Bug Bounty

Interested in helping NestForms improve security?

At NestForms we take the security of our service very seriously. On a regular basis we perform many tests and security checks on our systems to ensure we are operating within acceptable parameters. This includes security audits as well as penetration testing of our public platforms.

As part of our approach to maintaining a secure service, we have put in place a bug bounty program that is open to the public. We would be very pleased to hear from you if you have discovered any vulnerabilities or threats to the NestForms platform, and we are happy to reward those whose discoveries improve the security of NestForms. The award is based on the level of threat and how critical the problem is.


Severity level

For those who have taken the time to reveal potential vulnerabilities within our platform, we will pay a bounty loosely based on the following pricing template:

Critical: €800.00
High: €200.00
Medium: €100.00
Low: €40.00

Bug Bounty Rules

When you are testing, please follow these rules:

  1. Any testing must be limited to a maximum of one request per second to prevent the potential overload of the NestForms service.
  2. We do not allow BugBounty hunters to download database content. A list of the tables is enough for proof of concept.
  3. You will need to create a NestForms account for testing the service. Always add “BugBounty” as part of the name when registering to confirm your link to the Bug Bounty program.
  4. We do not accept bugs that affect outdated browsers, user agents or app versions.
  5. The primary focus of the NestForms Bug Bounty program applies to nestforms.com, www.nestforms.com and s3-eu-west-1.amazonaws.com/files.nestforms.com domains only.
    We may (depending on circumstances) accept bounty reports for related domains (staging.nestforms.com, analytics.nestforms.com, ...), but it must be stressed that they are not the primary focus of the Bug Bounty program and do not contain critical client data. As a result, the accepted bounties are lower than for bugs found and reported on the main domains. NestForms does not include or accept responsibility for any third party associations with NestForms.com.
  6. For the protection of our customers, NestForms requests that you do not post or share any data regarding potential vulnerabilities on other public platforms until NestForms has investigated, researched, responded to and addressed the reported vulnerability, and informed customers if needed.
  7. We require that you operate within the guidelines of our Terms & Conditions.
  8. Always use email addresses that belong to you. Violating this rule may result in a reduced bounty or no bounty at all, due to the potential damage to our business offering.
  9. Our Staging server has disabled sending emails, therefore some of the features are not available (e.g.: invite members by email, email triggers, forgot password, confirm email, etc.).

Reports excluded from the Bug Bounty program

We are aware of several niche areas that might be considered vulnerabilities, but as our service is narrow in focus, the following scenarios are not considered a bug or vulnerability in NestForms, so please do not report these issues:

  1. Denial of Service (DoS) attacks.
  2. Distributed Denial of Service (DDoS) attacks.
  3. Any variant of Phishing or Social Engineering.
  4. Any physical action outside the realm of a web based attack.
  5. Rules restricting the free account on downgrade. Our business decision is to make it smooth to upgrade again, so we allow users to use more resources than are available on the free plan for a short period of time, e.g. the number of shared relations within a form, already uploaded images, or responses that already exist in their master account.
  6. Finding the ID of any record without revealing any private information, updating or deleting the record.
  7. Double extension uploaded files without proof of exploit.
  8. Not validating email addresses is a business decision: we allow any user to create an account without email confirmation in order to maintain simplicity of use.
  9. More precise messages about whether an email address already exists in our database (within forgot password, registration, etc.) are a NestForms business decision. We limit the number of attempts for these operations, which effectively blocks scanning of our database. A similar approach is applied by Google as well.
  10. We are not responsible for third party software that may or may not be associated with NestForms (e.g. analytics.nestforms.com).
  11. Any unrelated vulnerabilities that cannot be exploited within the NestForms platform.
  12. Android or iOS NestForms app.

How to submit a bug report

Please review our guidelines below in order to assist you when submitting an effective bug report:

  • Give a short, clear description summarising the issue you have found.
  • Information on how you uncovered and exploited the issue.
  • Proof of how the issue can be exploited to work against the NestForms platform.
  • Please describe the impact of how an attacker could exploit the reported issue in order to show how it would affect our operations.
  • Any other information and attachments such as screenshots or videos showing the threat or vulnerability that you would consider helpful.
  • Any information you believe pertinent with regards to device or platform is welcome.

The guidelines above are not comprehensive, and the awarding of bounties is very much based on how accurate the report of the vulnerability is. So please remember to be precise in your submission; it can take time for issues to be investigated, so reports that are unclear or vague may not be considered.

For submission, please use the secure submission channel described in .well-known/security.txt on our website. Alternatively, you can use our contact form.


What to expect from NestForms

  1. We will acknowledge receipt of your submission as soon as possible.
  2. We will not be able to reward any reported findings immediately, as we will have to carry out our own investigation into the issue. We always aim to respond within one week.
  3. We can only award one bounty per issue reported.
  4. If there have been multiple submissions on the same issue, the first clear bug report will receive the finder's award.
  5. To receive a bounty, you must reside in a country that is not on any official sanction list (e.g., Cuba, Iran, North Korea, Sudan & Syria). NestForms reserves the right to cancel or amend the bug bounty program. It is at our discretion whether or not to pay an award.
  6. Please be patient once you have submitted your report. We make every effort to check all reports very carefully. Depending on levels of activity, it can take between 1-5 working days for our team to respond to your submission. The same applies to any follow up email thread. Excessive follow up emails may result in a reduced bounty due to the additional workload for our support team. However, if we have not responded within 7 days, do resend your request.
  7. When we confirm the reported vulnerability and assign the associated bounty amount, we will ask you to provide your bank account in order to transfer money via electronic international payment. Payment will usually appear within 14 days of vulnerability confirmation by NestForms.

Hall of Fame

We are grateful for the assistance given by the following Bug Bounty Hunters:

Name / Date / Bug Description
Tushar Vyas
October 2024
HTML injection within the Quick Links manage lightbox. Potential attackers could view Quick Links of other users. Form Trigger save incorrectly validated Form permissions, allowing a Trigger to be injected. Session was not refreshed correctly if the user removed the Form Edit permission from themselves. Export settings had inconsistent permissions. Trigger detail was visible in the API response.
Kunal Rajendra Patil
September 2024
Form builder did not force login when the user had logged out but navigated back within the browser. Missing account deletion email; other sessions should be notified of the account deletion.
callgh0st
September 2024
Member cached storage size was not decremented when removing response. Old Event editor incorrectly displayed the form as deleted. Some old users still had @ in the username. Help page incorrectly described Responder access as editable. Incorrectly cached value for response file upload permission. Shared forms page displayed certain data that the responder should not be able to see. After reverting a deleted form, images remained marked as deleted.
callgh0st
August 2024
Users cannot restore a relation if both send an ignore request. A user registered by another user should not be discoverable until the user logs in. Deleted members visible when sharing forms. Shared forms from deleted users are still visible.
callgh0st
July 2024
Cached storage size incorrectly changed when removing response image. Group Admin can add a removed relation to master account. Potential ability to scan users using email domains and last letters of the email name. Cached storage size incorrectly changed if all files are removed. Relation groups can be assigned after trial expires. Removed group admin can still promote relations to master account.
Tushar Vyas
July 2024
Html injection in VIP trusted domains error message.
Suraj Gupta
June 2024
Certain user details could be externally available through a potential data breach.
callgh0st and Sumit
June 2024
File upload incorrectly validates form permissions. File upload incorrectly validates inactive form.
Suvendu Dash
June 2024
Brand save rate limit not applied correctly. Limit not enforced for triggers. Old Events not checking maximum number of responses.
Mohammed Athif
April 2024
File upload ignores validation rules.
pushpraj patil
April 2024
Missing proper value validation when editing response items.
Rajeev Suyambu
April 2024
After finish text HTML injection was possible because src was not validated. Response for public form can be edited after submission as long as the token is valid.
Darshan Jogi
March 2024
VIP Sections trusted domains do not have limits. Password can be changed to be the same as username if username and email do not match.
Soham Gidwani
March 2024
Member with only Form Edit permissions could self elevate permissions. Delete custom PDF definition from other users. Responder with edit access can edit other response items. Ability to delete CustomDB groups of other users. API does not correctly validate responder access.
Tushar Vyas
March 2023
HTML injection in Custom DB match merge filter. HTML injection in Trigger email error message.
Deepak Kumar
March 2024
Finish screen custom public link url and public link delay not sufficiently validated.
Manthan Mahale
March 2024
Group Approve results permission incorrectly validated.
Rajeev Suyambu
January 2024
Reflected XSS in settings_excel_export_flat when CSP is disabled. Email verification token visible in members_emails requests.
Christian Guavez
December 2023
README.md can be accessed from the web.
Suvendu Dash
December 2023
Add additional CORS headers.
Christian Guavez
December 2023
Limit string lengths for texts within the Response Fill.
Rushikesh Kaware
December 2023
Archived forms should not be answered.
Rajeev Suyambu
November 2023
Activation tokens visibility discovered during Triggers save.
Animesh Mallick
October 2023
XSS over Request filter parameter on Reports page.
Dipak khobarkhede
October 2023
Ability to accept rejected friendship without rights. Edit a response after Responder edit was revoked.
Bhargav Hede
October 2023
Disclose hidden response field content to client. Client should not see Response log changes.
Rajeev Suyambu
October 2023
Self DB HTML/XSS injection in event creation page. Send test trigger email to an unverified email address. Self DB HTML injection within Trigger list.
Bhargav Hede
September 2023
Confirm friendship when updating the Response name. Hide debug information when saving a response. Ability to set form.dispatch_edit member without permissions for Dispatches.
Yogesh Bhandage
September 2023
Validation of notifications set as read. Responder should not be able to edit rejected responses. Limit number of created responses. Only admins can change the form status. Show edit options displayed private form information without permissions.
Sachin Kalkumbe
September 2023
Applied new settings for the TLS-RPT email reporting.
Amol Verma (Dingus)
September 2023
HTML injection discovered in api/authorize. Access control to Custom DB file upload to be applied.
Vibhor Sharma
August 2023
A small sample of user details were intercepted on phonebook.cz.
Rajeev Suyambu
August 2023
Self DB HTML injection discovered within the PDF export image, Trigger list and Custom PDF Builder Tree view. Potential ability to delete custom PDF definitions of other users.
Rajeev Suyambu
July 2023
HTML injection in Brand VIP area. Self HTML injection in send VIP email. HTML injection in Assign Member to a group popup. Ability to read form definition from imported excel. Access to unshared form detail (api). Relation had access to url_access_hash & password through api. VIP Area: ZIP files from non-approved responses. Prevent clone_hash spoofing in Form Builder. Self DB HTML injection within form name. Apply CSRF token to CustomDB import.
Yogesh Bhandage
July 2023
Invitation and Trigger emails are missing a canonical email check (+1@gmail.com). Ability to delete a relations brand image.
Yogesh Bhandage
June 2023
Update access_limit in realtime for responses that are over the limit. Finished responses should not be deleted directly.
Roshan Bhosle
May 2023
Activation tokens should not be displayed in the back end.
Yogesh Bhandage
May 2023
Rejected friendship should not be able to submit a response. Deleted forms should not be able to submit a response.
Ashutosh Rimal
May 2023
Secure iframes for VIP Section.
Mr. Sahil Relekar
May 2023
Ability to display and undelete the custom DB.
Bhargav Hede
May 2023
Resending a different Name of the Response does not display the log icon. API access should be blocked for free users. Breaking JSON structure on POST could potentially reveal some internal paths in the error message.
Shivam Kumar Singh
February 2023
Takeover session from email management system.
Nikhil Kumar
February 2023
VIP Access export response to Word without approval. Responder with Read access can see responses outside permissions.
Suvendu Dash
February 2023
Add rate limit on change email facility to prevent spamming.
Uddeshaya Srivastava
February 2023
Disallow ampersands from forename and surname.
Tushar Vyas
January 2023
api-example - cannot update custom DB. Event deletion misleading message.
Tarun Garg
January 2023
Edit profile only via POST requests.
Pratik Suresh Karan
January 2023
Inject trigger to victim account. Update validation of Form url access hash.
Chetan Rajpurohit
December 2022
MS Excel potential hack using Custom DB export.
Rajeev Suyambu
December 2022
HTML injection form edit autocapture autocomplete.
Manthan Mahale
December 2022
Ability to add a section to a related form without permission. Image gallery managing over quota images.
Tushar Vyas
September 2022
Ability to update Custom DB filter when custom DB is already deleted. Rename Privacy Status to Discoverability. Event page potential fill after unsharing the member. Ability to save an already existing VIP url hash. Force user to change password after first login. HTML injection in Custom DB charts. HTML injection in api-example domain.
Veerla Saikumar
September 2022
XSS token in application delete request to be sent via POST. Limit the character length on Chart settings.
Manthan Mahale
September 2022
Typo in HTTP Header Feature-Policy. Footer registration form not working correctly. Unauthorised read access to Responses within a shared form. Ability to approve Responses within groups without permission.
Rushikesh Kaware
August 2022
Proposed local storage encryption enhancements.
Ei Thwe
August 2022
Inform original email address when changing the email. Sanitise profile on save to session.
Mr. Sahil Relekar
August 2022
Ability to delete the custom DB item from victim.
Tushar Vyas
August 2022
HTML Validate form excel import. HTML Validate Custom DB table import. HTML Validate Flat Export settings. displayMessage(): HTML Injection via crafted response name on the Fill Page Finish & New. Form setting custom url_access_hash without checks for existing ones. Deleted form should not be cloned. Ability to see the form name via the event_id.
Suvendu Dash
August 2022
Missing Secure flag on session cookie connect.sid on the analytics domain.
Uddeshaya Srivastava
August 2022
Change email contained confirmation link to new email address.
Manthan Mahale
August 2022
Force a refresh of the member session when changing groups. Displayed ability to modify Responses outside the group (when having group_approve_results).
Shreyas Koli
July 2022
Disable uploading files for finished web responses.
Veerla Saikumar
July 2022
Hide PHPMailer version from emails. When validating a field for multiple errors, stop after the first error. Above the fold clickjacking. FTP version and OS name disclosure on analytics IP.
Ashish Sharma
July 2022
Free subscription allowed form items to be added in excess of the limit. Library files should not be private until shared. API - Custom DB data without fully checking permissions. Bruteforce signature and audio uploaded via website. API application available to user types outside their subscription base. Responder permission access needs to be fully checked on response level.
DilipKumar
June 2022
Newsletter subscribe with user code.
ashwani kutiyal
June 2022
Email verification code doesn't change if used within the same email.
Tushar Vyas
June 2022
Deleted responses on the responses page could potentially lead to HTML injection via the Response name.
Zweizack
June 2022
XSS on custom PDF.
Suvendu Dash
June 2022
Limit maximum amount of characters for Member group notes. Limit number of lines in the invitation email. Set new rate limit for changing username. VUE potential plugin vulnerability. CSP header missing the base-uri. CSP & Permission Policy Missing on analytics. Missing Secure or HTTPOnly Cookie Flag Session on staging. Server Version Number Disclosing on staging. Exposed Server software version - Error pages. Staging was sending emails when it should not. Staging SSL Certificate.
Dhruvin Shah
June 2022
Tabnabbing
Manthan Mahale
March 2022
START TRIAL NOW button should display a register popup page. When forgot password has processed, partially clear the login rate limit for that account.
Ali
May 2022
Excessive length usernames jumping below the right column on the profile page.
Yash
May 2022
Analytics should not appear on the IP only.
Ashutosh Nath Rimal
May 2022
Prevent the registration @anything.nestforms.com email addresses. Check permissions before downloading cache reports. Open Google API key was presented in the javascript comments.
Sai Teja
May 2022
Add a rate limit for the approve_members_emails function.
Shreyas Koli
May 2022
Block registration of something@NestForms.com email. Username - server validation for invalid characters. Disable autocomplete for Branding password. Securing username when inviting a relation. Enhance member groups validation. Reopening a mutually rejected friendship - invalid statuses. Server side validation for the Form fill page. Potential deletion of a finished response by a responder. A responder could potentially update a finished response. Discovered a potential threat of spamming within instant trigger emails.
Deepak Kumar
May 2022
Setting FTP - XSS iframe. Potentially insecure wordpress installation.
Raajesh - Infoziant Security
May 2022
Add sp for subdomains into DMARC.
Dhruvin Shah
April 2022
Api / members - hiding emails (and username) when invitation sent.
Manthan Mahale
April 2022
Re-enabling a relationship could potentially assign more shares to a form over the set limit. Ability to heavily misuse the form count by closing and opening forms. Update the message about deleting forms. Brand VIP send email bug. Limit phone number to valid characters.
Ashutosh Rimal
April 2022
Restricting the rate limit on password resending instructions.
Ranjeet (geekboyranjeet)
May 2022
Inject html to self in a trigger validation email.
S Rahul (@7srambo)
April 2022
CURL request on 404 html reflection. Disable weak TLS 1.2 Cipher Suites. Fix styles for the “remove czech diacritics” page.
Vasanth (vasi)
April 2022
Prevent registration of @nestforms.com email addresses.
TechMedia YT
April 2022
Registration email is not sending the username.
Veerla Saikumar
March 2022
Blocking a user from reusing a session in a different browser.
Manthan Mahale
March 2022
Profile change username remove ajax validation. Revoked relation could not revoke. Staging server does not downgrade the account. Password protection on account undelete. Apply proper limits in sharing events and edit member groups. Ability to share events with non related members. Impossible to reactivate a form when on the form limit count. Staging site missing pages for changing username, email, password. Incorrect delete account date calculation on profile page. Refresh session when permissions are changed.
Anumula Naveen Kumar
March 2022
Some older profile files identified with guessable URLs.
Yogesh Bhandage
March 2022
Bruteforce password check without rate limit.
Ali
March 2022
Found unrestricted API Keys.
Uddeshaya Srivastava
March 2022
SPF to be set as -all instead of ~all.
Gunda Shiva Kumar
March 2022
Reset Password can compromise an account after a password change. Contact form - cache control. Limit message characters on Invitation form and Contact us form.
Gaurav Dalal
February 2022
Remove metadata within PNG Files.
Roshan Bhosle
February 2022
Registration account takeover when username and email differs. Prevent using email as the username.
bug hunter 5213
February 2022
Inform the user by email when changing the password. Content spoofing on contact us via What-s-this-about.
Darshan Jogi
January 2022
Password input field should have autocomplete=off
Kshitiz Raj
January 2022
Potential open location redirect after login.
Fauzi Bariq Mahya
January 2022
Repeating the request to oauth blocks the user from displaying the profile page.
Mahendra Mahale
January 2022
Missing rate limit on change username and email in profile page.
Manthan Mahale
January 2022
Ability to unlock the custom DB feature on a free account. Ability to share my relation to an unrelated form. Push custom text to payment type in contact email. Ability to send an invitation to users based on ID. Restrict the name of the sender in trigger email invitation email. Ability to share form with non relation. Free subscription user should not share permissions for group_approve_results. Staging server did not allow the file upload. Proof of allowing a trial user to unlock additional paid modules.
Phyo Ko
January 2022
Limit the password length within forgot password.
Ashish Sharma
January 2022
Brute force scanning API relations files. Ability to see the form structure via the old event fill page.
Ashish Sharma
December 2021
Ability to share the form with a non relation in the relations page. Ability to promote relations without prior approval. Cannot delete an uploaded image via web response. Free plan users could create a new user group.
Hakerbaya
December 2021
Display the username of an unrelated user. Ability to manipulate Custom DB group data without permissions. Disclose an unrelated form name in the Trigger save error message. Ability to insert charts and filter settings to an unrelated account. Display unrelated notifications. Disclosure of internal server path in error message.
Virang Rajyaguru
December 2021
Sanitize the page query parameter on the api example domain.
Ashish Sharma
November 2021
Disable empty scope for oauth validation.
Sajibe Kanti
November 2021
Image preview with excessive size potentially leading to Denial of Service. Enforce a new password when changing old password. msg query parameter should be ignored.
Himanshu
November 2021
phpmyadmin viewable on frontend.
Darshan Jogi
November 2021
Ability to override cookie based on the URL parameter.
Rohan Agarwal
September 2021
Apps incorrectly managing invalidated tokens.
Aryan
September 2021
Sanitize the user forename in the emails submitted by NestForms.
Rishabh
October 2021
Ability to send invitation email and forget password email over the approved limit. Create a new page to manage all current connections (web and app).
Abdeali
October 2021
Add CAA DNS record for domain nestforms.com. Apply DNSSEC for nestforms.com domain. Strip https:// from invitation email as gmail is displaying as a link. X-Content-Type-Options needs to be applied
Sai Teja
October 2021
Possible to bruteforce a guess email from the Registration page without javascript.
Amaranath Moger
October 2021
Guessable filenames in cache_reports.
Aniket Deshmane
October 2021
Page HTML injection from URL on Reports page. Staging server displayed the directories and log files.
Krishna Chaitanya N
September 2021
Logout should be a POST request. Applied HTTP_ACCEPT header checking.
Prajit Sindhkar
September 2021
Found accessible ports on the analytics.nestforms.com domain.
Swapnil Bobale
October 2021
Domain analytics.nestforms.com has to force https protocol. Added a Content Security Policy and SSL cookies secure flag on analytics.nestforms.com. Force a http redirect on NestForms IP Address.
Kunal
October 2021
Avoid 1-to-1 usage of personal information as the account password.
Aniket Deshmane
September 2021
Ability to change the brand image. Remove EXIF information from the files.
Darshan Jogi
September 2021
Displaying files that should not be accessible on the API test domain. Apply correctly the HSTS headers and add NestForms to the hstspreload.org site. Ability to guess the password when logged in using bruteforce. Review the Password Reset code expiration on email Change. Appearance of a class that looks like ID in the HTML source code. Generated thumbnails that are not deleted with files (eg profile images). Add the password protection on account deletion.
Adnankhan Pathan
September 2021
Ability to save and display VIP without paying for Premium account. Potential to create a Trigger or Custom DB on smaller subscriptions. Redirect user to incorrect domain after API remote-login.
Anirudh Makkar
July 2021
Found a loophole in creating more forms than the plan should allow, which also affected Triggers and the custom DB import. Not limiting file uploads within a short period of time. Discovered a potentially guessable URL for images.
Ronit Bhat
June 2021
Redirect after login should not display any other domain other than NestForms.
Kader Mouaz
June 2021
Forename as HTML + exploit via sending the confirmation email. VUE HTML injection in fill page (when the Form owner edits a response from the Responder). Android app - security keys need to be fully encrypted.
Pratik Khalane
July 2021
Potentially spamming users with the forgot password invitation email.
Virendra Tiwari
June 2021
Email domain to be secured with DMARC. The staging server displaying the Apache version.
Deepak Sharma
June 2021
Found how to steal a cookie in our mail support platform via Contact us form.
Daksh Bhayana
June 2021
Found a potential XSS vulnerability in the site map page.
Anirudh Makkar
June 2021
Found a bug that allowed users to submit an invitation email that included HTML. Found an unrestricted Google Maps API key, a potentially dangerous CSV injection while exporting responses, and HTML injection in the msg request parameter.
Pratik Khalane
June 2021
Found several URL links in Sitemanager and staging server that should not have been available to public visitors.
Prajit Sindhkar
May 2021
Found a bug with a potential account takeover when using the forgot password function, a related bug with the forgot password function sending too many emails, and a potential flaw with changing password.
Romel Lanza
August 2020
Found a bug with managing members groups - reading and deleting groups without permissions.
Captes
July 2020
Issues with uploading XLSX custom DB file that could be processed by PHP scripts.
Captes
July 2020
Issues with SQL injection in the Relations page.