Description

Personio is Europe's leading HR Software for SMEs - your one-stop HR solution with automated processes, seamless integrations, and data-driven insights. Our Security Team knows that a solid Bounty Program helps build customer trust in our platform. So we are looking forward to working with you to help hold our platform up to the highest of standards.

Bounties

Severity (CVSS range)          Tier 2     Tier 3
Low (0.1 - 3.9)                €175       €50
Medium (4.0 - 6.9)             €350       €100
High (7.0 - 8.9)               €1,125     €450
Critical (9.0 - 9.4)           €3,000     €1,000
Exceptional (9.5 - 10.0)       €5,000     €2,000

Tier 2: €175 - €5,000
Tier 3: €50 - €2,000
Rules of engagement

  • Required
  • Not applicable
  • max. 2 requests/sec
  • X-Intigriti-Username: {{intigriti username}}

By participating in this program, you agree to:

  • Respect the Community Code of Conduct
  • Respect the Intigriti Terms and Conditions
  • Respect the scope of the program
  • Not discuss or disclose vulnerability information without prior written consent (including PoCs on YouTube and Vimeo)

Reporting vulnerabilities

When reporting a vulnerability, please do your best to explain it using clear, reproducible steps; this helps us validate the vulnerability as quickly as possible. Reports with a clear proof of concept, especially videos, are usually of higher quality and allow Personio to reproduce and fix vulnerabilities faster. For that reason we will also reward researchers who submit high-quality reports with additional amounts when deemed appropriate.

Domains

  • *.personio-internal.de (Tier 2, Wildcard)
  • *.personio.tools (Tier 2, Wildcard)
  • https://*.personio.de (Tier 2, Wildcard)
  • https://*.personiowhistleblowing.com (Tier 2, Wildcard)

Please see the FAQ for instance creation instructions.

In scope

We are happy to announce our first bug bounty program! We've done our best to clean most of our known issues and now would like to request your help to spot the ones we missed!

We are specifically looking for the following issues:

  • Cross Tenant Data Leakage / Access
  • RCE on Personio infrastructure
  • Personio Production database access
  • Personio Infrastructure access
  • Sensitive Personio company financial or customer information publicly available

A word on tiers:
Tier 1 and Tier 2 assets are similar to what you can find in other bug bounty programs. The goal of Tier 3 is to motivate researchers to submit things that could harm Personio, even if they are not explicitly in the URLs listed in the other tiers. Although there are minimum bounties for the Exceptional and Critical severities, our goal for this tier is to reward using an impact-based approach, and we can bump the payout with bonuses if the impact of the reported vulnerability is extraordinary.

Feedback
If you would like to help us improve our program or have some feedback to share, please send your anonymous feedback here:
Program feedback link
Please note this form will be checked periodically and should not be used for submission or support queries.

Out of scope

Application

  • API key disclosure without proven business impact
  • WordPress username disclosure
  • Pre-Auth Account takeover/OAuth squatting
  • Self-XSS that cannot be used to exploit other users
  • Limited PII disclosure through uncommon Access Rights setup
  • Broken Access Controls setup in Conversations
  • Verbose messages/files/directory listings without disclosing any sensitive information
  • CORS misconfiguration on non-sensitive endpoints
  • Missing cookie flags
  • Missing security headers
  • Cross-site Request Forgery with no or low impact
  • Presence of autocomplete attribute on web forms
  • Reverse tabnabbing
  • Bypassing rate limits or the non-existence of rate limits
  • Best practices violations (password complexity, expiration, re-use, etc.)
  • Clickjacking without proven impact/unrealistic user interaction
  • CSV Injection
  • Sessions not being invalidated (logout, enabling 2FA, etc.)
  • Tokens leaked to third parties
  • Anything related to email spoofing, SPF, DMARC or DKIM
  • Content injection without being able to modify the HTML
  • HTML injection that does not demonstrate a security impact
  • Username/email enumeration
  • Email bombing
  • HTTP Request smuggling without any proven impact
  • Homograph attacks
  • XMLRPC enabled
  • Banner grabbing/Version disclosure
  • Not stripping metadata of files
  • Same-site scripting
  • Subdomain takeover without taking over the subdomain
  • Arbitrary file upload without proof of the existence of the uploaded file
  • Blind SSRF without proven business impact (pingbacks are not sufficient)
  • Disclosed/misconfigured Google Maps API keys
  • Host header injection without proven business impact

General

  • Reported vulnerabilities that were already known to the company from its own tests will be flagged as duplicates
  • Theoretical security issues with no realistic exploit scenario(s) or attack surface, or issues that would require complex end-user interaction to be exploited
  • Spam, social engineering and physical intrusion
  • DoS/DDoS attacks or brute force attacks
  • Vulnerabilities that only work on software that no longer receives security updates
  • Attacks requiring physical access to a victim's computer/device, man-in-the-middle positioning or compromised user accounts
  • Recently discovered zero-day vulnerabilities found in in-scope assets within 14 days after the public release of a patch or mitigation may be reported, but are usually not eligible for a bounty
  • Reports that state that software is out of date/vulnerable without a proof of concept

Severity assessment

This program follows Intigriti's contextual CVSS standard.
Here are some examples of vulnerabilities and how we match them to criticalities by applying the business modifier.

Exceptional

  • Remote Code Execution
  • Access to AWS Keys

Critical

  • Access to all users or accounts
  • User-account or account takeover
  • Multi-tenant PII access

High

  • Stored XSS (only cross-tenant)
  • Access to one user or account
  • Privilege escalation within the same account with account take-over or similar (making yourself admin, gaining access to salary info, …)

Medium

  • Stored XSS (single-tenant)
  • Reflected Cross-Site scripting with no or limited (1 step) user interaction
  • Privilege escalation within the same account that exposes GDPR-protected data

Low

  • Reflected Cross-Site scripting with user interaction
  • Cross-Site scripting that does not work on Chrome, Safari or Internet Explorer
  • Full path disclosure with limited information

FAQ

Where can we get credentials for the app?

Testers must create their own instances according to the format below using Trial instances at https://www.personio.com/free-trial/. The environments come preloaded with realistic user data and will be registered with the actual tester's email address in advance of any bounty activity. Trial accounts are limited to a 14-day trial period, and new accounts need to be created when these expire.

Register with your @intigriti.me address

Make sure you name your company in format: sec-test-<intigriti handle>-<nn>. This way, your own instance will have the following naming format for its URI: https://sec-test-<intigriti handle>-<nn>.personio.de/.

For example, if your researcher handle is tom55, you can name your company sec-test-tom55-01 to sec-test-tom55-99.

How can I change the app language to English?

After creating a trial account, your account might be in German or another language you might not understand. This can easily be changed by following the instructions on this documentation page: https://support.personio.de/hc/en-us/articles/360004896117-How-do-I-change-the-language-of-my-Personio-account

Overall stats

  • Submissions received: 733
  • Average payout: €415
  • Accepted submissions: 222
  • Total payouts: €82,108

Last 90 day response times

  • Avg. time to first response: < 2 days
  • Avg. time to decide: < 2 weeks
  • Avg. time to triage: < 3 days