Highlighted
Public user profiles and projects
The names, descriptions, creation dates, last-modification dates, etc. of users and public projects are meant to be public and are not considered sensitive. Information that is not marked as sensitive in the web application is not sensitive by default. Any information disclosure on the endpoints listed below that does not contain PII or other information that can directly be used to cause harm to the company or its users will be closed as out of scope.
This applies to:
- https://www.simscale.com/api/v1/projects/{username}
- https://www.simscale.com/api/v1/projects/{username}/{projectname}
- https://www.simscale.com/api/v1/users/{username}
- https://www.simscale.com/wp-json/wp/v2/users
- https://www.simscale.com/forum/users/{username}.json
- other endpoints that disclose similar information to the above
Third-party services and API key disclosure
SimScale integrates third-party services. This includes
- Vulnerabilities in those services are out of scope.
- Leaked/disclosed API keys for those services are out of scope.
Website (WordPress)
The SimScale website is based on the open-source software WordPress. Before creating a submission about the website, please validate your findings against the WordPress platform at https://wordpress.com/wordpress-free/ and report them to the WordPress bug bounty program.
In general no bug bounty is paid for findings in the website, but we might consider paying a bounty for severe findings.
- WordPress username enumeration and disclosure (e.g. https://www.simscale.com/wp-json/wp/v2/users) is out of scope.
- Broken links in articles and posts are out of scope.
Forum (Discourse)
The SimScale forum is based on the open-source software Discourse. Before creating a submission about the forum, please also validate your findings against the Discourse demo platform at https://try.discourse.org/ and report them to the Discourse bug bounty program.
In general no bug bounty is paid for findings in the forum, but we might consider paying a bounty for severe findings.
- Forum user information disclosure (e.g. https://www.simscale.com/forum/users/{username}.json) is out of scope.
Application
- API key disclosure without proven business impact
- Pre-auth account takeover / OAuth squatting
- Self-XSS that cannot be used to exploit other users
- CORS misconfiguration on non-sensitive endpoints
- Missing cookie flags
- Missing security headers
- Cross-Site Request Forgery (CSRF) with no or low impact
- Presence of the autocomplete attribute on web forms
- Reverse tabnabbing
- Bypassing rate limits, or the absence of rate limits
- Best-practice violations (password complexity, expiration, re-use, etc.)
- Clickjacking without proven impact or requiring unrealistic user interaction
- Sessions not being invalidated (on logout, enabling 2FA, etc.)
- Tokens leaked to third parties
- Anything related to email spoofing, SPF, DMARC or DKIM
- Content injection without the ability to modify the HTML
- Username/email enumeration
- Email bombing
- HTTP request smuggling without any proven impact
- Homograph attacks
- XML-RPC enabled
- Banner grabbing / version disclosure
- Same-site scripting
- Subdomain takeover without actually taking over the subdomain
- Arbitrary file upload without proof that the uploaded file exists on the server
- Blind SSRF without proven business impact (pingbacks are not sufficient)
- Host header injection without proven business impact
General
- If a reported vulnerability was already known to the company from its own tests, it will be flagged as a duplicate
- Theoretical security issues with no realistic exploit scenario or attack surface, or issues that would require complex end-user interaction to be exploited
- Spam, social engineering and physical intrusion
- DoS/DDoS attacks or brute-force attacks
- Vulnerabilities that only work on software that no longer receives security updates
- Attacks requiring physical access to a victim's computer/device, a man-in-the-middle position, or compromised user accounts
- Recently disclosed zero-day vulnerabilities in in-scope assets may be reported within 14 days after the public release of a patch or mitigation, but are usually not eligible for a bounty
- Reports stating that software is out of date or vulnerable without a proof of concept
Out of scope domains
- Any domain that is not listed in the Domains section is out of scope for this program