Description

Lansweeper is an IT asset management software provider helping businesses better understand, manage and protect their IT devices and network. Lansweeper helps customers minimize risks and optimize their IT assets by providing actionable insight into their IT infrastructure at all times, offering trustworthy, valuable, and accurate insights about the state of users, devices, and software.

Bounties
Low
0.1 - 3.9
Medium
4.0 - 6.9
High
7.0 - 8.9
Critical
9.0 - 9.4
Exceptional
9.5 - 10.0
Tier 1
โ‚ฌ
150
350
1,500
3,500
6,000
Tier 1
โ‚ฌ150 - โ‚ฌ6,000
Tier 2
โ‚ฌ
100
250
750
1,500
2,500
Tier 2
โ‚ฌ100 - โ‚ฌ2,500
Tier 3
โ‚ฌ
50
125
250
500
1,000
Tier 3
โ‚ฌ50 - โ‚ฌ1,000
Rules of engagement
Required
Not applicable
max. 5 requests/sec
Not applicable

Our promise to you

  • We will respond to reports as soon as possible
  • We are happy to respond to any questions, please use the button in the right top corner for this.

Your promise to us

  • Provide detailed but to-the point reproduction steps

  • Include a clear attack scenario. How will this affect us exactly?

  • Remember: quality over quantity!

  • Please do not discuss or post vulnerabilities without our consent (including PoC's on YouTube and Vimeo)

  • Please do not discuss or post metadata about vulnerabilities or the company name without our consent.

  • Please do not register public CVEs without our consent

  • Please do not use automatic scanners -be creative and do it yourself! We cannot accept any submissions found by using automatic scanners. Scanners also won't improve your skills, and can cause a high server load (we'd like to put our time in thanking researchers rather than blocking their IP's ๐Ÿ˜‰)

  • The usage of Lansweeper licenses is only to be used for the purpose of ethical hacking, and not to manage your own IT estate.

Domains

Domain used during the two-way sync process between the local web console (on-premises software) and the cloud platform.

You can request your trial on our website: https://www.lansweeper.com/download/ but always use "intigriti.me" address for any user account

With this trial you get access to our cloud platform (app.lansweeper.com), our on-premises software and the sync process (edge.lansweeper.com) between these two. You have to install our on-premises software somewhere locally and this will allow you to scan your local network and push the results to the cloud platform via the sync process.

API used for integrations with our cloud platform (app.lansweeper.com).
More information about our API: https://docs.lansweeper.com/docs

The cloud Platform, this also includes lecstaticcontent.lansweeper.com

You can request your trial on our website: https://www.lansweeper.com/download/ but always use "intigriti.me" address for any user account

With this trial you get access to our cloud platform (app.lansweeper.com), our on-premises software and the sync process (edge.lansweeper.com) between these two. You have to install our on-premises software somewhere locally and this will allow you to scan your local network and push the results to the cloud platform via the sync process.

Internal backoffice portal for cloud platform
No authorisation will be given

Our cloud relay server connection using LsAgent. If the computers you're scanning do not have a direct connection to your Lansweeper installation, scanned LsAgent data can be sent to our relay server in the cloud.

Our LsAgent is a cross-platform scanning agent that can scan computers both inside and outside of your network. It automatically collects an inventory from the computer it's installed on and sends the data back to the Lansweeper installation, this can be done through our relay server in the cloud.

For this, you must enable relay access in your Lansweeper installation.
Scanned LsAgent data is sent securely over HTTPS (TLS 1.2) to the relay server in Microsoft Azure, where it is encrypted as well. Your Lansweeper scanning server can retrieve the scanned data from the relay server, after which it is deleted from the relay. In order to use the relay server, make sure outbound traffic is allowed on your Lansweeper scanning server. Specifically, the scanning server must be able to make an outbound connection to port 443 of lsagentrelay.lansweeper.com, the cloud relay server.

More information about LsAgent can be found on our website: https://community.lansweeper.com/t5/scanning-your-network/introduction-to-lsagent-for-windows-linux-and-mac/ta-p/64473

The use of the relay server must explicitly be enabled in the Lansweeper web console. It is not enabled by default!

Demo site with demo data to test the cloud platform

Always use "intigriti.me" address for any web form

API for updating on-premise software

Lansweeper's technical documentation

Auth0 identitiy provider for cloud platform.
Always use "intigriti.me" address for any user account

The on-premises software is the latest available version on our website (www.lansweeper.com/changelog).

You can request your trial on our website: https://www.lansweeper.com/download/ but always use "intigriti.me" address for any user account

With this trial you get access to our cloud platform (app.lansweeper.com), our on-premises software and the sync process (edge.lansweeper.com) between these two. You have to install our on-premises software somewhere locally and this will allow you to scan your local network and push the results to the cloud platform via the sync process.

URL

Scanner to discover OT devices.

Always use "intigriti.me" address for any web form

Out of scope for this domain:
Store.lansweeper.com
www.lansweeper.com/forum
Third-party plug-ins (e.g. Pardot - CleverBridge - Botpress)

*.lansweeper.com

No bounty
Wildcard

Any other public-facing Lansweeper related URL

lsrunase2.0 and lsencrypt2.0

Out of scope
Other
URL
In scope

You can request your trial on our website: https://www.lansweeper.com/download/. With this trial you get access to our cloud platform (app.lansweeper.com), our on-premises software and the sync process (edge.lansweeper.com) between these two. You have to install our on-premises software somewhere locally and this will allow you to scan your local network and push the results to the cloud platform via the sync process.

We refer to our embedded Whatโ€™s new section and our Notification center to be kept updated about the continuous evolution of our platform. You need to log in to our application to see those changes and notifications.

We plan to update our scope regularly so keep an eye on us or subscribe to our program to receive updates when we do!

IMPORTANT NOTES

  • See FAQ for product video, installation, credential and license information
  • Always use your intigriti.me email address, in case this is not respected, your submission will not be eligible for a bounty

Feedback
Would you like to help us improve our program or have some feedback to share, please send your anonymous feedback here:
Program Feedback Link
Please note this form will be checked periodically and should not be used for submission or support queries.

Out of scope

Out of scope domains

  • Third party services or plugins on the in-scope domains, such as:
    • hotjar
    • surveymonkey
    • Cleverbridge (Store.lansweeper.com)
    • Salesforce / Pardot
    • careers.lansweeper.com
    • www.lansweeper.com/forum
    • Old versions of the on-premises software
  • LsPush

Application

  • API key disclosure without proven business impact
  • Wordpress usernames disclosure
  • Pre-Auth Account takeover/OAuth squatting
  • Self-XSS that cannot be used to exploit other users
  • Verbose messages/files/directory listings without disclosing any sensitive information
  • CORS misconfiguration on non-sensitive endpoints
  • Missing cookie flags
  • Missing security headers
  • Cross-site Request Forgery with no or low impact
  • Presence of autocomplete attribute on web forms
  • Reverse tabnabbing
  • Bypassing rate-limits or the non-existence of rate-limits.
  • Best practices violations (password complexity, expiration, re-use, etc.)
  • Clickjacking without proven impact/unrealistic user interaction
  • CSV Injection
  • Sessions not being invalidated (logout, enabling 2FA, etc.)
  • Tokens leaked to third parties
  • Anything related to email spoofing, SPF, DMARC or DKIM
  • Content injection without being able to modify the HTML
  • Username/email enumeration
  • Email bombing
  • HTTP Request smuggling without any proven impact
  • Homograph attacks
  • XMLRPC enabled
  • Banner grabbing/Version disclosure
  • Not stripping metadata of files
  • Same-site scripting
  • Subdomain takeover without taking over the subdomain
  • Arbitrary file upload without proof of the existence of the uploaded file
  • Blind SSRF without proven business impact (pingbacks are not sufficient)
  • Disclosed/misconfigured Google Maps API keys
  • Host header injection without proven business impact

General

  • In case that a reported vulnerability was already known to the company from their own tests, it will be flagged as a duplicate
  • Theoretical security issues with no realistic exploit scenario(s) or attack surfaces, or issues that would require complex end user interactions to be exploited
  • Spam, social engineering and physical intrusion
  • DoS/DDoS attacks or brute force attacks
  • Vulnerabilities that only work on software that no longer receive security updates
  • Attacks requiring physical access to a victim's computer/device, man in the middle or compromised user accounts
  • Recently discovered zero-day vulnerabilities found in in-scope assets within 14 days after the public release of a patch or mitigation may be reported, but are usually not eligible for a bounty
  • Reports that state that software is out of date/vulnerable without a proof-of-concept
Severity assessment

This program follows Intigriti's contextualised cvss standard

FAQ

Where can we get credentials for the cloud application?

You can self-register on the cloud application but please donโ€™t forget to use your @intigriti.me address

How can I install the local Lansweeper installation?

You can download the installation right away from your trial (https://www.lansweeper.com/download/)

Where can we get a license key for the on-premise software?

You can request your trial on our website: https://www.lansweeper.com/download/ but always use "intigriti.me" address for any user account

Where can I get more information about the functionality of the applications?

https://www.lansweeper.com/cloud-platform/adp-onboarding-webinar/
https://vimeo.com/478464790/6dc99939b3 (set-up and synchronize assets)
https://www.lansweeper.com/kb-category/api/index.html
https://www.lansweeper.com/kb (mainly for on-prem software)

What is a site and an installation in the cloud applications?

When registering on the cloud application, you can create your own site(s) for your personal use, and add local Lansweeper installations (multiple are possible) to this site. Adding a local Lansweeper installation is explained in the ADP onboarding webinar (see above).

How can I use a different email address than "intrigiti.me" to test certain features such as SSO?

If you need to use an email address with a domain other than "intigriti.me" you must contact support explaining the reasons for using a different email address and the new one to use.

All aboard!
Please log in or sign up on the platform

For obvious reasons we can only allow submissions or applications for our program with a valid Intigriti account.

It will only take 2 minutes to create a new one or even less to log in with an existing account, so don't hesitate and let's get started. We would be thrilled to have you as part of our community.

Overall stats
submissions received
414
average payout
โ‚ฌ261
accepted submissions
132
total payouts
โ‚ฌ27,375
Last 90 day response times
avg. time first response
< 3 days
avg. time to decide
+3 weeks
avg. time to triage
< 4 days
Activity
11/21
Lansweeper
closed a submission
11/14
Lansweeper
closed a submission
11/14
Lansweeper
closed a submission
11/13
logo
akash_raval
created a submission
11/13
logo
amahrou1
created a submission
11/12
logo
dexter404
created a submission
11/12
logo
shaurya1337
created a submission
11/12
Lansweeper
accepted a submission
11/9
logo
amahrou1
created a submission
11/9
logo
amahrou1
created a submission