
Bug Bounty

Interested in helping NestForms improve security?

At NestForms we take the security of our service very seriously. We regularly run tests and security checks on our systems to ensure we are operating within acceptable parameters, including security audits and penetration testing of our public platforms.

As part of our approach to maintaining a secure service, we run a bug bounty program that is open to the public. We would be very pleased to hear from you if you have discovered a vulnerability or threat to the NestForms platform, and we reward researchers whose findings improve the security of NestForms. The award is based on the severity of the issue and how critical the affected functionality is.


Severity level #

For those who have taken the time to report potential vulnerabilities in our platform, we pay a bounty loosely based on the following pricing template:

Critical  €800.00
High      €200.00
Medium    €100.00
Low        €40.00

Bug Bounty Rules #

When you are testing, please follow these rules:

  1. Any testing must be limited to a maximum of one request per second, to avoid overloading the NestForms service.
  2. We do not allow bug bounty hunters to download database content. A list of the tables is sufficient as proof of concept.
  3. You will need to create a NestForms account to test the service. Always include “BugBounty” in the name when registering so that we can link the account to the Bug Bounty program.
  4. We do not accept bugs that affect outdated browsers, user agents or app versions.
  5. The primary focus of the NestForms Bug Bounty program is the nestforms.com, www.nestforms.com and s3-eu-west-1.amazonaws.com/files.nestforms.com domains only.
    Depending on the circumstances, we may accept bounty reports for related domains (staging.nestforms.com, analytics.nestforms.com, ...), but it must be stressed that they are not the primary focus of the Bug Bounty program and do not contain critical client data. As a result, the bounties accepted for them are lower than for bugs found and reported on the main domains. NestForms accepts no responsibility for third party services associated with NestForms.com.
  6. For the protection of our customers, NestForms asks that you do not post or share any data regarding a potential vulnerability on public platforms until NestForms has investigated and addressed the reported issue and informed customers where needed.
  7. We require that you operate within the guidelines of our Terms & Conditions.
  8. Always use email addresses that belong to you. Violating this rule may result in a reduced bounty, or no bounty at all, because of the potential damage to our business.


Reports excluded from the Bug Bounty program #

We are aware of several niche areas that might be considered vulnerabilities, but as our service is narrow in focus, the following scenarios are not considered bugs or vulnerabilities in NestForms, so please do not report them:

  1. Denial of Service (DoS) attacks.
  2. Distributed Denial of Service (DDoS) attacks.
  3. Any variant of Phishing or Social Engineering.
  4. Any physical action outside the realm of a web based attack.
  5. Rules restricting the free account on downgrade. It is our business decision to make upgrading again smooth, so for a short period we allow users to keep using more resources than the free plan provides (e.g. the number of shared relations within a form, already uploaded images, or responses that already exist in their master account).
  6. Finding the ID of any record without revealing any private information, updating or deleting the record.
  7. Double extension uploaded files without proof of exploit.
  8. Lack of email validation. It is our business decision to allow any user to create an account without email confirmation in order to keep the service simple to use.
  9. More precise messages about whether an email address already exists in our database (in forgot password, registration, etc.) are a NestForms business decision. We limit the number of attempts on these functions, which effectively blocks enumeration of our database. A similar approach is taken by Google.
  10. Third party software that may be associated with NestForms (e.g. analytics.nestforms.com); we are not responsible for it.
  11. The Android or iOS NestForms apps.

How to submit a bug report #

Please review the guidelines below; they will help you submit an effective bug report:

  • Give a short, clear description summarising the issue you have found.
  • Explain how you uncovered and exploited the issue.
  • Provide proof of how the issue can be exploited against the NestForms platform.
  • Describe the impact: how an attacker could exploit the reported issue and how it would affect our operations.
  • Include any other information and attachments, such as screenshots or videos showing the threat or vulnerability, that you consider helpful.
  • Any information you believe pertinent regarding the device or platform is welcome.

The guidelines above are not comprehensive, and the awarding of bounties depends very much on how accurately the vulnerability is reported. Please be precise in your submission: issues take time to investigate, and reports that are unclear or vague may not be considered.

To submit a report, please use the secure submission channel described in /.well-known/security.txt on our website, or alternatively our contact form.
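A /.well-known/security.txt file follows the RFC 9116 format. The file below is an added, constructed illustration of what such a file contains; it is not NestForms' actual security.txt, and every address, URL and date in it is a placeholder:

```text
# Constructed example of an RFC 9116 security.txt (not NestForms' own file).
# Contact and Expires are the only mandatory fields; the rest are optional.
Contact: mailto:security@example.com
Contact: https://example.com/contact-form
Expires: 2025-12-31T23:59:59.000Z
Encryption: https://example.com/pgp-key.txt
Acknowledgments: https://example.com/bug-bounty
Policy: https://example.com/bug-bounty
Preferred-Languages: en
Canonical: https://example.com/.well-known/security.txt
```

The file must be served over HTTPS at the /.well-known/security.txt path; the Canonical field lets a researcher confirm they fetched it from the intended location, and the Expires date tells them whether the contact details are still current. Reports containing exploit details should be encrypted with the key published under Encryption before being sent to the Contact address.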


What to expect from NestForms #

  1. We will acknowledge receipt of your submission as soon as possible.
  2. We will not be able to reward reported findings immediately, as we first have to carry out our own investigation into the issue. We always aim to respond within one week.
  3. We award only one bounty per reported issue.
  4. If there are multiple submissions on the same issue, the first clear bug report receives the finder's award.
  5. To receive a bounty, you must reside in a country that is not on any official sanction list (e.g. Cuba, Iran, North Korea, Sudan and Syria). NestForms reserves the right to cancel or amend the bug bounty program. Whether or not to pay an award is at our discretion.
  6. Please be patient once you have submitted your report. We make every effort to check all reports very carefully. Depending on levels of activity, it can take between 1 and 5 working days for our team to respond to your submission; the same applies to any follow-up email thread. Excessive follow-up emails may result in a reduced bounty because of the additional workload for our support team. However, if we have not responded within 7 days, do resend your request.
  7. When we confirm the reported vulnerability and assign the associated bounty amount, we will ask you for your bank account details so that we can transfer the money by international electronic payment. Payment usually arrives within 14 days of NestForms confirming the vulnerability.

Hall of Fame #

We are grateful for the assistance given by the following Bug Bounty Hunters:

Ashish Sharma, December 2021
Ability to share a form with a non-relation on the relations page. Ability to promote relations without prior approval. Inability to delete an uploaded image via a web response. Free plan users could create a new user group.

December 2021
Display of the username of an unrelated user. Ability to manipulate Custom DB group data without permissions. Disclosure of an unrelated form name in the Trigger save error message. Ability to insert charts and filter settings into an unrelated account. Display of unrelated notifications. Disclosure of an internal server path in an error message.

Virang Rajyaguru, December 2021
Sanitise the page query parameter on the API example domain.

Ashish Sharma, November 2021
Disable empty scope in OAuth validation.

Sajibe Kanti, November 2021
Image preview with excessive size potentially leading to denial of service. Enforce a new password when changing the old password. The msg query parameter should be ignored.

November 2021
phpMyAdmin viewable on the frontend.

Darshan Jogi, November 2021
Ability to override a cookie based on a URL parameter.

Rohan Agarwal, September 2021
Apps incorrectly managing invalidated tokens.

September 2021
Sanitise the user forename in emails sent by NestForms.

October 2021
Ability to send invitation and forgotten password emails over the approved limit. Create a new page to manage all current connections (web and app).

October 2021
Add a CAA DNS record for the nestforms.com domain. Apply DNSSEC to the nestforms.com domain. Strip https:// from the invitation email, as Gmail displays it as a link. Apply the X-Content-Type-Options header.

Sai Teja, October 2021
Possible to brute-force guess an email address from the registration page without JavaScript.

Amaranath Moger, October 2021
Guessable filenames in cache_reports.

Aniket Deshmane, October 2021
HTML injection into the page from the URL on the Reports page. Staging server displayed directory listings and log files.

Krishna Chaitanya N, September 2021
Logout should be a POST request. Applied HTTP_ACCEPT header checking.

Prajit Sindhkar, September 2021
Found accessible ports on the analytics.nestforms.com domain.

Swapnil Bobale, October 2021
Domain analytics.nestforms.com must force the HTTPS protocol. Added a Content Security Policy and the Secure cookie flag on analytics.nestforms.com. Force an HTTP redirect on the NestForms IP address.

October 2021
Avoid 1-to-1 use of personal information as the account password.

Aniket Deshmane, September 2021
Ability to change the brand image. Remove EXIF information from uploaded files.

Darshan Jogi, September 2021
Files that should not be accessible displayed on the API test domain. Apply the HSTS headers correctly and add NestForms to the hstspreload.org list. Ability to brute-force the password while logged in. Review the password reset code expiration on email change. A class that looks like an ID appearing in the HTML source code. Generated thumbnails not deleted together with their files (e.g. profile images). Add password protection to account deletion.

Adnankhan Pathan, September 2021
Ability to save and display VIP without paying for a Premium account. Ability to create a Trigger or Custom DB on smaller subscriptions. Redirect of the user to an incorrect domain after API remote login.

Anirudh Makkar, July 2021
Found a loophole allowing more forms to be created than the plan should allow, which also affected Triggers and the Custom DB import. File uploads not limited within a short period of time. Discovered guessable URLs for images.

Ronit Bhat, June 2021
Redirect after login should not lead to any domain other than NestForms.

Kader Mouaz, June 2021
Forename as HTML, exploited by sending the confirmation email. Vue HTML injection in the fill page (when the form owner edits a response from the responder). Android app: security keys need to be fully encrypted.

Pratik Khalane, July 2021
Potential to spam users with the forgotten password email.

Virendra Tiwari, June 2021
Email domain to be secured with DMARC. The staging server displaying the Apache version.

Deepak Sharma, June 2021
Found how to steal a cookie in our mail support platform via the Contact us form.

Daksh Bhayana, June 2021
Found a potential XSS vulnerability on the sitemap page.

Anirudh Makkar, June 2021
Found a bug that allowed users to submit an invitation email that included HTML. Found an unrestricted Google Maps API key, a potentially dangerous CSV injection when exporting responses, and HTML injection in the msg request parameter.

Pratik Khalane, June 2021
Found several URL links in Sitemanager and on the staging server that should not have been available to public visitors.

Prajit Sindhkar, May 2021
Found a bug with potential account takeover via the forgot password function, a related bug with the forgot password function sending too many emails, and a potential flaw in changing the password.

Romel Lanza, August 2020
Found a bug in managing member groups: reading and deleting groups without permissions.

July 2020
Issues with uploading an XLSX Custom DB file that could be processed by PHP scripts.

July 2020
Issues with SQL injection in the Relations page.