auth.ccm.net - Oauth for community sites

Information

Minimum bounty: 50€

Reports accepted: 15

Reward types: Bounty, Gift, Hall Of Fame

Rules

CCM Benchmark Group

CCM Benchmark Group is a French online media group. We run a network of more than 40 sites in 13 languages, covering high-tech, news, health, economy and more. We have more than 50 million visitors monthly.

Even if we don’t store any serious personal info, we take security very seriously. That’s the reason we are trying to challenge our code and want to reinforce our practices.

The current program is about our authentication system, used on our community websites.

Scope

The scope of this program includes the following URL:

Any bug reported on multiple subdomains of ccm.net will be considered a single bug.

Report security vulnerability

If you believe you have discovered a security vulnerability in a CCM Benchmark website, please report it with a thorough explanation of the vulnerability. Please remember to include full details of the security issue, including Proof-of-Concept URL, the details of the system where the tests were conducted when needed and detailed reproduction steps. Your report must be reproducible to be considered as valid.

Non-Qualifying Vulnerabilities

The following vulnerabilities are excluded from all our programs:

  • Logout CSRF
  • Use of a known-vulnerable library (without evidence of exploitability)
  • Reports from automated tools or scans
  • Vulnerabilities affecting users of unsupported browsers or platforms
  • Social engineering
  • Any physical attempts against CCM Benchmark Group property or data centers
  • (D)DoS
  • Vulnerabilities in third-party software or networks (like any CDN we use)
  • Issues with no security impact
  • Lack of encryption on any domain but auth.ccm.net
  • Self-XSS
  • Any issue not related to the application itself

Applicable rules

  • You must make a good-faith effort to avoid any data destruction, interruption or degradation of any CCM Benchmark Group services,
  • You must agree to and comply with our program rules,
  • You must be the first person to disclose a vulnerability,
  • You must not publicly disclose any vulnerability,
  • You must not violate any local, state, national or international law.

Browsers supported

  • Chrome 52+
  • Firefox 43+
  • Safari (on macOS and iOS)
  • Internet Explorer >= 10

Rewards

CCM Benchmark Group will give rewards at our discretion for a serious and reproducible vulnerability. You are responsible for any applicable taxes associated with any reward you receive. Any report that results in a change to our codebase will be rewarded with, at minimum, a 50€ reward and a Hall of Fame recognition.

Please note that we may modify the terms of this program or terminate it at any time.

History

2018-02-28: Program opening
2017-10-25: Program opening privately

Hall Of Fame

Thanks to the following hunters for reporting important security issues.

  • #1 Rbcafe
  • #2 kuromatae
  • #3 naveenrudrappa
  • #4 peacemindlav
  • #5 kistimat
  • #6 doom_trooper
  • #7 IzemaghiIas
  • #8 SaxX
  • #9 Root0401
  • #10 Sajibekanti
  • #11 Nicknam3
  • #12 Ahtisham
  • #13 djamel-ghorab
  • #14 5P3C73R
  • #15 sreeju_kc
  • #16 t3xy45
  • #17 QasimMunir
  • #18 BZHash
  • #19 veeboy
  • #20 gamblur
  • #21 bastianwelfrid
  • #22 malexplore
  • #23 skp
  • #24 myloginisfun
  • #25 Hacker2202