Description

Personio is Europe's leading HR Software for SMEs - your one-stop HR solution with automated processes, seamless integrations, and data-driven insights. Our Security Team knows that a solid Bounty Program helps build customer trust in our platform. So we are looking forward to working with you to help hold our platform up to the highest of standards.

Bounties

  Severity (CVSS)          Tier 2    Tier 3
  Low (0.1 - 3.9)          €175      €50
  Medium (4.0 - 6.9)       €350      €100
  High (7.0 - 8.9)         €1,125    €450
  Critical (9.0 - 9.4)     €3,000    €1,000
  Exceptional (9.5 - 10.0) €5,000    €2,000

Tier 2: €175 - €5,000
Tier 3: €50 - €2,000
Rules of engagement

  • Required
  • Not applicable
  • max. 2 requests/sec
  • Header: X-Intigriti-Username: {{intigriti username}}

By participating in this program, you agree to:

  • Respect the Community Code of Conduct
  • Respect the Intigriti Terms and Conditions
  • Respect the scope of the program
  • Not discuss or disclose vulnerability information without prior written consent (including PoC's on YouTube and Vimeo)

Reporting vulnerabilities

When reporting a vulnerability, please do your best to explain it using clear, reproducible steps; this helps us validate the vulnerability as quickly as possible. Reports with a clear proof of concept, especially videos, are usually of higher quality and allow Personio to reproduce and fix vulnerabilities more quickly. That is why we will also reward researchers who submit high-quality reports with additional amounts when deemed appropriate.

Domains

  • *.app.personio-dev.com (Tier 2, Wildcard)
  • *.app.personio.com (Tier 2, Wildcard)
  • *.personio-internal.de (Tier 2, Wildcard)
  • *.personio.tools (Tier 2, Wildcard)
  • https://*.personio.de (Tier 2, Wildcard)
  • https://*.personiowhistleblowing.com (Tier 2, Wildcard)

Researchers are asked to follow the process below for our community platform so as to avoid spamming regular users. Any activity outside the following parameters will not be considered a valid submission:

Step 1:
Go to 🇪🇺 https://community.personio.com or 🇩🇪 https://community.personio.de

Step 2:
If you have an account, click on 🇪🇺 Log in or 🇩🇪 Einloggen to log in.
If you don't have an account yet, click on Sign up or Registrieren in the menu bar to sign up.

Step 3:
Click on 🇪🇺 Ask the Community or 🇩🇪 Frag' die Community to publish a new thread / post.

Step 4:
When publishing your post, select the category "Hacking Playground", which has been set up specifically for Intigriti researchers.

If you have just signed up and cannot see it yet, please wait a couple of minutes and then refresh.
If you still cannot see it, please contact community@personio.de for assistance.

As a result, your post will land in the Hacking Playground Area.

🇪🇺 https://community.personio.com/hacking-playground-156 or 🇩🇪 https://community.personio.de/hacking-playground-243

Please see the FAQ for account creation instructions.

In scope

We are happy to announce our first bug bounty program! We've done our best to clean most of our known issues and now would like to request your help to spot the ones we missed!

We are specifically looking for the following issues:

  • Cross Tenant Data Leakage / Access
  • RCE on Personio infrastructure
  • Personio Production database access
  • Personio Infrastructure access
  • Sensitive Personio company financial or customer information publicly available

A word on tiers:
Tier 1 and Tier 2 assets are similar to what you can find in other bug bounty programs. The goal of Tier 3 is to motivate researchers to submit things that could harm Personio, even if they are not explicitly in the URLs listed in the other tiers. Although there are minimum bounties for the Exceptional and Critical severities, our goal for this tier is to reward using an impact-based approach, and we can bump the payout with bonuses if the impact of the reported vulnerability is extraordinary.

Feedback
If you would like to help us improve our program or have some feedback to share, please send your anonymous feedback here:
Program feedback link
Please note this form will be checked periodically and should not be used for submission or support queries.

Severity assessment

This program follows Intigriti's contextual CVSS standard.
Here are some examples of vulnerabilities and how we match them to criticalities by applying the business modifier.

Exceptional

  • Remote Code Execution
  • Access to AWS Keys

Critical

  • Access to all users or accounts
  • User-account or account takeover
  • Multi-tenant PII access

High

  • Stored XSS (only cross-tenant)
  • Access to one user or account
  • Privilege escalation within the same account with account take-over or similar (making yourself admin, gaining access to salary info, …)

Medium

  • Stored XSS (single-tenant)
  • Reflected cross-site scripting with no or limited (1 step) user interaction
  • Privilege escalation within the same account that exposes GDPR-protected data

Low

  • Reflected cross-site scripting with user interaction
  • Cross-site scripting that does not work on any of Chrome, Safari or Internet Explorer
  • Full path disclosure with limited information

FAQ

Where can we get credentials for the app?

Testers must create their own instances according to the format below using trial instances at https://www.personio.com/free-trial/. The environments come preloaded with realistic user data and will be registered with the actual tester's email address in advance of any bounty activity. Trial accounts are limited to a 14-day trial period, and new accounts need to be created when these expire.

Register with your @intigriti.me address.

Make sure you name your company in the format sec-test-<intigriti handle>-<nn>. This way, your own instance will have the following naming format for its URI: https://sec-test-<intigriti handle>-<nn>.personio.de/.

For example, if your researcher handle is tom55, you can name your company sec-test-tom55-01 to sec-test-tom55-99.

How can I change the app language to English?

After creating a trial account, your account might be in German or another language you may not understand. This can easily be changed by following the instructions on this documentation page: https://support.personio.de/hc/en-us/articles/360004896117-How-do-I-change-the-language-of-my-Personio-account
