

Important note
Please make sure you are not creating "professional" accounts on our production environment (app.bloomup.org), as our clients might end up being matched to these bogus profiles. This will diminish the service we provide to our customers and will impact our business, as showing the weird stuff you guys insert (no offence, keep up the good work ;) ) comes across as unprofessional.

Security and privacy are important to both our customers and our mental health professionals. That is why we appeal to all of you to help us out in our quest to become the most secure and privacy-friendly platform in Belgium for mental health professionals.

We've done our best to clean up most of our known issues and now would like to request your help to spot the ones we missed!
We are specifically looking for:

  • Theft of sensitive data
  • Unauthorized modification or deletion of sensitive data
  • Access to other users' online consults
  • Engaging with clients or professionals using a spoofed identity
  • Horizontal / vertical privilege escalation
  • Giving yourself administrator privileges
  • SQLi
  • ...

See the FAQ for how to access the application.

Please do not use the following methods:

  • Brute force of passwords or usernames

Important note
In case of SQLi, only execute sleep() or print out the current version of the database as your proof of concept.

Out of scope

Out-of-scope actions & domains

All other domains outside of the ones listed above are out of scope.

Application

  • Self-XSS that cannot be used to exploit other users
  • Verbose messages/files/directory listings without disclosing any sensitive information
  • CORS misconfiguration on non-sensitive endpoints
  • Missing cookie flags
  • Missing security headers
  • Cross-site Request Forgery with no or low impact
  • Presence of autocomplete attribute on web forms
  • Reverse tabnabbing
  • Bypassing rate limits or the non-existence of rate limits
  • Best practices violations (password complexity, expiration, re-use, etc.)
  • Clickjacking on pages with no sensitive actions
  • CSV Injection
  • Host Header Injection
  • Sessions not being invalidated (logout, enabling 2FA, ..)
  • Hyperlink injection/takeovers
  • Mixed content type issues
  • Cross-domain referer leakage
  • Anything related to email spoofing, SPF, DMARC or DKIM
  • Content injection
  • Username / email enumeration
  • E-mail bombing
  • HTTP Request smuggling without any proven impact
  • Homograph attacks
  • XMLRPC enabled
  • Banner grabbing / Version disclosure
  • Open ports without an accompanying proof-of-concept demonstrating vulnerability
  • Weak SSL configurations and SSL/TLS scan reports
  • Not stripping metadata of images
  • Disclosing API keys without proven impact
  • Same-site scripting
  • Subdomain takeover without actually taking over the subdomain
  • Arbitrary file upload without proof of the existence of the uploaded file

General

  • If a reported vulnerability was already known to the company from its own tests, it will be flagged as a duplicate.
  • Theoretical security issues with no realistic exploit scenario(s) or attack surface, or issues that would require complex end-user interactions to be exploited, may be excluded or lowered in severity
  • Spam, social engineering and physical intrusion
  • DoS/DDoS attacks or brute force attacks
  • Vulnerabilities that are limited to non-current browsers (older than 3 versions) will not be accepted
  • Attacks requiring physical access to a victim's computer/device, man-in-the-middle attacks, or compromised user accounts
  • Recently disclosed zero-day vulnerabilities in commercial products where no patch or only a recent patch (< 2 weeks) is available. We need time to patch our systems just like everyone else - please give us 2 weeks before reporting these types of issues.
  • Reports that state that software is out of date/vulnerable without a proof-of-concept

Severity assessment

Exceptional

  • Access to all customer personal data
  • RCE (Remote Code Execution)

Critical

  • SQL injection

High

  • Stored XSS without user interaction
  • Privilege escalation
  • Authentication bypass on critical infrastructure

Medium

  • XSS
  • CSRF with a significant impact

Low

  • XSS that requires lots of user interaction ( > 3 steps)
  • CSRF with a very limited impact

FAQ

Where can we get credentials for the app?

You can self-register on the application (https://staging.bloomup.org), but please don't forget to use your @intigriti.me address.
For postcodes: entered postcodes are checked against a list of existing postcodes in Belgium (4 digits, ranging from 1000 to 9992), so only existing postcodes are accepted.
An example address is: Weststraat 129, 8370.

If you choose to register as a professional, please let Intigriti support know, so they can ask us to verify your account.

The application is only available in Dutch.


Overall stats

  • Submissions received: 89
  • Accepted submissions: 26
  • Average payout: N/A
  • Total payouts: €0

Last 90 day response times

  • Avg. time to first response: < 16 hours
  • Avg. time to triage: < 2 days
  • Avg. time to decide: < 6 days