We are looking to find security problems in our website, our apps and world-facing APIs, exploitable with a Crisp account or without an account at all. Broadly speaking, this includes any improper manipulation of our business logic and backend software. A non-exhaustive list of examples:
- Any manipulation of pricing/discount logic that allows for getting substantially discounted or free orders.
- Leaks of other users' data than the user accessing the app.
- The ability to claim invite/promotional codes improperly or multiple times.
- The ability to log in as another customer without having that customer's credentials.
- Any achievable SQL injection attack.
- Any path/filename manipulation attacks that allow backend files to be read or overwritten.
- XSS attacks on crisp.nl or in the app.
- Being able to log in on crisp.kitchen.
- Remote code execution.
We commit to responding within 1 week to any identified problem(s).
Our application stack runs on servers hosted at Google Cloud.
- Customer-facing parts (such as crispapp.nl and (www.)crisp.nl) are reached through a load balancer that forwards to a group of worker nodes in a VPC.
- Crisp-internal requests (such as to crisp.kitchen) are also distributed by a load balancer to a separate set of worker nodes running on the same VPC.
- The VPC is intentionally difficult to access from the internet: the only entry points are a bastion host (bastion.crisp.services) and the aforementioned load balancers (lb-back.crisp.services and lb-front.crisp.services).
- Use our semi-hidden web build of the app instead of the native apps.
- Because customers never use this web build, client-side issues on this SPA are out of scope.
- Domains are used primarily for traffic shaping; the backend is largely the same on most domains.
- Related issues on different domains might be treated as duplicates.
- For crisp.kitchen, only the login page is currently in scope.
- If you are not located in the Netherlands, please use our office's postal code and house number when registering: 1072RG/163.
- You can place an order (iDEAL payment required) and cancel it in the app immediately afterwards: you will receive a 100% refund the next day.
🥐 Swag & Rewards
We are happy to send a Crisp t-shirt or sweater to anyone who finds a High/Critical/Exceptional issue, or, for researchers based in the Netherlands, optionally a €50 Crisp voucher.