⚠️ Do not delete the users / tenants described in this project nor change the password of these accounts ⚠️
We are happy to announce our first bug bounty program! Help us find those critical and exceptional vulnerabilities, so we can adapt and get better.
Below, you can find a quick 5-minute setup guide to get you started from processing documents to user authentication/authorization, user and company management and searching on data which has been processed.
From a user perspective we have:
This shows a clear split between the exposed services (APIs) and the document processing pipeline. Also note that the Ops UI is only used internally and is never exposed to a customer.
Our main priorities are the processing pipeline, which comes closest to the core system, and the search functionality: we want our schemas and the logical segregation between tenants tested.
1. Processing flow -- All the info you need to get started with data
5-Minute Quick Setup Guide 👇
📺 https://youtu.be/BF1bsN2JpBY
This demo will aid you in setting up an integration with a DMS (Document Management System like Google Drive, Sharepoint, …), where you could possibly inject malicious payloads into documents from an external system.
We analyse and convert these documents with PDFBox (3.0.0-alpha3) and LibreOffice (7.4.1), after which we add the data to our persistence backend (PostgreSQL).
What we are strongly interested in:
- Access to other tenants' data
- SQLi
- Remote code execution
- Whatever you can find to compromise our systems!
2. Search API (add-in)
Check out our search API, where you can search for results after injecting your documents through our processing pipeline.
- How does it react to malicious data you processed from documents?
- How does it handle input validation; are there gaps?
Let us know!
3. Other services
Let us know what you can find on our:
- Auth flow
- Ops dashboard and identity management, be it users or companies and integrations
- Dashboard, where our customers can add an integration themselves
All in all, we wish to deliver better and more secure software (yes that marketing fluffiness is also something we strive for) and hope we can count on your help for this. 💪
Keep us on our toes!
Feedback
If you would like to help us improve our program or have feedback to share, please send your anonymous feedback here:
Program feedback link
Please note this form will be checked periodically and should not be used for submission or support queries.