Description

Lansweeper is an IT asset management software provider helping businesses better understand, manage and protect their IT devices and network. Lansweeper helps customers minimize risks and optimize their IT assets by providing actionable insight into their IT infrastructure at all times, offering trustworthy, valuable, and accurate insights about the state of users, devices, and software.

Bounties
Low
0.1 - 3.9
Medium
4.0 - 6.9
High
7.0 - 8.9
Critical
9.0 - 9.4
Exceptional
9.5 - 10.0
Tier 1
150
350
1,000
2,500
5,000
Tier 1
€150 - €5,000
Tier 2
100
250
500
1,000
2,000
Tier 2
€100 - €2,000
Tier 3
50
125
250
500
1,000
Tier 3
€50 - €1,000
Rules of engagement
Required
Not applicable
max. 1 request/sec
Not applicable

Our promise to you

  • We will respond to reports as soon as possible
  • We are happy to respond to any questions, please use the button in the right top corner for this.

Your promise to us

  • Provide detailed but to-the point reproduction steps

  • Include a clear attack scenario. How will this affect us exactly?

  • Remember: quality over quantity!

  • Please do not discuss or post vulnerabilities without our consent (including PoC's on YouTube and Vimeo)

  • Please do not discuss or post metadata about vulnerabilities or the company name without our consent.

  • Please do not register public CVEs without our consent

  • Please do not use automatic scanners -be creative and do it yourself! We cannot accept any submissions found by using automatic scanners. Scanners also won't improve your skills, and can cause a high server load (we'd like to put our time in thanking researchers rather than blocking their IP's 😉)

  • The usage of Lansweeper licenses is only to be used for the purpose of ethical hacking, and not to manage your own IT estate.

Domains

edge.lansweeper.com

Tier 1
URL

Domain used during the two-way sync process between the local web console (on-premises software) and the cloud platform.

You can request your trial on our website: https://www.lansweeper.com/download/ but always use "intigriti.me" address for any user account

With this trial you get access to our cloud platform (app.lansweeper.com), our on-premises software and the sync process (edge.lansweeper.com) between these two. You have to install our on-premises software somewhere locally and this will allow you to scan your local network and push the results to the cloud platform via the sync process.

api.lansweeper.com

Tier 2
URL

API used for integrations with our cloud platform (app.lansweeper.com).
More information about our API: https://docs.lansweeper.com/docs

app.lansweeper.com

Tier 2
URL

The cloud Platform, this also includes lecstaticcontent.lansweeper.com

You can request your trial on our website: https://www.lansweeper.com/download/ but always use "intigriti.me" address for any user account

With this trial you get access to our cloud platform (app.lansweeper.com), our on-premises software and the sync process (edge.lansweeper.com) between these two. You have to install our on-premises software somewhere locally and this will allow you to scan your local network and push the results to the cloud platform via the sync process.

backoffice.lansweeper.com

Tier 2
URL

Internal backoffice portal for cloud platform
No authorisation will be given

app.lansweeper.com/trial

Tier 3
URL

Demo site with demo data to test the cloud platform

Always use "intigriti.me" address for any web form

autoupdateapi.lansweeper.com

Tier 3
URL

API for updating on-premise software

docs.lansweeper.com

Tier 3
URL

Lansweeper's technical documentation

login.lansweeper.com

Tier 3
URL

Auth0 identitiy provider for cloud platform.
Always use "intigriti.me" address for any user account

on-premises software

Tier 3
URL

The on-premises software is the latest available version on our website (www.lansweeper.com/changelog).

You can request your trial on our website: https://www.lansweeper.com/download/ but always use "intigriti.me" address for any user account

With this trial you get access to our cloud platform (app.lansweeper.com), our on-premises software and the sync process (edge.lansweeper.com) between these two. You have to install our on-premises software somewhere locally and this will allow you to scan your local network and push the results to the cloud platform via the sync process.

OT scanner

Tier 3
URL

Scanner to discover OT devices.

www.lansweeper.com

Tier 3
URL

Always use "intigriti.me" address for any web form

Out of scope for this domain:
Store.lansweeper.com
www.lansweeper.com/forum
Third-party plug-ins (e.g. Pardot - CleverBridge - Botpress)

*.lansweeper.com

No Bounty
URL

Any other public-facing Lansweeper related URL

In scope

You can request your trial on our website: https://www.lansweeper.com/download/. With this trial you get access to our cloud platform (app.lansweeper.com), our on-premises software and the sync process (edge.lansweeper.com) between these two. You have to install our on-premises software somewhere locally and this will allow you to scan your local network and push the results to the cloud platform via the sync process.

We refer to our embedded What’s new section and our Notification center to be kept updated about the continuous evolution of our platform. You need to log in to our application to see those changes and notifications.

We plan to update our scope regularly so keep an eye on us or subscribe to our program to receive updates when we do!

IMPORTANT NOTES

  • See FAQ for product video, installation, credential and license information
  • Always use your intigriti.me email address, in case this is not respected, your submission will not be eligible for a bounty

Feedback
Would you like to help us improve our program or have some feedback to share, please send your anonymous feedback here:
Program Feedback Link
Please note this form will be checked periodically and should not be used for submission or support queries.

Out of scope

Out of scope domains

  • Third party services or plugins on the in-scope domains, such as:
    • hotjar
    • surveymonkey
    • Cleverbridge (Store.lansweeper.com)
    • Salesforce / Pardot
    • careers.lansweeper.com
    • www.lansweeper.com/forum
    • Old versions of the on-premises software
  • LsPush

Application

  • Wordpress usernames disclosure
  • Pre-Auth Account takeover/OAuth squatting
  • Self-XSS that cannot be used to exploit other users
  • Verbose messages/files/directory listings without disclosing any sensitive information
  • CORS misconfiguration on non-sensitive endpoints
  • Missing cookie flags
  • Missing security headers
  • Cross-site Request Forgery with no or low impact
  • Presence of autocomplete attribute on web forms
  • Reverse tabnabbing
  • Bypassing rate-limits or the non-existence of rate-limits.
  • Best practices violations (password complexity, expiration, re-use, etc.)
  • Clickjacking without proven impact/unrealistic user interaction
  • CSV Injection
  • Sessions not being invalidated (logout, enabling 2FA, etc.)
  • Tokens leaked to third parties
  • Anything related to email spoofing, SPF, DMARC or DKIM
  • Content injection without being able to modify the HTML
  • Username/email enumeration
  • Email bombing
  • HTTP Request smuggling without any proven impact
  • Homograph attacks
  • XMLRPC enabled
  • Banner grabbing/Version disclosure
  • Not stripping metadata of files
  • Same-site scripting
  • Subdomain takeover without taking over the subdomain
  • Arbitrary file upload without proof of the existence of the uploaded file
  • Blind SSRF without proven business impact (pingbacks are not sufficient)
  • Disclosed/misconfigured Google Maps API keys
  • Host header injection without proven business impact

General

  • In case that a reported vulnerability was already known to the company from their own tests, it will be flagged as a duplicate
  • Theoretical security issues with no realistic exploit scenario(s) or attack surfaces, or issues that would require complex end user interactions to be exploited
  • Spam, social engineering and physical intrusion
  • DoS/DDoS attacks or brute force attacks
  • Vulnerabilities that only work on software that no longer receive security updates
  • Attacks requiring physical access to a victim's computer/device, man in the middle or compromised user accounts
  • Recently discovered zero-day vulnerabilities found in in-scope assets within 14 days after the public release of a patch or mitigation may be reported, but are usually not eligible for a bounty
  • Reports that state that software is out of date/vulnerable without a proof-of-concept
Severity assessment

This program follows Intigriti's contextualised cvss standard

FAQ

Where can we get credentials for the cloud application?

You can self-register on the cloud application but please don’t forget to use your @intigriti.me address

How can I install the local Lansweeper installation?

You can download the installation right away from your trial (https://www.lansweeper.com/download/)

Where can we get a license key for the on-premise software?

You can request your trial on our website: https://www.lansweeper.com/download/ but always use "intigriti.me" address for any user account

Where can I get more information about the functionality of the applications?

https://www.lansweeper.com/cloud-platform/adp-onboarding-webinar/
https://vimeo.com/478464790/6dc99939b3 (set-up and synchronize assets)
https://www.lansweeper.com/kb-category/api/index.html
https://www.lansweeper.com/kb (mainly for on-prem software)

What is a site and an installation in the cloud applications?

When registering on the cloud application, you can create your own site(s) for your personal use, and add local Lansweeper installations (multiple are possible) to this site. Adding a local Lansweeper installation is explained in the ADP onboarding webinar (see above).

How can I use a different email address than "intrigiti.me" to test certain features such as SSO?

If you need to use an email address with a domain other than "intigriti.me" you must contact support explaining the reasons for using a different email address and the new one to use.

All aboard!
Please log in or sign up on the platform

For obvious reasons we can only allow submissions or applications for our program with a valid Intigriti account.

It will only take 2 minutes to create a new one or even less to log in with an existing account, so don't hesitate and let's get started. We would be thrilled to have you as part of our community.

Researchers
last contributors
logo
logo
logo
logo
logo
logo
leaderboard
logo
logo
logo
logo
logo
logo
Overall stats
submissions received
260
average payout
€335
accepted submissions
85
total payouts
€20,400
Last 90 day response times
avg. time first response
< 2 days
avg. time to decide
+3 weeks
avg. time to triage
< 3 days
Activity
9/25
logo
created a submission
9/21
Lansweeper
closed a submission
9/20
logo
created a submission
9/20
Lansweeper
closed a submission
9/20
logo
created a submission
8/23
Lansweeper
closed a submission
8/23
Lansweeper
closed a submission
8/22
Lansweeper
accepted a submission
8/22
Lansweeper
accepted a submission
8/21
logo
created a submission