Guidelines

• Do not perform scans. Scanning is strictly prohibited.
• Prioritize quality over quantity.
• Provide detailed but to-the-point reproduction steps.
• Include a clear attack scenario and a step-by-step guide in the PoC.
• Don’t discuss bugs before we fix them.

Safe harbor for reasearchers
PDQ considers ethical hacking conducted following the established guidelines to constitute authorized conduct under criminal law. PDQ won't pursue civil action or file a complaint for accidental, good faith violations. Similarly, PDQ won’t file a complaint for circumventing its technological measures used to protect the scope as part of your ethical hacking.
If a third party initiates legal action against you and you have complied with the agreed upon terms, PDQ will verify your actions were conducted with our approval in compliance with our guidelines.

Requirements

• An @intigriti.me email must be used when registering for any accounts while testing as a security researcher.

By participating in this program, you agree to:

• Respect the Community Code of Conduct
• Respect the PDQ Terms of Use
• Respect the scope of the program
• Not discuss or disclose vulnerability information without prior written consent (including PoCs on YouTube and Vimeo)

License management

• Please destroy any licenses generated during your testing.

Disclaimer

PDQ reserves the right to change or modify the terms of this program at any time. You may not participate in this program if you are a resident or individual located within a country appearing on any U.S. sanctions lists (e.g. Iran, North Korea, etc.), such as the lists administered by the U.S. Department of the Treasury’s OFAC.

With this project, we aim to test and increase the security of our cloud environment. At the moment, this excludes our on-prem software, PDQ Deploy & Inventory and SmartDeploy.
Our worst-case scenarios are:

• Connect
  • Authentication bypass
  • Customer data exfiltration
• Package Library
  • Data tampering
• SimpleMDM
  • Authentication bypass
  • Customer data exfiltration
  • Device hijacking
  • Device impersonation
• Portal
  • PCI leaks
  • Customer data exfiltration
  • License abuse
• Authentication
  • Privilege escalation
  • Authentication bypass

Feedback

Would you like to help us improve our program, or do you have some feedback to share? Please send your anonymous feedback via our program feedback form.
Please note that we'll check this form periodically, and it should not be used for submission or support queries.

Application

• Arbitrary file upload lacking proof of the existence of the uploaded file
• Blind SSRF with no proven business impact (pingbacks do not suffice)
• CORS misconfiguration on nonsensitive endpoints
• Clickjacking without proven impact or with unrealistic user interaction
• Content injection without ability to modify the HTML
• Cross-site request forgery with little to no impact
• Email bombing
• Email spoofing, SPF, DMARC, DKIM, or related anything related
• HTTP request smuggling without proven impact
• Host header injection lacking proven business impact
• Missing cookie flags
• Missing security headers
• Not stripping metadata of files
• Pre-auth account takeover & OAuth squatting
• Presence of autocomplete attribute on web forms
• Same-site scripting
• Self-XSS unusable to exploit other users
• Verbose messages, files, and directory listings without disclosing sensitive information
• Violations of best practices (password complexity, expiration, reuse, etc.)
• XMLRPC enabled

General

• Attacks requiring physical access to the target computer/device, machine-in-the-middle, or compromised user accounts
• Brute force attacks
• DoS/DDoS attacks
• Issues that would require complex end-user interactions for exploitation
• Recently discovered zero-day vulnerabilities found within 14 days of the public release of a patch or mitigation (these may be reported but are usually ineligible for a bounty)
• Reported vulnerabilities already known to PDQ from our own tests (will be flagged as a duplicate)
• Reports that software is out of date/vulnerable without a proof of concept
• Spam, social engineering, and physical intrusion
• Theoretical security issues that are not realistically exploitable
• Vulnerabilities that only work on end-of-life software

Infrastructure

• Open ports without proof of concept demonstrating a vulnerability
• Recently disclosed zero-day vulnerabilities in commercial products where no patch is available or a patch was released less than 2 weeks ago
  • Like everyone, we need time to patch our systems — please give us 2 weeks before reporting these types of issues
• SSL/TLS scan reports and weak/expired SSL configurations
  • Output from sites like SSL Labs

We use our contextual CVSS standard, using CVSSv3 as a scoring system and applying a business impact modifier if needed.

How do I test purchases?

For completing test purchases we ask that you use an approved test card.

How do I sign up for a test account for your products?

Use your @intigriti.me email to sign up for a trial account for any of our products by visiting the site listed for that product.