Bounties

Severity     Low    Medium   High    Critical   Exceptional
Tier 2       € 0    € 500    € 750   € 1,000    € 2,000

Up to € 2,000
Domains

  • <TenantID>.sdb.tid.onespan.cloud/ (Tier 2, URL)
    Accounts: researchers are allowed to create only one account using their @intigriti.me email address. Creating an account will generate a Tenant ID and will give you access to the following link: <TenantID>.sdb.tid.onespan.cloud/
  • sdb.tid.onespan.cloud/devportal/ (Tier 2, URL)

Description

OneSpan (formerly known as VASCO Data Security) is a global leader in digital security with two-factor authentication, transaction data signing, document e-signature and identity management solutions designed for financial institutions, enterprises, healthcare institutions as well as government agencies. Trusted Identity Platform, or TID, is OneSpan's cloud-based platform that delivers security technologies to secure digital interactions. In this project, we request researchers to validate the security of the TID Developer Portal and the TID Microservices (Adaptive Authentication services).

In scope

The scope of this project is limited to the following products:

TID Developer Portal

Application entry points:

  • https://sdb.tid.onespan.cloud/devportal/
  • https://<TenantID>.sdb.tid.onespan.cloud/
    Accounts: researchers are allowed to create only one account using their @intigriti.me email address. Creating an account will generate a Tenant ID.

TID Microservices (Adaptive Authentication services)

Application entry points:

  • https://<TenantID>.sdb.tid.onespan.cloud/<service_name>

Out of scope

Please note that all domains of OneSpan/VASCO are out of scope except the ones mentioned in the “in scope” section.

  • The Risk Analytics Presentation Service application is also explicitly out of scope. The URL of this application is https://sdb.tid.onespan.cloud/irm/.
  • The IDENTIKEY Authentication Server application is also explicitly out of scope. The URL of this application is https://sdb.tid.onespan.cloud/ias/.
  • All services running on ports on the above mentioned servers that are not explicitly mentioned in the in-scope section are also explicitly out of scope.

You will not receive a reward, and your submission will be rejected, if it is out of scope or falls into one of the following categories:

General:

  • Violations against best practices that only have a theoretical chance of exploitation
  • Highly speculative reports about theoretical damage. Be concrete.
  • Denial of Service Attacks
  • Publicly accessible login panels of OneSpan software
  • Reports that state that software is out of date/vulnerable without proven exploitable risks
  • Vulnerabilities as reported by automated tools without additional analysis as to how they're an issue
  • Physical or social engineering attempts (this includes phishing attacks against employees)

Application

  • Debug information, stack trace information, excessive information leakage (internal IP addresses, server paths, …)
  • Open redirects - 99% of open redirect issues have low security impact. For the rare cases for which there is a security impact, like stealing sensitive data (customer records,…) or introducing XSS, we do still want to hear about them.
  • XSS issues in non-current browsers (older than 3 versions)
  • Self-XSS that cannot be used to exploit other users (this includes having a user paste JavaScript into the browser console)
  • Content injection issues
  • User enumeration
  • Cross-site Request Forgery (CSRF)
  • Missing autocomplete attributes
  • Missing cookie flags on non-security sensitive cookies
  • Missing security headers or unnecessary headers which do not present an immediate security vulnerability
  • Banner grabbing issues (figuring out what web server we use, etc)
  • Clickjacking (including clickjacking on sensitive pages)
  • Injection attempts where the application doesn’t accept the input because of input validation.
  • Session hijacking by copying the cookie values.
  • Available HTTP methods that do not pose a security risk (for example if the PUT/DELETE methods seem to be available, but using them doesn’t have an impact because the corresponding server functionality is not available or implemented).

Infrastructure

  • Recently disclosed 0-day vulnerabilities against commercial products where no patch is available or the patch was released within the last 2 months. We need time to patch our software and release new versions just like everyone else.
  • Open ports without an accompanying proof-of-concept demonstrating vulnerability
  • Weak SSL/TLS configurations and SSL/TLS scan reports (for example output from sites such as SSL Labs or issues related to the fact that the applications are configured with self-signed certificates).
  • Reports on misconfigured DNS settings or missing DNS domain records (such as missing DMARC or SPF records).
  • Reports on the configuration of services that are not related to the tested application (for example reports about the email security of the tested domains and reports about the DNS servers hosting the DNS records of the tested domains).
  • Reports on the configuration of the underlying operating system.

Rules of engagement

Guidelines:

  • Provide detailed but to-the-point reproduction steps
  • Include a clear attack scenario; a step-by-step guide in the PoC is highly appreciated
  • Remember: quality over quantity!
  • Provide details on the timestamp when you conducted the test and about the username that you used to conduct the test.

Application availability:

  • The applications should be available all the time.

Safe harbour for researchers

OneSpan considers ethical hacking activities conducted consistent with the Researcher Guidelines, the Program description and restrictions (the Terms) to constitute “authorized” conduct under criminal law. OneSpan will not pursue civil action or initiate a complaint for accidental, good faith violations, nor will they file a complaint for circumventing technological measures used by us to protect the scope as part of your ethical hacking activities.

If legal action is initiated by a third party against you and you have complied with the Terms, OneSpan will take steps to make it known that your actions were conducted in compliance and with our approval.

Severity assessment

It will be the responsibility of Intigriti to pay ethical hackers in a timely and legal way. Payouts will only take place after agreement with OneSpan on the criticality of the impact and only if the submission was the first of its kind and agreed to be valid.

Duplicates policy: When two identical issues are reported, with different endpoints being the only difference between submissions, only the first submission will have the criticality below assigned.

If similar reports by the same user are reported within 14 days after accepting the previous (only differentiating in endpoint), the reports will be accepted but in a lower criticality, hence affecting the bounty.

OneSpan provides the following monetary rewards. In addition, researchers will be listed in OneSpan’s Hall of Fame if they agree to it.

Exceptional € 2,000:

  • Remote Code Execution

Critical € 1,000:

  • Access to all user / domain details
  • Privilege escalation: Ability to read/modify data without having the privilege to do so, for example being able to create a user without having the required admin privilege.
  • SQL/XML/JSON Injection that can be used to manipulate the behavior of the query or request.
  • Impersonation of another user without copying the session cookie value

High € 750:

  • Stored XSS

Medium € 500:

  • Vulnerabilities that affect multiple users, and require little or no user interaction to trigger.
  • Reflected Cross-Site scripting
  • SQL/XML/JSON Injection that only generates an application error or breaks the query.

Low:

  • Vulnerabilities that affect singular users and require interaction or significant prerequisites (MitM) to trigger.
  • Scripting and automation
  • Publicly accessible login panels of third-party software (for example the login panel of the application server or of the database server). Login panels of OneSpan products are out of scope.

FAQ

Can I create a test account?

Yes, and you are encouraged to do so. Please use your @intigriti.me email address for the account creation.

Are there specific rules to follow for test accounts creation?

Yes. Please only create one test account. Also, please use your @intigriti.me email address for the account creation.


Program specifics

  • ID check required
  • Reputation points
  • Triage