Cryptobox Bug Bounty

Ercom is a reference French company with 30 years of combined expertise in two key areas: cybersecurity and communication networks.

Information

Minimum bounty: 100€

Reports accepted: 20

Reward types: Bounty, Gift, Hall Of Fame

Rules

The program is suspended from 16/12/2017 to 15/01/2018.
During this period, we will deal with all outstanding reports and prepare a pleasant surprise for the reopening of the program.
Regards,

What is Cryptobox?

Cryptobox provides businesses and organizations with a sharing and collaboration solution that secures internal and external exchanges using end-to-end encryption. You can securely access your documents from any device, and control your data and costs with a scalable architecture and a patented security solution. Cryptobox can be deployed on premises, in the cloud, or in a hybrid model, depending on the customer's architecture requirements.

Security

Cryptobox is undergoing a CC-EAL3+ evaluation to assess its security. Ercom is convinced that working with skilled security hunters around the globe is a relevant complementary process to achieve a high security level.

Objective

The aim of the bug bounty program is to uncover significant vulnerabilities that have a direct and demonstrable impact on the security of Cryptobox users' information. The Cryptobox Security Target precisely describes the assets protected by Cryptobox. Submissions will be evaluated according to the impact of the uncovered vulnerabilities on these assets.

Rules

What hunters must do

  • Hunters must agree to and comply with all our program rules.
  • Hunters must be the first person to disclose a vulnerability.
  • All tests shall be done following the processes set by https://bountyfactory.io.
  • Ercom provides a test platform for vulnerability assessment at https://bounty.cryptobox.fr. This is the only system that shall be challenged.
  • Each hunter has two accounts (one with owner privileges and one with reader privileges) on the Cryptobox platform. Each hunter must provide two email addresses for the creation of the Cryptobox accounts.
  • Hunters must use their own accounts to test the platform for vulnerabilities.
  • Once enrolled in the program with bountyfactory.io, hunters can apply for a user account on https://bounty.cryptobox.fr, following the sign-up process. They will then be able to access the Cryptobox Security Target document and the Cryptobox Windows application.
  • Instant messaging in the new version (V3.5) is now in the scope of this program.

What hunters must not do

  • Tests conducted otherwise than described at https://bountyfactory.io will not receive any reward, and will be deemed illegal.
  • Hunters must not violate any local, state, national or international law.
  • Denial of Service vulnerabilities will not be rewarded, and no such attacks shall be performed. All online brute force attacks shall also be avoided.
  • Testing any system other than https://bug-bounty.cryptobox.fr, in particular *.cryptobox.com or *.ercom.com, is illegal.
  • Hunters shall not use more than 1 GB per account.
  • Attacking another hunter's account is not allowed.
  • Social engineering attacks are not allowed. In particular, guessing another user's or administrator's password is not considered a vulnerability.
  • All documents provided to the hunters are confidential and shall not be disclosed.
  • Hunters shall not publicly disclose a bug until Ercom has confirmed that it is fixed. Even then, they shall not make exploits publicly available unless required by law or with Ercom's written permission.

The following known points will no longer yield rewards:

  • It is possible for an unauthenticated user to check whether an account exists on the server.
  • The product has no protection against high-volume actions by users (sharing by email, file upload, creation of spaces, simultaneous requests…).
  • Client applications remain connected without a time limit.

Browsers supported

  • Chrome v56 and above
  • Firefox v51 and above

Applications supported

  • Cryptobox for Android (available on the Play Store)
  • Cryptobox for Windows (available in each hunter's Cryptobox account)
  • Cryptobox for iOS (available on the Apple App Store)

Rewards

Ercom will pay rewards, at Ercom's discretion, for serious and reproducible vulnerabilities. Hunters are responsible for any applicable taxes associated with any reward they receive. Any report that results in a change to our code base will be rewarded with, at minimum, a €100 reward and Hall of Fame recognition.

How to connect to Cryptobox?

Please contact us at this email address: Support-Bug-Bounty@cryptobox.com.

Give us two different email addresses for the creation of your two Cryptobox accounts.

So that we can verify your identity, please include your hunter pseudonym in the email.

Once we have received your two addresses, we will send an email to each one giving you the possibility to subscribe to the platform.

Please choose the email address Support-Bug-Bounty@cryptobox.com as Trustee. This is the only way to reset your password if you forget it.

After your subscription, we will allocate your two accounts to a workspace (the workspace name is your hunter pseudonym).

Each account has specific rights (one Reader and one Owner).

If you want to invite a new member into your workspace, please use the email address test.bugbounty.cryptobox@gmail.com and inform our support team at Support-Bug-Bounty@cryptobox.com.

Please note that we may modify the terms of this program or terminate it at any time.

History
-------------
12/10/2017: Added instant messaging in the new version (V3.5) and Cryptobox for iOS to the scope.

Hall Of Fame

Thanks to the following hunters for reporting important security issues.

  • #1 ProXy
  • #2 enstase
  • #3 brdoors
  • #4 virtu
  • #5 BZHash
  • #6 SaxX
  • #7 Spade
  • #8 onemore
  • #9 Rbcafe
  • #10 sreeju_kc
  • #11 JAIMAADURGA
  • #12 0xMitsurugi
  • #13 sagittarius-a
  • #14 Mahmoud0x00
  • #15 Nozz
  • #16 notfound
  • #17 kiddie
  • #18 japzdivino
  • #19 nullenc0de
  • #20 monish