Description

Lansweeper is an IT asset management software provider helping businesses better understand, manage and protect their IT devices and network. Lansweeper helps customers minimize risks and optimize their IT assets by providing actionable insight into their IT infrastructure at all times, offering trustworthy, valuable, and accurate insights about the state of users, devices, and software.

Bounties (by CVSS severity band)

Severity      CVSS         Tier 1     Tier 2     Tier 3
Low           0.1 - 3.9    €150       €100       €50
Medium        4.0 - 6.9    €350       €250       €125
High          7.0 - 8.9    €1,500     €750       €250
Critical      9.0 - 9.4    €3,500     €1,500     €500
Exceptional   9.5 - 10.0   €6,000     €2,500     €1,000

Tier 1: €150 - €6,000 | Tier 2: €100 - €2,500 | Tier 3: €50 - €1,000
Rules of engagement
Required
Not applicable
max. 5 requests/sec
Not applicable

Our promise to you

  • We will respond to reports as soon as possible
  • We are happy to respond to any questions, please use the button in the right top corner for this.

Your promise to us

  • Provide detailed but to-the point reproduction steps

  • Include a clear attack scenario. How will this affect us exactly?

  • Remember: quality over quantity!

  • Please do not discuss or post vulnerabilities without our consent (including PoC's on YouTube and Vimeo)

  • Please do not discuss or post metadata about vulnerabilities or the company name without our consent.

  • Please do not register public CVEs without our consent

  • Please do not use automatic scanners - be creative and do it yourself! We cannot accept any submissions found by using automatic scanners. Scanners also won't improve your skills, and they can cause a high server load (we'd rather spend our time thanking researchers than blocking their IPs 😉)

  • Lansweeper licenses obtained through this program may only be used for ethical hacking against the in-scope assets, not to manage your own IT estate.
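The rules of engagement cap testing at 5 requests per second, and the scanner rule above exists largely because of server load. The following is an added example, not code from the Intigriti page or from Lansweeper: a small sliding-window throttle that any hand-written test harness can sit behind so it never exceeds the limit, with an injectable clock so the schedule can be verified offline. The class and function names, the `MAX_REQUESTS_PER_SEC` constant and the User-Agent string are this example's own assumptions, not program requirements.

```python
"""Client-side request throttle for staying within the programme's
rules of engagement (max. 5 requests/sec).  Added illustration; not part
of the Intigriti page or of any Lansweeper tooling.  All names below are
the example's own assumptions."""
import time
import threading
import urllib.request
from collections import deque

MAX_REQUESTS_PER_SEC = 5  # the limit stated in the rules of engagement


class RequestThrottle:
    """Sliding-window limiter: at most `max_calls` calls in any `period` seconds.

    `clock` and `sleep` are injectable so the behaviour can be simulated
    deterministically (see `simulate_schedule`) instead of relying on wall time.
    """

    def __init__(self, max_calls=MAX_REQUESTS_PER_SEC, period=1.0,
                 clock=time.monotonic, sleep=time.sleep):
        self.max_calls = max_calls
        self.period = period
        self._clock = clock
        self._sleep = sleep
        self._sent = deque()           # timestamps of calls still inside the window
        self._lock = threading.Lock()  # safe to share between worker threads

    def _drop_expired(self, now):
        while self._sent and now - self._sent[0] >= self.period:
            self._sent.popleft()

    def acquire(self):
        """Block until a call is permitted; returns the timestamp it was granted."""
        with self._lock:
            now = self._clock()
            self._drop_expired(now)
            if len(self._sent) >= self.max_calls:
                # The oldest call in the window leaves it at _sent[0] + period.
                self._sleep(self._sent[0] + self.period - now)
                now = self._clock()
                self._drop_expired(now)
            self._sent.append(now)
            return now


def throttled_get(url, throttle, timeout=10):
    """Perform one GET through the throttle (real network; not used by the checks)."""
    throttle.acquire()
    req = urllib.request.Request(url, headers={"User-Agent": "intigriti-research"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status, resp.read()


def simulate_schedule(n_calls, max_calls=MAX_REQUESTS_PER_SEC, period=1.0):
    """Run `n_calls` acquisitions against a fake clock and return the
    simulated timestamps at which each call was released."""
    state = {"t": 0.0}

    def fake_clock():
        return state["t"]

    def fake_sleep(seconds):
        state["t"] += seconds  # sleeping only advances simulated time

    throttle = RequestThrottle(max_calls, period, clock=fake_clock, sleep=fake_sleep)
    return [throttle.acquire() for _ in range(n_calls)]


def max_calls_in_any_window(timestamps, period=1.0):
    """Worst-case number of calls inside any `period`-second window."""
    worst = 0
    for i, start in enumerate(timestamps):
        count = sum(1 for t in timestamps[i:] if t - start < period)
        worst = max(worst, count)
    return worst


if __name__ == "__main__":
    sched = simulate_schedule(12)
    print("release times:", sched)
    print("max per 1s window:", max_calls_in_any_window(sched))
```

Twelve simulated calls are released at 0 s (five), 1 s (five) and 2 s (two), so no one-second window ever holds more than five requests. Share one `RequestThrottle` instance across all threads of a harness; per-thread instances would multiply the effective rate.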

Domains

edge.lansweeper.com (Tier 1, URL)

Domain used during the two-way sync process between the local web console (on-premises software) and the cloud platform.

You can request your trial on our website: https://www.lansweeper.com/download/ but always use an "intigriti.me" address for any user account.

With this trial you get access to our cloud platform (app.lansweeper.com), our on-premises software and the sync process (edge.lansweeper.com) between the two. You have to install the on-premises software somewhere locally; it scans your local network and pushes the results to the cloud platform via the sync process.

api.lansweeper.com (Tier 2, URL)

API used for integrations with our cloud platform (app.lansweeper.com).
More information about our API: https://docs.lansweeper.com/docs

app.lansweeper.com (Tier 2, URL)

The cloud platform; this asset also includes lecstaticcontent.lansweeper.com.

Trial access and the "intigriti.me" requirement are described under edge.lansweeper.com above.

backoffice.lansweeper.com (Tier 2, URL)

Internal backoffice portal for the cloud platform.
No authorisation will be given for this portal.

https://lsagentrelay.lansweeper.com/ (Tier 2, URL)

Our cloud relay server, used by LsAgent. If the computers you are scanning have no direct connection to your Lansweeper installation, scanned LsAgent data can be sent to our relay server in the cloud instead.

LsAgent is a cross-platform scanning agent that can scan computers both inside and outside your network. It automatically collects an inventory of the computer it is installed on and sends the data back to the Lansweeper installation, optionally through the relay server in the cloud.

The relay must be explicitly enabled in the Lansweeper web console; it is not enabled by default. Scanned LsAgent data is sent over HTTPS (TLS 1.2) to the relay server in Microsoft Azure, where it is also stored encrypted. Your Lansweeper scanning server retrieves the scanned data from the relay, after which it is deleted from the relay. To use the relay, allow outbound traffic from your Lansweeper scanning server: specifically, the scanning server must be able to open an outbound connection to port 443 of lsagentrelay.lansweeper.com.

More information about LsAgent can be found on our website: https://community.lansweeper.com/t5/scanning-your-network/introduction-to-lsagent-for-windows-linux-and-mac/ta-p/64473

app.lansweeper.com/trial (Tier 3, URL)

Demo site with demo data for testing the cloud platform.

Always use an "intigriti.me" address in any web form.

autoupdateapi.lansweeper.com (Tier 3, URL)

API used to update the on-premises software.

docs.lansweeper.com (Tier 3, URL)

Lansweeper's technical documentation

login.lansweeper.com (Tier 3, URL)

Auth0 identity provider for the cloud platform.
Always use an "intigriti.me" address for any user account.

on-premises software (Tier 3, URL)

Only the latest version of the on-premises software available on our website (www.lansweeper.com/changelog) is in scope.

Trial access and the "intigriti.me" requirement are described under edge.lansweeper.com above.

OT scanner (Tier 3, URL)

Scanner to discover OT devices.

www.lansweeper.com (Tier 3, URL)

Always use an "intigriti.me" address in any web form.

Out of scope for this domain:
  • store.lansweeper.com
  • www.lansweeper.com/forum
  • Third-party plug-ins (e.g. Pardot, CleverBridge, Botpress)

*.lansweeper.com (Wildcard, no bounty)

Any other public-facing Lansweeper related URL

careers.lansweeper.com (Out of scope, URL)

www.lansweeper.com/forum (Out of scope, URL)

In scope

You can request your trial on our website: https://www.lansweeper.com/download/. With this trial you get access to our cloud platform (app.lansweeper.com), our on-premises software and the sync process (edge.lansweeper.com) between the two. You have to install the on-premises software somewhere locally; it scans your local network and pushes the results to the cloud platform via the sync process.

To stay informed about the continuous evolution of our platform, see the embedded What's new section and the Notification center. You need to log in to the application to see those changes and notifications.

We plan to update our scope regularly so keep an eye on us or subscribe to our program to receive updates when we do!

IMPORTANT NOTES

  • See FAQ for product video, installation, credential and license information
  • Always use your intigriti.me email address; if this is not respected, your submission will not be eligible for a bounty

Feedback
Would you like to help us improve our program or have some feedback to share, please send your anonymous feedback here:
Program Feedback Link
Please note this form will be checked periodically and should not be used for submission or support queries.

Out of scope

Out of scope domains

  • Third-party services or plugins on the in-scope domains, such as:
    • Hotjar
    • SurveyMonkey
    • Cleverbridge (store.lansweeper.com)
    • Salesforce / Pardot
  • careers.lansweeper.com
  • www.lansweeper.com/forum
  • Old versions of the on-premises software
  • LsPush

Application

  • API key disclosure without proven business impact
  • Wordpress usernames disclosure
  • Pre-Auth Account takeover/OAuth squatting
  • Self-XSS that cannot be used to exploit other users
  • Verbose messages/files/directory listings without disclosing any sensitive information
  • CORS misconfiguration on non-sensitive endpoints
  • Missing cookie flags
  • Missing security headers
  • Cross-site Request Forgery with no or low impact
  • Presence of autocomplete attribute on web forms
  • Reverse tabnabbing
  • Bypassing rate-limits or the non-existence of rate-limits
  • Best practices violations (password complexity, expiration, re-use, etc.)
  • Clickjacking without proven impact/unrealistic user interaction
  • CSV Injection
  • Sessions not being invalidated (logout, enabling 2FA, etc.)
  • Tokens leaked to third parties
  • Anything related to email spoofing, SPF, DMARC or DKIM
  • Content injection without being able to modify the HTML
  • Username/email enumeration
  • Email bombing
  • HTTP Request smuggling without any proven impact
  • Homograph attacks
  • XMLRPC enabled
  • Banner grabbing/Version disclosure
  • Not stripping metadata of files
  • Same-site scripting
  • Subdomain takeover without taking over the subdomain
  • Arbitrary file upload without proof of the existence of the uploaded file
  • Blind SSRF without proven business impact (pingbacks are not sufficient)
  • Disclosed/misconfigured Google Maps API keys
  • Host header injection without proven business impact

General

  • In case that a reported vulnerability was already known to the company from their own tests, it will be flagged as a duplicate
  • Theoretical security issues with no realistic exploit scenario(s) or attack surfaces, or issues that would require complex end user interactions to be exploited
  • Spam, social engineering and physical intrusion
  • DoS/DDoS attacks or brute force attacks
  • Vulnerabilities that only work on software that no longer receive security updates
  • Attacks requiring physical access to a victim's computer/device, man in the middle or compromised user accounts
  • Recently discovered zero-day vulnerabilities found in in-scope assets within 14 days after the public release of a patch or mitigation may be reported, but are usually not eligible for a bounty
  • Reports that state that software is out of date/vulnerable without a proof-of-concept

Severity assessment

This program follows Intigriti's contextualised CVSS standard.

FAQ

Where can we get credentials for the cloud application?

You can self-register on the cloud application, but please don't forget to use your @intigriti.me address.

How can I install the local Lansweeper installation?

You can download the installer directly from your trial (https://www.lansweeper.com/download/).

Where can we get a license key for the on-premise software?

You can request your trial on our website: https://www.lansweeper.com/download/ but always use an "intigriti.me" address for any user account.

Where can I get more information about the functionality of the applications?

https://www.lansweeper.com/cloud-platform/adp-onboarding-webinar/
https://vimeo.com/478464790/6dc99939b3 (set-up and synchronize assets)
https://www.lansweeper.com/kb-category/api/index.html
https://www.lansweeper.com/kb (mainly for on-prem software)

What is a site and an installation in the cloud applications?

When registering on the cloud application, you can create your own site(s) for your personal use, and add local Lansweeper installations (multiple are possible) to this site. Adding a local Lansweeper installation is explained in the ADP onboarding webinar (see above).

How can I use a different email address than "intigriti.me" to test certain features such as SSO?

If you need to use an email address with a domain other than "intigriti.me", contact support, explain why a different address is needed and state the address you intend to use.

Overall stats

  • Submissions received: 320
  • Accepted submissions: 96
  • Average payout: €308
  • Total payouts: €21,225

Last 90 day response times

  • Avg. time to first response: < 2 days
  • Avg. time to triage: < 3 days
  • Avg. time to decide: +3 weeks