80€ Minimum bounty
Reports Accepted 13
Reward types: Bounty, Gift, Hall of Fame
Founded in 2010, strategic partner to Dassault Systèmes and CMSP Advanced certified by Cisco Systems, Outscale provides enterprise-class Cloud Computing services (IaaS) that meet regulatory and local requirements internally. Outscale offers solutions to clients that are seeking to boost Business Agility and rapidly deploy value-enhancing business models. Investing 15% of revenues in R&D from the very beginning, Outscale is committed to offering services that combine excellence and thoroughness, which have won over more than 800 corporate clients in France, USA, and China, as well as several hundred users working for well-known multinationals via Dassault Systèmes. Outscale has received ISO 27001-2013 security certification for all its French locations.
Outscale develops its own Cloud orchestrator, TINA OS, with strong security requirements and provides many additional products around this infrastructure.
The scope of this bounty is the IaaS API service of the eu-west-2 region. The service is available at https://fcu.eu-west-2.outscale.com. Other subdomains on outscale.com are not covered by this bounty. You can find documentation here:
This API is compatible with the Amazon Web Services EC2 standard. As a result, the parameters, return values, and provided service must behave the same way.
Vulnerability reports must focus on confidentiality, integrity, and traceability. The availability of the scope is not covered by this bounty (no denial of service is allowed). Only exploitable vulnerabilities are covered. The report must include a proof of concept for the vulnerability.
Customers with cloud resources are not covered by this bounty. Snapshots and images provided by Outscale are not covered, either.
Security issues inside the Outscale cockpit are outside the perimeter.
Keep in mind this is a production environment: no data alteration is allowed inside the Outscale infrastructure or on Outscale customers' Cloud infrastructure, and you must not affect the availability of the platform.
- IPv6 security issues
- Known SSL issues on the API service
- Social engineering of Outscale employees and contractors
- Attacks against Outscale offices (malware, backdoor, DoS, …)
- Vulnerabilities which are already publicly known, or variations of such
- Denial of service attacks
- Vulnerabilities in products or services other than Flexible Compute Unit
- Issues in our DNS and NTP
- Issues not leading to a confidentiality, traceability or integrity problem. You can report them to email@example.com. This can give you a better experience and help you in your research
- Same behavior as Amazon Web Services
Eligibility and Disclosure
- You must agree to and comply with our Program rules
- You must not publicly disclose the vulnerability without our consent
Our security team will review each submitted finding and establish communication as soon as possible to reproduce and solve the reported vulnerability. Please allow 5 working days for our initial response. We ask you to make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service during your research.
| Severity | Score | Reward |
|---|---|---|
| Low | 0.1 - 3.9 | Goodies |
| Medium | 4.0 - 6.9 | 80 € |
| High | 7.0 - 8.9 | 300 € |
| Critical | 9.0 - 10.0 | 800 € |
Outscale will determine, at its discretion, whether a reward should be granted and the amount of the reward. In particular, we may choose to pay higher rewards for severe vulnerabilities or lower rewards for vulnerabilities that are considered less severe. This is not a contest or competition.
Goodies could be resources on our IaaS (a reduction on the invoice), which will help you to find higher-severity vulnerabilities.
The registration process is outside the scope of the bounty. If you want your account to be successfully created, you must provide correct information. The system will deny the registration if it detects abnormal information.
If you run into a problem, you can send an email to firstname.lastname@example.org.