We are looking for security problems in our website, our apps and our internet-facing APIs, exploitable either with a Crisp account or without any account at all. Broadly speaking, this includes any improper manipulation of our business logic and backend software. A non-exhaustive list of examples:
- Any manipulation of pricing/discount logic that allows for getting substantially discounted or free orders.
- Leaks of data belonging to users other than the one accessing the app.
- The ability to claim invite/promotional codes improperly or multiple times.
- The ability to log in as another customer without having that customer's credentials.
- Any achievable SQL injection.
- Any path/filename manipulation that allows backend files to be read or overwritten.
- XSS attacks on crisp.nl or in the app.
- Being able to log in to crisp.kitchen.
- Remote code execution.
We commit to responding within one week to any identified problem(s).
🥞 Our stack
Crisp runs a monolithic backend system. This includes the software that powers our logistics chain (e.g. purchasing products from suppliers, picking and packing items into customer orders), but also the CMS for the 'public' part of the store (entering promotional information and product information, managing customer interactions, etc.). Our backend services are written in PHP and Go; the management system itself is written in JavaScript/TypeScript and React.
Our customers shop through our Android and iOS mobile apps. The apps share a single React Native JavaScript/TypeScript code base.
Our application stack runs on servers hosted on Google Cloud.
- Customer-facing parts (such as crispapp.nl and (www.)crisp.nl) are served by a load balancer in front of a group of worker nodes in a VPC.
- Crisp-internal requests (such as those to crisp.kitchen) are likewise distributed by a load balancer to a separate set of worker nodes in the same VPC.
- The VPC is intentionally difficult to access from the internet: the only entry points are a bastion host (bastion.crisp.services) and the aforementioned load balancers (lb-back.crisp.services and lb-front.crisp.services).
👨‍🏫 Pointers
- Use our semi-hidden web build of the app instead of the native apps.
- Because customers never use this web build, client-side issues on this SPA are out of scope.
- Domains are used primarily for traffic shaping, and the backend is similar on most domains.
- Related issues reported on different domains may therefore be treated as duplicates.
- For crisp.kitchen, only the login page is currently in scope.
- If you are not located in the Netherlands, please use our office's postal code and house number when registering: 1072RG/163.
- You can place an order (iDEAL required) and cancel it through the app immediately afterwards: you will receive a 100% refund the next day.
🥐 Swag & Rewards
We are happy to send a Crisp t-shirt or sweater to anyone who finds a High/Critical/Exceptional issue. Researchers based in the Netherlands may instead opt for a €50 Crisp voucher.