By participating in this program, you agree to:

• Respect the Community Code of Conduct
• Respect the Intigriti Terms and Conditions
• Respect the scope of the program
• Not discuss or disclose vulnerability information without prior written consent (including PoC's on YouTube and Vimeo)

Validation times

We will validate all submissions within the below timelines, once your submission has been verified by Intigriti.
Submissions validated outside of this may be awarded a €25 bonus.

This remains at the discretion of Aikido Security BV to award.

Check our fix
We offer up to €50 bonus to verify a resolved issue for us (when requested).
This remains at the discretion of Aikido Security BV to award.

Tier 1 (vulnerabilities in firewall)

We follow Intigriti's contextual CVSS standard.

Tier 2 (bypasses of vulnerability detection)

Aikido's Node.js agent general severity assessment table

For bypasses of vulnerability detection, severity is determined on a case-by-case basis. The following table provides a general overview on what to expect for each bypass:

Notes:

• Shell injection bypasses are currently out-of-scope as we are working on a new approach for detecting these type of vulnerabilities.

Aikido's Python agent general severity assessment table

Notes:

• SQL injection and shell injection bypasses are currently out-of-scope as we are working on a new approach for detecting these type of vulnerabilities.
• SSRF bypasses are currently out of scope as we're working hard to fix the existing issues in the backlog. Stay tuned for an update. We'll soon put it back into scope.
• As for missing sources: we still have a backlog of frameworks we want to support in the upcoming future. For this reason, we are only interested in potential missing sources within the frameworks we currently support (Flask, Django, Quart).

Some crucial factors which determine the severity are:

• in case of a missing sink or source, how popular/common a sink/source is (which could usually be determined based on a GitHub code search)
• whether the bypass is only possible in limited cases (for example, a bypass which is only possible in an UPDATE SQL query)
• the impact of the bypass (for example, path traversal bypasses have a lower reward than a SQL injection bypass)

Bypasses which only work on Windows or macOS environments may be lower in severity, since web services are not commonly deployed on those.

Tier 3 (false positives of vulnerability detection)

We're also interested in cases where we falsely block requests from the user, while the user input is safely encapsulated. We've made the bounties simple on purpose for those cases, so you are aware what to expect.

Issues in this Tier will be awarded on a case-by-case basis and depends mostly on:

• how common the false positive may be (for instance, if you catch a false positive with a commonly used SQL query operator like SELECT, the award will be on the higher end, since such queries may be executed on almost every page you visit as an user).
• if it has environmental constraints (e.g. only possible with a certain DBMS).

Difference between the tiers

All tiers have the same scope. There is a difference in bounties based on the following:

• Tier 1: actual vulnerabilities in the firewall
• Tier 2: bypasses of our detection (this doesn't directly expose a security risk, but improves our security product)
• Tier 3: false positives of our detection (this doesn't directly expose a security risk as well, but improves our security product)

How do I install firewall-node?

See https://github.com/AikidoSec/firewall-node/tree/main?tab=readme-ov-file#installation, and follow the instructions for Express.js based apps.

Ensure you set the environment variable AIKIDO_BLOCKING to true when launching your app. This ensures that you get immediate feedback during testing if your attack is blocked.

We recommend you to install firewall-node with any of the Express.js sample apps or with a DVWA like NodeGoat.

How do I install firewall-python?

You can install firewall-python directly from PyPi. Ensure you set the environment variable AIKIDO_BLOCKING to true when launching your app. Setting AIKIDO_DEBUG to true may be useful as well.

You can use one of the sample apps as starting point: https://github.com/AikidoSec/firewall-python/tree/main/sample-apps. The Dockerfile contains instructions to build aikido_firewall, so you don't have to do it yourself.

Do I need to create an Aikido account to test the firewall?

No, you don't. Zen can be used without an Aikido account. An account is only needed when you want to report issues to your Aikido dashboard, but any reporting functionality is not in scope for the time being.

Do you offer a live Damn Vulnerable Web Application (DVWA) to test for bypasses?

We are considering it for future iterations, but for now, we recommend you to install Firewall with a project like OWASP NodeGoat. This would also allow you to use the debugger, which could help with understanding and testing the detection logic.

Beyond NodeGoat, you could also use some of our sample apps: https://github.com/AikidoSec/firewall-node/tree/main/sample-apps (Node.js) or https://github.com/AikidoSec/firewall-python/tree/main/sample-apps (Python). As an alternative, you can also write some vulnerabilities yourself.