Description

WooRank is a super fast, super easy-to-use SEO audit and digital marketing tool (available in EN/FR/ES/DE/PT/NL). We look at millions of websites through Google’s eyes and generate an instant audit of the site’s technical, on-page and off-page SEO. Since we want to make the web a better place for everyone, we believe that protecting privacy and security should be a major concern for every individual or entity that is active on it. Therefore we dogfood that idea by asking you to help us track down vulnerabilities. We think that the practice of 'responsible disclosure' is the best way to clean the Internet one step at a time. It allows researchers like you to notify us of any security threats before going public with the information. This gives us a chance to fix the issue before people with bad intentions become aware of it.

Bounties

Severity      Tier 2
Low           € 0
Medium        € 250
High          € 500
Critical      € 1,000
Exceptional   € 2,000

Up to € 2,000
Domains (in scope)

Asset             Tier        Type
www.woorank.com   Tier 2      URL
*.woorank.com     No Bounty   URL

CHANGELOG

WooRank Update: New PDF Editor
Read more about this feature on https://www.woorank.com/en/blog/woorank-new-pdf-editor

MAIN INTEREST

We are particularly interested, but not limited to, in finding out how one can exploit our system to:

  • Extract sensitive data like email addresses, passwords, billing and credit card details from our databases
  • Expose private data coming from 3rd party APIs we integrate with (eg. Google Analytics, Google Search Console, Facebook API, etc.)
  • Gain unauthorized access to our infrastructure, databases or backends
  • Bypass or game our payment systems for profit

IMPORTANT!

When you want to run automated scanners (eg. Burp Suite), FIRST send a request to bugbounty@woorank.com, specifying the tool you want to use, at what time and which connection rate you expect to use (eg. 10 req/sec). We will then review your request and let you know whether we approve or not. Failing to do so will get you excluded from our project.

This is very important since we are hosted in a cloud environment whose provider has 24/7 intrusion teams on staff. When they detect suspicious behaviour, they can take precautions on many different levels (close our account, block your IPs, etc.).

Out of scope

You will not receive a reward, or your submission might be rejected, if it is out of scope or if it is one of the following:

Application

  • Self-XSS that cannot be used to exploit other users
  • Verbose messages/files/directory listings without disclosing any sensitive information
  • CORS misconfiguration on non-sensitive endpoints
  • Missing cookie flags on non-sensitive cookies
  • Missing security headers which do not present an immediate security vulnerability
  • Cross-site Request Forgery with no or low impact
  • Presence of autocomplete attribute on web forms.
  • Reverse tabnabbing
  • Bypassing rate-limits or the non-existence of rate-limits.
  • Best practices violations (password complexity, expiration, re-use, etc.)
  • Clickjacking on pages without sensitive actions
  • CSV Injection
  • Host Header Injection
  • Sessions not being invalidated (logout, enabling 2FA, etc.)
  • Hyperlink injection/takeovers
  • Mixed content type issues
  • Cross-domain referer leakage
  • Anything related to email spoofing, SPF, DMARC or DKIM
  • Content injection
  • Username / email enumeration
  • E-mail bombing
  • HTTP Request smuggling without any proven impact
  • Homograph attacks
  • XMLRPC enabled
  • Banner grabbing / version disclosure
  • Open ports without an accompanying proof-of-concept demonstrating vulnerability
  • Weak SSL configurations and SSL/TLS scan reports
  • Not stripping metadata of images
  • Disclosing API keys without proven impact

General

  • If a reported vulnerability was already known to the company from their own tests, it will be flagged as a duplicate.
  • Theoretical security issues with no realistic exploit scenario(s) or attack surfaces, or issues that would require complex end user interactions to be exploited, may be excluded or be lowered in severity
  • Spam, social engineering and physical intrusion
  • DoS/DDoS attacks or brute force attacks.
  • Vulnerabilities that are limited to non-current browsers (older than 3 versions) will not be accepted
  • Attacks requiring the usage of shared computers, man in the middle or compromised user accounts
  • Recently disclosed zero-day vulnerabilities in commercial products where no patch or a recent patch (< 2 weeks) is available. We need time to patch our systems just like everyone else - please give us 2 weeks before reporting these types of issues.
  • Attacks requiring unrealistic user interaction

Rules of engagement

Guidelines

  • Provide detailed but to-the-point reproduction steps
  • Include a clear attack scenario; a step-by-step guide in the PoC is highly appreciated
  • Remember: quality over quantity!
  • Assess the severity consciously in the context of our project (DO NOT blindly copy OWASP severity levels)

Available license plans

Safe harbour for researchers

Woorank considers ethical hacking activities conducted consistent with the Researcher Guidelines, the Program description and restrictions (the Terms) to constitute “authorized” conduct under criminal law. Woorank will not pursue civil action or initiate a complaint for accidental, good faith violations, nor will they file a complaint for circumventing technological measures used by us to protect the scope as part of your ethical hacking activities.

If legal action is initiated by a third party against you and you have complied with the Terms, Woorank will take steps to make it known that your actions were conducted in compliance and with our approval.

Severity assessment

For every report we will assess the criticality based on the impact it has on our users, their privacy and/or the bottom line of our business. Therefore we ask you to evaluate the severity carefully and consider its impact within the context of our project. Referring to OWASP criticality levels is NOT enough, since they lack context.

Here are some EXAMPLES to help you decide, BUT note that based on the actual impact we might give a report a higher or lower severity rating.

Exceptional

  • Remote Code Execution on the underlying servers and infrastructure
  • Full database access (update/delete) on critical databases (eg. databases containing user information)
  • Full takeover of our cloud infrastructure

Critical

  • Access to all user data and personal details (email, plain text password, credit card details, etc.)
  • SQL injection on critical databases

High

  • Stored XSS without user interaction
  • Access to a specific user's account
  • Privilege escalation
  • Remote Code Execution within application containers

Medium

  • CSRF with proven impact
  • Vulnerabilities that require very little (eg. single click) user interaction

Low

  • Reflected XSS
  • Clickjacking
  • Use functionality of our tool without an active subscription

None

  • Open redirect
  • Out-of-scope reports

FAQ

1. Can we create test accounts?

You can register your own test account by starting a trial. As we want to keep track of all accounts that are created for testing reasons, we would like to ask you to create your account by using your handle@intigriti.me address. You can find more information about this functionality by visiting this page: https://go.intigriti.com/intigritime

The last step of sign-up will request your credit card details. As this is part of the payment procedure, it is also in scope of testing, so please complete this step. There will be no charge within 14 days; you can cancel immediately from the ‘My Account’ page (your subscription will still remain active during the entire 14-day trial and expire automatically).

If you don’t want to do this, or you don't have a credit card, please contact us by e-mail (bugbounty@woorank.com) and we will validate your account without credit card details. Take into account that there will be a small delay in the validation of these accounts, since this is a manual process.

2. Can we test subscription plans?

Yes please. You can test both pro and premium subscriptions.

3. How to test the enterprise plan?

These are case-by-case subscriptions we create for bigger clients. So as not to make things overly complicated, they are out of scope in this project.

Program specifics
ID check required
Reputation points
Triage