⚠️ Do not delete the users / tenants described in this project nor change the password of these accounts ⚠️
We are happy to announce our first bug bounty program!
Help us find those critical and exceptional vulnerabilities, so we can adapt and get better. Remote code executions or data leaks are what we hope to cover.
Below are a few points that cover our whole platform scope, from processing documents to user authentication/authorization, user and company management, and searching the data that was processed.
From a user perspective we have:
This shows us that there is a clear split between exposed services (APIs) and the document processing pipeline. Also take note that the Ops UI is only used internally and is never exposed to a customer.
Our main priorities lie in testing the processing pipeline, which sits closest to the system, and the search, including our schemas and logical segregation.
1. Processing flow -- all the info you need to get started with data
https://youtu.be/BF1bsN2JpBY
This demo will walk you through setting up an integration with a DMS (Document Management System, like Google Drive, SharePoint, …), from which you could possibly inject malicious content into documents coming from an external system.
We analyse and convert these documents with PDFBox (3.0.0-alpha3) and LibreOffice (7.4.1), after which we add the data to our persistence backend (PostgreSQL).
What could go wrong:
- access to other tenants' data
- SQLi
- remote code execution
- whatever you can find to compromise our systems!
We are looking forward to seeing what your creativity can bring to
2. Search API (add-in)
Check out our search API, where you can search the results after injecting your documents through our processing pipeline.
- How does it react to weird data you processed from documents?
- How does it handle input validation, are there some gaps?
Let us know!
3. Other services
Let us know what you can find on:
- our Auth flow
- our Ops dashboard and identity management, be it users or companies and integrations
- our Dashboard, where our customers can add an integration themselves
All in all, we wish to deliver better and more secure software (yes, that marketing fluffiness is also something we strive for) and hope we can count on your help for this.
Keep us on our toes!
https://media.giphy.com/media/dlxZ5qZs91Kx2/giphy.gif