FREEPIK VDP - Bug Bounty Program

Description

Freepik’s mission is to push the boundaries of artificial intelligence to empower creativity worldwide. We are developing cutting-edge AI projects that reimagine how people create, design, and interact with visual content, making creativity more accessible, faster, and smarter. While innovation is at the core of what we do, we also recognize the importance of building securely. We value the work of the security research community in making the internet a safer place. Although our dedicated team applies the best security practices to prevent potential vulnerabilities, we want to open the door for the community to contribute to this effort.

Bounties

This is a responsible disclosure program without bounties.

Rules of engagement

@intigriti.me

Required

User agent

Not applicable

Automated tooling

max. 10 requests /sec

Request header

Not applicable

By participating in this program, you agree to:

Respect the Community Code of Conduct
Respect the Intigriti Terms and Conditions
Respect the scope of the program
Not discuss or disclose vulnerability information without prior written consent (including PoC's on YouTube and Vimeo)

SLA internally

We will validate all submissions within the below timelines (once your submission has been verified by Intigriti):

Exceptional: 5 working days
Critical: 5 working day
High: 7 working days
Medium: 7 working days
Low: 7 working days

Working days = Mon-Fri, 9am-5pm
Saturday, Sunday, and public holidays: closed

Safe harbour for researchers is applied

Assets

Freepik

Tier 2

Other

API

Cloud Hacking

Mobile Hacking

Network / Infrastructure

Web Hacking

Source Code Review

Only assets directly related to the company are considered in-scope.

In scope

Our worst-case scenarios are:

SQL Injection
RCE
Account Takeover without third party interaction

Additional Information:

Make a good faith effort to avoid privacy violations, destruction of data, and interruption
or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.

Out of scope

Highlighted

CORS misconfigurations on contributor.flaticon.com
Open Redirect in Salesforce endpoints
Buy of educational account instead of normal ones
Leaks from databases external to freepik that do not contain passwords of company workers
Race Condition related to Downloads of generate AI content

Application

API key disclosure without proven business impact
Pre-auth account takeover / oauth squatting
Self-XSS that cannot be used to exploit other users
Verbose messages/files/directory listings without disclosing any sensitive information
CORS misconfiguration on non-sensitive endpoints
Missing cookie flags
Missing security headers
Cross-site Request Forgery (CSRF) with no or low impact
Cross-Site Request Forgery (CSRF) when targeted to a single user, where the payload
needs to include a userID, document ID, or similar
Presence of autocomplete attribute on web forms
Reverse tabnabbing
Bypassing rate-limits or the non-existence of rate-limits.
Best practices violations (password complexity, expiration, re-use, etc.)
Clickjacking on pages with no sensitive actions
CSV Injection
Blind SSRF without proven business impact (DNS pingback only is not sufficient)
Disclosed and/or misconfigured Google API key (including maps)
Host header injection without proven business impact
Sessions not being invalidated (logout, enabling 2FA, ..)
Hyperlink injection/takeovers
Mixed content type issues
Cross-domain referer leakage
Anything related to email spoofing, SPF, DMARC or DKIM
Content injection
Username / email enumeration
E-mail bombing
HTTP Request smuggling without any proven impact
Homograph attacks
XMLRPC enabled
Banner grabbing / Version disclosure
Open ports without an accompanying proof-of-concept demonstrating vulnerability
Weak SSL configurations and SSL/TLS scan reports
Not stripping metadata of images
Disclosing API keys without proven impact
Same-site scripting
Subdomain takeover without taken over the subdomain
Arbitrary file upload without proof of the existence of the uploaded file
Previously known vulnerable libraries without a working Proof of Concept
Missing best practices in Content Security Policy (CSP)
Session invalidation at reset password
Descriptive error messages or headers (e.g. stack traces, application or server errors)

General

In case that a reported vulnerability was already known to the company from their own tests, it will be flagged as a duplicate
Theoretical security issues with no realistic exploit scenario(s) or attack surfaces, or issues that would require complex end user interactions to be exploited, may be excluded or be lowered in severity
Spam, social engineering and physical intrusion
DoS/DDoS attacks or brute force attacks
Vulnerabilities that are limited to non-current browsers (older than 3 versions) will not be accepted
Attacks requiring physical access to a victim’s computer/device, man in the middle or compromised user accounts
Reports that state that software is out of date/vulnerable without a proof-of-concept

Severity assessment

This program follows Intigriti's triage standards

FAQ

Where can we get credentials for the app?

You can self-register on the application but please don’t forget to use your @intigriti.me address.

All aboard!

Please log in or sign up on the platform

For obvious reasons we can only allow submissions or applications for our program with a valid Intigriti account.

It will only take 2 minutes to create a new one or even less to log in with an existing account, so don't hesitate and let's get started. We would be thrilled to have you as part of our community.

Program specifics

No collaboration

Researchers

last contributors