By participating in this program, you agree to:

• Respect the Community Code of Conduct
• Respect the Intigriti Terms and Conditions
• Respect the scope of the program
• Not discuss or disclose vulnerability information without prior written consent (including PoC's on YouTube and Vimeo)
• Current and former SimScale employees and contractors are not permitted to participate in this program.

Infrastructure notes

• We are hosting at AWS, so please take into account their penetration testing policy which you can find at https://aws.amazon.com/security/penetration-testing/
• We integrate 3rd-party closed-source software. Please be aware that we won't be able to fix all bugs internally but depend on other vendors.
• We provide compute resources, storage, and data transfer to our users. Please avoid excessive consumption of those resources.
• Please avoid creation of too many public projects and forum posts, or delete them after testing.

Our promise to you:

• We are happy to respond to any questions, please use the button in the right top corner for this.
• We will respond to reports within 2-3 days.

Focus areas

We'd like you to test our core product: The platform with it's web-based user interfaces and the APIs which are listed in the assets above.

• Everything around the user account, from registration, login (both via password or SSO), password change, API keys and in general the security of our web session handling.
• Management of projects, folders, spaces and the sharing settings.
• CAD upload and import.
• CAD editing.
• Simulation and mesh setup. The platform supports more than 15 simulation types, each contains hundreds of settings. This includes CSV upload, Formulas, and custom materials.
• Table and plot result download.
• The integrated graphical post-processor.

Beside the classic web application vulnerabilities (XSS, SQLi, RCE, etc.), we are especially interested in vulnerabilities that affect our customer's trust into our platform, such as:

• Access to private customer data (e.g. projects, CAD files, simulation results)
• Privilege escalation (both vertical and horizontal)
• Account takeover

Getting started

To get an impression of the functionality of the workbench we recommend to walk through one or more tutorials which are also available as video:

• Fluid Flow, 15 minutes video
• Structural Analysis, 15 minutes video

Highlighted

Intercom chat and support

Please don't interact with the Intercom chat and don't contact our support via email or phone. It's meant for user and customer support.

Public user profiles and projects

The names, descriptions, creation date, last modification date etc. of users and public projects are meant to be public, they are not considered to be sensitive. If information is not mentioned in the web application, it is not sensitive by default. Any information disclosure that does not contain PII or other information that cannot directly be used to cause harm to the company or its users, on endpoints mentioned below will be closed as out of scope.
This applies to

• https://www.simscale.com/api/v1/projects/{username}
• https://www.simscale.com/api/v1/projects/{username}/{projectname}
• https://www.simscale.com/api/v1/users/{username}
• https://www.simscale.com/wp-json/wp/v2/users
• https://www.simscale.com/forum/users/{username}.json
• and other endpoints that disclose similar information as the above.

Third-party services and API key disclosure

SimScale integrates third-party services. This includes

• Intercom chat
• Hubspot forms
• New Relic monitoring
• Geolocation APIs
• Google Maps
• and other services listed at https://www.simscale.com/data-privacy/.

Vulnerabilities in those services are out of scope.

Leaked/disclosed API keys for those services are out of scope.

Website (WordPress)

The SimScale website is based on the Open-Source software WordPress. Before creating a submission about the website please consider to validate your findings against the WordPress platform at https://wordpress.com/wordpress-free/ and to report it to their bug bounty program.

In general no bug bounty is payed for findings in the website, but we might consider to pay a bounty for severe findings.

WordPress username enumeration and disclosure (i.e. https://www.simscale.com/wp-json/wp/v2/users) is out of scope.

Broken Links in articles and posts

Forum (Discourse)

The SimScale forum is based on the Open-Source software Discourse. Before creating a submission about the forum please consider to also validate your findings against the Discourse demo platform at https://try.discourse.org/ and to report it to their bug bounty program.

In general no bug bounty is payed for findings in the forum, but we might consider to pay a bounty for severe findings.

Forum user information disclosure (i.e. https://www.simscale.com/forum/users/{username}.json) is out of scope.

Application

• API key disclosure without proven business impact
• Pre-Auth Account takeover/OAuth squatting
• Self-XSS that cannot be used to exploit other users
• CORS misconfiguration on non-sensitive endpoints
• Missing cookie flags
• Missing security headers
• Cross-site Request Forgery with no or low impact
• Presence of autocomplete attribute on web forms
• Reverse tabnabbing
• By-passing signup limits (plus email etc.)
• Bypassing rate-limits or the non-existence of rate-limits
• Best practices violations (password complexity, expiration, re-use, etc.)
• Clickjacking without proven impact/unrealistic user interaction
• Sessions not being invalidated (logout, enabling 2FA, etc.)
• Tokens leaked to third parties
• Anything related to email spoofing, SPF, DMARC or DKIM
• Content injection without being able to modify the HTML
• Username/email enumeration
• Email bombing
• HTTP Request smuggling without any proven impact
• Homograph attacks
• XMLRPC enabled
• Banner grabbing/Version disclosure
• Same-site scripting
• Subdomain takeover without taking over the subdomain
• Arbitrary file upload without proof of the existence of the uploaded file
• Blind SSRF without proven business impact (pingbacks are not sufficient)
• Host header injection without proven business impact

General

• In case that a reported vulnerability was already known to the company from their own tests, it will be flagged as a duplicate
• Theoretical security issues with no realistic exploit scenario(s) or attack surfaces, or issues that would require complex end user interactions to be exploited
• Spam, social engineering and physical intrusion
• DoS/DDoS attacks or brute force attacks
• Vulnerabilities that only work on software that no longer receive security updates
• Attacks requiring physical access to a victim's computer/device, man in the middle or compromised user accounts
• Recently discovered zero-day vulnerabilities found in in-scope assets within 14 days after the public release of a patch or mitigation may be reported, but are usually not eligible for a bounty
• Reports that state that software is out of date/vulnerable without a proof-of-concept

Out of scope domains

• Any domain that is not listed in the Domains section, is out of scope for this program

This program follows Intigriti's triage standards.

Where can we get credentials for the app?

You can self-register on the application but please don’t forget to use your @intigriti.me address.

Where can we get credentials for the API?

API keys can be managed in the API keys page.

Can I test professional features like private projects, spaces, and commercial solvers?

Please request access via this form.