Description

At PDQ our mission is to make device management simple, secure, and pretty damn quick. We know how important the security of our products is. We're a bunch of former sysadmins ourselves. Every decision we make revolves around ensuring our products are safe to use for managing your devices, which is why we have a bug bounty program. It’s a true win-win: We improve the security of our products, and you reap the rewards.

Bounties
Low
0.1 - 3.9
Medium
4.0 - 6.9
High
7.0 - 8.9
Critical
9.0 - 9.4
Exceptional
9.5 - 10.0
Tier 2
100
500
1,250
3,000
3,500
Tier 2
€100 - €3,500
Tier 3
50
325
625
1,000
1,250
Tier 3
€50 - €1,250
Rules of engagement
Required
Not applicable
max. 5 requests/sec
Not applicable

Guidelines

  • Do not perform scans. Scanning is strictly prohibited.
  • Prioritize quality over quantity.
  • Provide detailed but to-the-point reproduction steps.
  • Include a clear attack scenario and a step-by-step guide in the PoC.
  • Don’t discuss bugs before we fix them.

Safe harbor for reasearchers
PDQ considers ethical hacking conducted following the established guidelines to constitute authorized conduct under criminal law. PDQ won't pursue civil action or file a complaint for accidental, good faith violations. Similarly, PDQ won’t file a complaint for circumventing its technological measures used to protect the scope as part of your ethical hacking.
If a third party initiates legal action against you and you have complied with the agreed upon terms, PDQ will verify your actions were conducted with our approval in compliance with our guidelines.

Requirements

  • An @intigriti.me email must be used when registering for any accounts while testing as a security researcher.

By participating in this program, you agree to:

  • Respect the Community Code of Conduct
  • Respect the PDQ Terms of Use
  • Respect the scope of the program
  • Not discuss or disclose vulnerability information without prior written consent (including PoCs on YouTube and Vimeo)

License management

  • Please destroy any licenses generated during your testing.

Disclaimer

PDQ reserves the right to change or modify the terms of this program at any time. You may not participate in this program if you are a resident or individual located within a country appearing on any U.S. sanctions lists (e.g. Iran, North Korea, etc.), such as the lists administered by the U.S. Department of the Treasury’s OFAC.

Domains

Production environment for SimpleMDM — please take care not to disrupt any services when testing

Test environment for our authentication tool

Test environment for our Package Library

Test environment for PDQ Connect

Test environment for our billing portal

https://*.pdq.com/

Out of scope
Wildcard

https://*.simplemdm.com/

Out of scope
Wildcard

https://*.smartdeploy.com/

Out of scope
Wildcard

Test environment for PDQ Detect

In scope

With this project, we aim to test and increase the security of our cloud environment. At the moment, this excludes our on-prem software, PDQ Deploy & Inventory and SmartDeploy.
Our worst-case scenarios are:

  • Connect
    • Authentication bypass
    • Customer data exfiltration
  • Package Library
    • Data tampering
  • SimpleMDM
    • Authentication bypass
    • Customer data exfiltration
    • Device hijacking
    • Device impersonation
  • Portal
    • PCI leaks
    • Customer data exfiltration
    • License abuse
  • Authentication
    • Privilege escalation
    • Authentication bypass

Feedback

Would you like to help us improve our program, or do you have some feedback to share? Please send your anonymous feedback via our program feedback form.
Please note that we'll check this form periodically, and it should not be used for submission or support queries.

Out of scope

Application

  • Arbitrary file upload lacking proof of the existence of the uploaded file
  • Blind SSRF with no proven business impact (pingbacks do not suffice)
  • CORS misconfiguration on nonsensitive endpoints
  • Clickjacking without proven impact or with unrealistic user interaction
  • Content injection without ability to modify the HTML
  • Cross-site request forgery with little to no impact
  • Email bombing
  • Email spoofing, SPF, DMARC, DKIM, or related anything related
  • HTTP request smuggling without proven impact
  • Host header injection lacking proven business impact
  • Missing cookie flags
  • Missing security headers
  • Not stripping metadata of files
  • Pre-auth account takeover & OAuth squatting
  • Presence of autocomplete attribute on web forms
  • Same-site scripting
  • Self-XSS unusable to exploit other users
  • Verbose messages, files, and directory listings without disclosing sensitive information
  • Violations of best practices (password complexity, expiration, reuse, etc.)
  • XMLRPC enabled

General

  • Attacks requiring physical access to the target computer/device, machine-in-the-middle, or compromised user accounts
  • Brute force attacks
  • DoS/DDoS attacks
  • Issues that would require complex end-user interactions for exploitation
  • Recently discovered zero-day vulnerabilities found within 14 days of the public release of a patch or mitigation (these may be reported but are usually ineligible for a bounty)
  • Reported vulnerabilities already known to PDQ from our own tests (will be flagged as a duplicate)
  • Reports that software is out of date/vulnerable without a proof of concept
  • Spam, social engineering, and physical intrusion
  • Theoretical security issues that are not realistically exploitable
  • Vulnerabilities that only work on end-of-life software

Infrastructure

  • Open ports without proof of concept demonstrating a vulnerability
  • Recently disclosed zero-day vulnerabilities in commercial products where no patch is available or a patch was released less than 2 weeks ago
    • Like everyone, we need time to patch our systems — please give us 2 weeks before reporting these types of issues
  • SSL/TLS scan reports and weak/expired SSL configurations
    • Output from sites like SSL Labs
Severity assessment

We use our contextual CVSS standard, using CVSSv3 as a scoring system and applying a business impact modifier if needed.

FAQ

How do I test purchases?

For completing test purchases we ask that you use an approved test card.

How do I sign up for a test account for your products?

Use your @intigriti.me email to sign up for a trial account for any of our products by visiting the site listed for that product.
For our authentication service, you can sign up for a staging account here.

All aboard!
Please log in or sign up on the platform

For obvious reasons we can only allow submissions or applications for our program with a valid Intigriti account.

It will only take 2 minutes to create a new one or even less to log in with an existing account, so don't hesitate and let's get started. We would be thrilled to have you as part of our community.

Overall stats
submissions received
193
average payout
€652
accepted submissions
46
total payouts
€26,075
Last 90 day response times
avg. time first response
< 3 days
avg. time to decide
+3 weeks
avg. time to triage
< 3 days
Activity
12/17
PDQ
closed a submission
12/13
logo
rfcyborg
created a submission
11/11
PDQ
closed a submission
11/10
logo
kumaratul_21
created a submission
10/29
PDQ
closed a submission
10/28
PDQ
accepted a submission
10/26
logo
zuhaibpanhwar
created a submission
10/21
PDQ
closed a submission
10/18
logo
agnel123
created a submission
10/17
PDQ
changed the faq