Bug Bounty Program

Program Details

Thank you for your interest in Rampiva’s bug bounty program! We’re happy you’re here. Our goal is to make the Rampiva software as secure as possible, and we think this is an ongoing process and a collaborative effort. We need researchers who will challenge assumptions and think creatively about finding security bugs.

This is not an easy program and running vulnerability scanners is unlikely to yield any results. But we want to help—if you think you have found a security bug and are close to exploitation, but are only missing a step, contact us. We will make a good faith effort to help you, but please understand that we might not be able to respond to complex or time-consuming requests.

Scope and Rewards

In Scope Targets

Out of Scope Targets

  • https://securityresearch.rampivalab.com:8443
  • https://rampiva.com
  • *.rampiva.com

Rewards

  • Low: $50
  • Medium: $150
  • High: $500
  • Critical: $1,000
  • Exceptional: $2,500

Restrictions and Limits

Program Rules

  • Automated testing/scanning must be kept under 60 requests per minute.
  • File upload must be kept under 100 MB per day.
  • Make a good faith effort to avoid privacy violation, disruption of service and destruction of data.
  • Be mindful of the fact that other researchers can access the same platform, and avoid submitting offensive content to the platform.
  • If a reported vulnerability was already known, it will be flagged as a duplicate.
  • Theoretical security issues with no realistic exploit scenario(s) or attack surfaces, or issues that would require complex end user interactions to be exploited, may be excluded or be lowered in severity.

General Exclusions

  • Spam, social engineering and physical intrusion.
  • DoS/DDoS attacks or brute force attacks.
  • Vulnerabilities that are limited to non-current browsers.
  • Attacks requiring physical access to a victim’s computer/device, man in the middle or compromised user accounts.
  • Recently disclosed zero-day vulnerabilities in commercial products where no patch or a recent patch is available.
  • Reports that state that software is out of date/vulnerable without a proof-of-concept.

Credentials

To obtain credentials to the application, register using either an existing Microsoft 365 account or with a regular email address at https://securityresearch.rampivalab.com:8443. You will then receive an email invitation to link the Microsoft account to the test environment.

The test environment is reset nightly at 00:00 UTC, and you will have to re-register on each day you are performing tests.

Submission Guidelines

  • Submit the report to security@rampiva.com or https://support.rampiva.com
  • Submit one vulnerability per report, unless multiple vulnerabilities have to be chained to reach the impact.
  • Provide a detailed report with reproducible steps. If the report is not detailed enough to reproduce the issue, the report will not be eligible for a reward.
  • Submissions should have impact on the target’s security posture. Impact means the reported issue affects the target’s users, systems, or data security in a meaningful way. Submissions such as Clickjacking or similar vulnerabilities on the main rampiva.com website without any meaningful way to impact the website do not qualify.
  • Submissions may be closed if a researcher is non-responsive to requests for information.

Coordinated Vulnerability Disclosure

  • Before disclosing any information related to a vulnerability, the Researcher must obtain explicit permission from Rampiva. This applies to all submissions, including those categorized as duplicates, unresolved and won’t fix.
  • Rampiva will work with the Researcher through the disclosure process to jointly agree on the date and level (limited or full) of the disclosure.

Severity Assessment

All our rewards are impact based, so we kindly ask you to carefully evaluate a vulnerability’s impact when picking a severity rating. To give you an idea of what kind of bugs belong in a certain severity rating, refer to the examples below. Note that, depending on the impact, a bug can sometimes be given a higher or lower severity rating.

Exceptional

  • Remote Code Execution
  • Full database read/write access

Critical

  • Full database read access

High

  • Stored XSS without user interaction
  • Sensitive information disclosure

Medium

  • XSS that requires user interaction
  • CSRF with a significant impact

Low

  • XSS that requires lots of user interaction (> 3 steps)
  • CSRF with a very limited impact
  • Open redirect

Product Notes

Rampiva Automate combines an easy-to-use job queue with the ability to build and customize libraries of workflows, and a powerful set of operational reports and tools for cross-case analysis.

The product's REST API documentation is available at: https://securityresearch.rampivalab.com/openapi

Note that most of the endpoints require authentication.

The OData Reporting feed (link in the User Resources section) can be accessed with Microsoft PowerBI, using the Organizational account authentication mode.

Safe Harbor

Rampiva considers ethical hacking activities conducted consistent with the Bug Bounty Program description and restrictions (the Terms) to constitute “authorized” conduct under criminal law. Rampiva will not pursue civil action or initiate a complaint for accidental, good faith violations, nor will they file a complaint for circumventing technological measures used by us to protect the scope as part of your ethical hacking activities.

If legal action is initiated by a third party against you and you have complied with the Terms, Rampiva will take steps to make it known that your actions were conducted in compliance and with our approval.

If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please submit a report before going further.

Acknowledgements

See the Acknowledgements page.