Bug Bounty Program
Thank you for your interest in Rampiva’s bug bounty program! We’re happy you’re here. Our goal is to make the Rampiva software as secure as possible and we think this is an ongoing process and a collaborative effort. We need researchers who will challenge assumptions and think creatively about founding security bugs.
This is not an easy program and running vulnerability scanners is unlikely to yield any results. But we want to help—if you think you have found a security bug and are close to exploitation, but are only missing a step, contact us. We will make a good faith effort to help you, but please understand that we might not be able to respond to complex or time-consuming requests.
Scope and Rewards
In Scope Targets
Out of Scope Targets
Restrictions and Limits
- Automated testing/scanning must be kept under 60 requests per minute.
- File upload must be kept under 100 MB per day.
- Make a good faith effort to avoid privacy violation, disruption of service and destruction of data.
- Be mindful of the fact that other researches can access the same platform, and avoid submitting offensive content to the platform.
- In case that a reported vulnerability was already known, it will be flagged as a duplicate.
- Theoretical security issues with no realistic exploit scenario(s) or attack surfaces, or issues that would require complex end user interactions to be exploited, may be excluded or be lowered in severity.
- Spam, social engineering and physical intrusion.
- DoS/DDoS attacks or brute force attacks.
- Vulnerabilities that are limited to non-current browsers.
- Attacks requiring physical access to a victim’s computer/device, man in the middle or compromised user accounts.
- Recently disclosed zero-day vulnerabilities in commercial products where no patch or a recent patch is available.
- Reports that state that software is out of date/vulnerable without a proof-of-concept.
To obtain credentials to the application, register using either an existing Microsoft 365 account or with a regular email address at https://securityresearch.rampivalab.com:8443. You will then receive an email invitation to link the Microsoft account to the test environment.
The test environment is reset nightly at 00:00 UTC, and you will have to re-register on each day you are performing tests.
- Submit the report to firstname.lastname@example.org or https://support.rampiva.com
- Submit one vulnerability per report, unless multiple vulnerabilities have to be chained to reach the impact.
- Provide a detailed report with reproducible steps. If the report is not detailed enough to reproduce the issue, the report will not be eligible for a reward.
- Submissions should have impact to the target’s security posture. Impact means the reported issue affects the target’s users, systems, or data security in a meaningful way. Submissions such as Clickjacking or similar vulnerabilities on the main rampiva.com website without any meaningful way to impact the website do not quality.
- Submissions may be closed if a researcher is non-responsive to requests for information.
Coordinated Vulnerability Disclosure
- Before disclosing any information related to a vulnerability, the Researcher must obtain explicit permission from Rampiva. This applies to all submissions, including those categorized as duplicates, unresolved and won’t fix.
- Rampiva will work with the Researcher through the disclosure process to commonly agree on the date and level (limited or full) of the disclosure.
All our rewards are impact based, therefore we kindly ask you to carefully evaluate a vulnerability’s impact when picking a severity rating. To give you an idea of what kind of bugs belong in a certain severity rating, refer to the list of some examples below. Note that depending on the impact a bug can sometimes be given a higher/lower severity rating.
- Remote Code Execution
- Full database read/write access
- Full database read access
- Stored XSS without user interaction
- Sensitive information disclosure
- XSS that requires user interaction
- CSRF with a significant impact
- XSS that requires lots of user interaction ( > 3 steps)
- CSRF with a very limited impact
- Open redirect
Rampiva Automate combines an easy-to-use job queue with the ability to build and customize libraries of workflows, and a powerful set of operational reports and tools for cross-case analysis.
The product has a REST API documentation available at: https://securityresearch.rampivalab.com/openapi. Note that most of the endpoints require authentication.
The OData Reporting feed (link in the User Resources section) can be access with Microsoft PowerBI, using the Organizational account authentication mode.
Rampiva considers ethical hacking activities conducted consistent with the Bug Bounty Program description and restrictions (the Terms) to constitute “authorized” conduct under criminal law. Rampiva will not pursue civil action or initiate a complaint for accidental, good faith violations, nor will they file a complaint for circumventing technological measures used by us to protect the scope as part of your ethical hacking activities.
If legal action is initiated by a third party against you and you have complied with the Terms, Rampiva will take steps to make it known that your actions were conducted in compliance and with our approval.
If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please submit a report before going further.