//
Detail Updates Leaderboard
Description

CM.com is a listed company that provides Conversational Commerce services from its hybrid cloud platform with in-house developed software. CM.com’s customer base is spread over 118 countries, generating messages to more than 220 destinations. Customers include Tier 1 enterprises, government agencies, as well as small and medium sized enterprises. We offer API's for most of our products. You may find the documentation here: https://developers.cm.com

Bounties
Low
0.1 - 3.9
Medium
4.0 - 6.9
High
7.0 - 8.9
Critical
9.0 - 9.4
Exceptional
9.5 - 10.0
Tier 1
150
500
1,000
3,000
3,500
Tier 1
€150 - €3,500
Tier 2
100
350
750
2,500
3,000
Tier 2
€100 - €3,000
Tier 3
25
125
500
1,000
2,000
Tier 3
€25 - €2,000
Rules of engagement
Required
Not applicable
max. 2 requests /sec
Not applicable

By participating in this program, you agree to:

  • Respect the Community Code of Conduct
  • Respect the Terms and Conditions
  • Respect the scope of the program
  • Not discuss or disclose vulnerability information without prior written consent (including PoC’s on YouTube and Vimeo)
  • Please do not use automatic scanners -be creative and do it yourself! We cannot accept any submissions found by using automatic scanners. Scanners also won't improve your skills, and can cause a high server load (we'd like to put our time in thanking researchers rather than blocking their IP's 😉)
Domains
tier
type
login.cm.com
Tier 1
URL

*.ticketing.cm.com

Tier 2
Wildcard

Login to your account and go to https://www.cm.com/en-gb/app/ticketing/
From here you can create tickets and much more!
Make sure to take a look at the user-side ticket store as well (https://store.ticketing.cm.com/..)

api.cm.com
Tier 2
URL
api.cmtelecom.com
Tier 2
URL

Some of the applications that are in our scope use our old api.
If you find a bug on this api and it is from a product that is in scope, it is valid.

cm.com/[locale]/app/*

Tier 2
Wildcard
cm.com/[locale]/register
Tier 2
URL
appmiral.com
Tier 3
URL
building-blocks.com
Tier 3
URL
cm.com/app/messagingtrial/
URL

An application that makes it possible for developers to do a limited test of sending messages using the CM.COM business messaging API.

What we would like to know is:

  • Can the application be exploited to allow sending more than the allowed number of messages?
  • Can the app be exploited to send to other recipients besides the whitelisted recipients?
Severity assessment

This programs follows Intigriti's contextual CVSS standard.

FAQ

Where can we get credentials for the app?

You can self-register on the application but please don’t forget to use your @intigriti.me address.

I do not see the Ticketing application in the 9-dot-menu?

That's possible, you can find the appliction by going to https://www.cm.com/en-gb/app/ticketing/

How do I access the Mobile Marketing Cloud?

As of now we don’t proactively provide access to the MMC. You are allowed to request access, but the Security team has no influence in accepting your request.

Where do I find API documentation?

Taak a look at our developer portal!

All aboard!
Please log in or sign up on the platform

For obvious reasons we can only allow submissions or applications for our program with a valid Intigriti account.

It will only take 2 minutes to create a new one or even less to log in with an existing account, so don't hesitate and let's get started. We would be thrilled to have you as part of our community.