Interested in helping NestForms improve security?
At NestForms we take the security of our service very seriously. On a regular basis we perform many tests and security checks on our systems to ensure we are operating within acceptable parameters. This includes security audits as well as penetration testing on our public platforms.
As part of our approach to maintaining a secure service, we have put in place a bug bounty program that is open to the public. We would be very pleased to hear from you if you have discovered any vulnerabilities or threats to the NestForms platform. We are also happy to reward those who discover a bug or vulnerability that improves the security of NestForms, and we pay an award based on the level of threat and how critical the problem is.
Severity level #
For those who have taken the time to reveal potential vulnerabilities within our platform we will pay a bounty loosely based on the following pricing template:
Severity | Bounty |
---|---|
Critical | €800.00 |
High | €200.00 |
Medium | €100.00 |
Low | €40.00 |
Bug Bounty Rules #
When you are testing, please follow these rules:
- Any testing must be limited to a maximum of one request per second to prevent the potential overload of the NestForms service.
- We do not allow BugBounty hunters to download database content. A list of the tables is enough for proof of concept.
- You will need to create a NestForms account for testing the service. Always add “BugBounty” as part of the name when registering to confirm your link to the Bug Bounty program.
- We do not accept bugs that affect outdated browsers, user agents or app versions.
- The primary focus of the NestForms Bug Bounty program is the nestforms.com, www.nestforms.com and s3-eu-west-1.amazonaws.com/files.nestforms.com domains only. Depending on circumstances, we may accept bounty reports for related domains (staging.nestforms.com, analytics.nestforms.com, ...), but it must be stressed that they are not the primary focus of the Bug Bounty program and do not contain critical client data. As a result, bounties accepted for them are lower than for bugs found and reported on the main domains. NestForms does not include or accept responsibility for any third party associated with NestForms.com.
- For the protection of our customers, NestForms requests that you do not post or share any data regarding potential vulnerabilities on other public platforms until NestForms has investigated, responded to and addressed the reported vulnerability, and informed customers if needed.
- We require that you operate within the guidelines of our Terms & Conditions.
- Always use email addresses that belong to you. Violations of this rule may result in a reduced bounty, or no bounty at all, due to the potential damage to our business offering.
- Email sending is disabled on our staging server, so some features are not available there (e.g. invite members by email, email triggers, forgot password, confirm email, etc.).
Reports excluded from the Bug Bounty program #
We are aware of several niche areas that might be considered vulnerabilities, but as our service is narrow in focus, the following scenarios are not considered a bug or vulnerability in NestForms, so please do not report them:
- Denial of Service (DoS) attacks.
- Distributed Denial of Service (DDoS) attacks.
- Any variant of Phishing or Social Engineering.
- Any physical action outside the realm of a web based attack.
- Rules restricting the free account on downgrade. Our business decision is to make it smooth to upgrade again, so we allow users to use more resources than are available in the free plan for a short period of time, e.g. the number of shared relations within a form, already uploaded images, or responses that already exist in their master account.
- Finding the ID of any record without revealing any private information, or updating or deleting the record.
- Double extension uploaded files without proof of exploit.
- Not validating email addresses is a business decision: we allow any user to create an account without email confirmation in order to keep the service simple to use.
- More precise messages on whether an email already exists in our database (within forgot password, registration, etc.) are a NestForms business decision. We limit the number of attempts in these flows, which effectively blocks scanning of our database. A similar approach is applied by Google as well.
- We are not responsible for third party software that may or may not be associated with NestForms (e.g. analytics.nestforms.com).
- Any unrelated vulnerabilities that cannot be exploited within the NestForms platform.
- Android or iOS NestForms app.
How to submit a bug report #
Please review our guidelines below in order to assist you when submitting an effective bug report:
- Give a short, clear description summarising the issue you have found.
- Information on how you uncovered and exploited the issue.
- Proof of how the issue can be exploited against the NestForms platform.
- A description of the impact: how an attacker could exploit the reported issue and how it would affect our operations.
- Any other information and attachments, such as screenshots or videos showing the threat or vulnerability, that you consider helpful.
- Any information you believe pertinent with regard to device or platform is welcome.
The guidelines above are not comprehensive, and the awarding of bounties is very much based on how accurately the vulnerability is reported. So please remember to be precise in your submission: it can take time for issues to be investigated, and reports that are unclear or vague may not be considered.
For submission, please use the secure submission channel described in .well-known/security.txt on our website. Alternatively, you can use our contact form.
What to expect from NestForms #
- We will acknowledge receipt of your submission as soon as possible.
- We will not be able to reward any reported findings immediately, as we will have to carry out our own investigation into the issue. We always aim to respond within one week.
- We can only award one bounty per issue reported.
- If there have been multiple submissions on the same issue, the first clear bug report will receive the finder's award.
- To receive a bounty, you must reside in a country that is not on any official sanction list (e.g., Cuba, Iran, North Korea, Sudan & Syria). NestForms reserves the right to cancel or amend the bug bounty program. It is at our discretion whether or not to pay an award.
- Please be patient once you have submitted your report. We make every effort to check all reports very carefully. Depending on levels of activity, it can take between 1 and 5 working days for our team to respond to your submission. The same applies to any follow-up email thread. Excessive follow-up emails may result in a reduced bounty due to the additional workload for our support team. However, if we have not responded within 7 days, do resend your request.
- When we confirm the reported vulnerability and assign the associated bounty amount, we will ask you to provide your bank account details in order to transfer the money via electronic international payment. Payment will usually appear within 14 days of vulnerability confirmation by NestForms.
Hall of Fame #
We are grateful for the assistance given by the following Bug Bounty Hunters:
Name, date | Bug Description |
---|---|
Tushar Vyas, October 2024 | HTML injection within the Quick Links manage lightbox. Potential attackers could view Quick Links of other users. Form Trigger save incorrectly validated Form permissions, allowing a Trigger to be injected. Session was not refreshed correctly if the user removed the Form Edit permission from themselves. Export settings had inconsistent permissions. Trigger detail was visible in the API response. |
Kunal Rajendra Patil, September 2024 | Form builder did not force login when the user logged out but navigated back within the browser. Missing account deletion email; other sessions should be notified of the account deletion. |
callgh0st, September 2024 | Member cached storage size was not decremented when removing a response. Old Event editor incorrectly displayed the form as deleted. Some old users still had @ in the username. Help page incorrectly described Responder access as editable. Incorrectly cached value for response file upload permission. Shared forms page displayed certain data that the responder should not be able to see. After reverting a deleted form, images remained marked as deleted. |
callgh0st, August 2024 | Users could not restore a relation if both had sent an ignore request. A user registered by another user should not be discoverable until the user logs in. Deleted members visible when sharing forms. Shared forms from deleted users were still visible. |
callgh0st, July 2024 | Cached storage size incorrectly changed when removing a response image. Group Admin could add a removed relation to the master account. Potential ability to scan users using email domains and the last letters of the email name. Cached storage size incorrectly changed if all files were removed. Relation groups could be assigned after the trial expired. Removed group admin could still promote relations to the master account. |
Tushar Vyas, July 2024 | HTML injection in the VIP trusted domains error message. |
Suraj Gupta, June 2024 | Certain user details could be externally available through a potential data breach. |
callgh0st and Sumit, June 2024 | File upload incorrectly validated form permissions. File upload incorrectly validated an inactive form. |
Suvendu Dash, June 2024 | Brand save rate limit not applied correctly. Limit not enforced for triggers. Old Events not checking the maximum number of responses. |
Mohammed Athif, April 2024 | File upload ignored validation rules. |
pushpraj patil, April 2024 | Missing proper value validation when editing response items. |
Rajeev Suyambu, April 2024 | After-finish text HTML injection was possible because src was not validated. A response to a public form could be edited after submission as long as the token was valid. |
Darshan Jogi, March 2024 | VIP Sections trusted domains did not have limits. Password could be changed to be the same as the username if username and email did not match. |
Soham Gidwani, March 2024 | Member with only Form Edit permissions could self-elevate permissions. Delete custom PDF definition of other users. Responder with edit access could edit other response items. Ability to delete CustomDB groups of other users. API did not correctly validate responder access. |
Tushar Vyas, March 2023 | HTML injection in Custom DB match merge filter. HTML injection in Trigger email error message. |
Deepak Kumar, March 2024 | Finish screen custom public link URL and public link delay not sufficiently validated. |
Manthan Mahale, March 2024 | Group Approve results permission incorrectly validated. |
Rajeev Suyambu, January 2024 | Reflected XSS in settings_excel_export_flat when CSP is disabled. Email verification token visible in members_emails requests. |
Christian Guavez, December 2023 | README.md could be accessed from the web. |
Suvendu Dash, December 2023 | Add additional CORS headers. |
Christian Guavez, December 2023 | Limit string lengths for texts within the Response Fill. |
Rushikesh Kaware, December 2023 | Archived forms should not be answerable. |
Rajeev Suyambu, November 2023 | Activation token visibility discovered during Triggers save. |
Animesh Mallick, October 2023 | XSS via the Request filter parameter on the Reports page. |
Dipak khobarkhede, October 2023 | Ability to accept a rejected friendship without rights. Edit a response after Responder edit was revoked. |
Bhargav Hede, October 2023 | Hidden response field content disclosed to the client. Client should not see Response log changes. |
Rajeev Suyambu, October 2023 | Self DB HTML XSS injection in the event creation page. Send test trigger email to an unverified email address. Self DB HTML injection within the Trigger list. |
Bhargav Hede, September 2023 | Confirm friendship when updating the Response name. Hide debug information when saving a response. Ability to set form.dispatch_edit member without permissions for Dispatches. |
Yogesh Bhandage, September 2023 | Validation of notifications set as read. Responder should not be able to edit rejected responses. Limit number of created responses. Only admins can change the form status. Show edit options displayed private form information without permissions. |
Sachin Kalkumbe, September 2023 | Applied new settings for TLS-RPT email reporting. |
Amol Verma (Dingus), September 2023 | HTML injection discovered in api/authorize. Access control for Custom DB file upload to be applied. |
Vibhor Sharma, August 2023 | A small sample of user details were intercepted on phonebook.cz. |
Rajeev Suyambu, August 2023 | Self DB HTML injection discovered within the PDF export image, Trigger list and Custom PDF Builder tree view. Potential ability to delete custom PDF definitions of other users. |
Rajeev Suyambu, July 2023 | HTML injection in Brand VIP area. Self HTML injection in send VIP email. HTML injection in the Assign Member to a group popup. Ability to read form definition from imported Excel. Access to unshared form detail (API). Relation had access to url_access_hash & password through the API. VIP Area: ZIP files from non-approved responses. Prevent clone_hash spoofing in Form Builder. Self DB HTML injection within form name. Apply CSRF token to CustomDB import. |
Yogesh Bhandage, July 2023 | Invitation and Trigger emails were missing a canonical email check (+1@gmail.com). Ability to delete a relation's brand image. |
Yogesh Bhandage, June 2023 | Update access_limit in real time for responses that are over the limit. Finished responses should not be deleted directly. |
Roshan Bhosle, May 2023 | Activation tokens should not be displayed in the back end. |
Yogesh Bhandage, May 2023 | Rejected friendship should not be able to submit a response. Deleted forms should not be able to receive a submitted response. |
Ashutosh Rimal, May 2023 | Secure iframes for VIP Section. |
Mr. Sahil Relekar, May 2023 | Ability to display and undelete the custom DB. |
Bhargav Hede, May 2023 | Resending a different Name of the Response did not display the log icon. API access should be blocked for free users. Breaking the JSON structure on POST could potentially reveal some internal paths in the error message. |
Shivam Kumar Singh, February 2023 | Session takeover from the email management system. |
Nikhil Kumar, February 2023 | VIP Access export response to Word without approval. Responder with Read access could see responses outside permissions. |
Suvendu Dash, February 2023 | Add a rate limit on the change email facility to prevent spamming. |
Uddeshaya Srivastava, February 2023 | Disallow ampersands in forename and surname. |
Tushar Vyas, January 2023 | api-example: cannot update custom DB. Event deletion misleading message. |
Tarun Garg, January 2023 | Edit profile only via POST requests. |
Pratik Suresh Karan, January 2023 | Inject trigger into victim account. Update validation of Form URL access hash. |
Chetan Rajpurohit, December 2022 | MS Excel potential hack using Custom DB export. |
Rajeev Suyambu, December 2022 | HTML injection in form edit autocapture autocomplete. |
Manthan Mahale, December 2022 | Ability to add a section to a related form without permission. Image gallery managing over-quota images. |
Tushar Vyas, September 2022 | Ability to update a Custom DB filter when the custom DB was already deleted. Rename Privacy Status to Discoverability. Event page potential fill after unsharing the member. Ability to save an already existing VIP URL hash. Force user to change password after first login. HTML injection in Custom DB charts. HTML injection in api-example domain. |
Veerla Saikumar, September 2022 | XSS token in application delete request to be sent via POST. Limit the character length on Chart settings. |
Manthan Mahale, September 2022 | Typo in HTTP header Feature-Policy. Footer registration form not working correctly. Unauthorised read access to Responses within a shared form. Ability to approve Responses within groups without permission. |
Rushikesh Kaware, August 2022 | Proposed local storage encryption enhancements. |
Ei Thwe, August 2022 | Inform the original email address when changing the email. Sanitise profile on save to session. |
Mr. Sahil Relekar, August 2022 | Ability to delete a custom DB item from the victim. |
Tushar Vyas, August 2022 | HTML validate form Excel import. HTML validate Custom DB table import. HTML validate Flat Export settings. displayMessage(): HTML injection via crafted response name on the Fill Page Finish & New. Form setting custom url_access_hash without checks for existing ones. Deleted form should not be cloned. Ability to see the form name via the event_id. |
Suvendu Dash, August 2022 | Missing secure flag on session cookie connect.sid on the analytics domain. |
Uddeshaya Srivastava, August 2022 | Change email contained a confirmation link to the new email address. |
Manthan Mahale, August 2022 | Force a refresh of the member session when changing groups. Displayed ability to modify Responses outside the group (when having group_approve_results). |
Shreyas Koli, July 2022 | Disable uploading files for finished web responses. |
Veerla Saikumar, July 2022 | Hide PHPMailer version from emails. When validating a field for multiple errors, stop after the first error. Above-the-fold clickjacking. FTP version and OS name disclosure on analytics IP. |
Ashish Sharma, July 2022 | Free subscription allowed form items to be added in excess of the limit. Library files should not be private until shared. API: Custom DB data without fully checking permissions. Brute force of signature and audio uploaded via website. API application available to user types outside their subscription base. Responder permission access needs to be fully checked at response level. |
DilipKumar, June 2022 | Newsletter subscribe with user code. |
ashwani kutiyal, June 2022 | Email verification code doesn't change if used within the same email. |
Tushar Vyas, June 2022 | Deleted responses on the responses page could potentially lead to HTML injection via the Response name. |
Zweizack, June 2022 | XSS on custom PDF. |
Suvendu Dash, June 2022 | Limit maximum amount of characters for Member group notes. Limit number of lines in the invitation email. Set new rate limit for changing username. VUE potential plugin vulnerability. CSP header missing the base-uri. CSP & Permission Policy missing on analytics. Missing Secure or HttpOnly cookie flag on session on staging. Server version number disclosed on staging. Exposed server software version on error pages. Staging was sending emails when it should not. Staging SSL certificate. |
Dhruvin Shah, June 2022 | Tabnabbing. |
Manthan Mahale, March 2022 | START TRIAL NOW button should display a register popup page. When forgot password has been processed, partially clear the login rate limit for that account. |
Ali, May 2022 | Excessive-length usernames jumping below the right column on the profile page. |
Yash, May 2022 | Analytics should not appear on the IP only. |
Ashutosh Nath Rimal, May 2022 | Prevent the registration of @anything.nestforms.com email addresses. Check permissions before downloading cache reports. Open Google API key was present in the JavaScript comments. |
Sai Teja, May 2022 | Add a rate limit for the approve_members_emails function. |
Shreyas Koli, May 2022 | Block registration of something@NestForms.com email. Username: server validation for invalid characters. Disable autocomplete for Branding password. Securing username when inviting a relation. Enhance member groups validation. Reopening a mutually rejected friendship: invalid statuses. Server side validation for the Form fill page. Potential deletion of a finished response by a responder. A responder could potentially update a finished response. Discovered a potential threat of spamming within instant trigger emails. |
Deepak Kumar, May 2022 | Setting FTP: XSS iframe. Potentially insecure WordPress installation. |
Raajesh - Infoziant Security, May 2022 | Add sp for subdomains into DMARC. |
Dhruvin Shah, April 2022 | API / members: hiding emails (and username) when invitation sent. |
Manthan Mahale, April 2022 | Re-enabling a relationship could potentially assign more shares to a form over the set limit. Ability to heavily misuse the form count by closing and opening forms. Update the message about deleting forms. Brand VIP send email bug. Phone number limited to valid characters. |
Ashutosh Rimal, April 2022 | Restricting the rate limit on resending password instructions. |
Ranjeet (geekboyranjeet), May 2022 | Inject HTML to self in a trigger validation email. |
S Rahul (@7srambo), April 2022 | cURL request on 404 HTML reflection. Disable weak TLS 1.2 cipher suites. Fix styles for the “remove Czech diacritics” page. |
Vasanth(vasi), April 2022 | Prevent registering @nestforms.com email addresses. |
TechMedia YT, April 2022 | Registration email is not sending the username. |
Veerla Saikumar, March 2022 | Blocking a user from reusing a session in a different browser. |
Manthan Mahale, March 2022 | Profile change username: remove ajax validation. Revoked relation could not revoke. Staging server does not downgrade the account. Password protection on account undelete. Apply proper limits in sharing events and editing member groups. Ability to share events with non-related members. Impossible to reactivate a form when on the form limit count. Staging site missing pages for changing username, email, password. Incorrect delete account date calculation on profile page. Refresh session when permissions are changed. |
Anumula Naveen Kumar, March 2022 | Some older profile files identified with guessable URLs. |
Yogesh Bhandage, March 2022 | Brute force password check without rate limit. |
Ali, March 2022 | Found unrestricted API keys. |
Uddeshaya Srivastava, March 2022 | SPF to be set as -all instead of ~all. |
Gunda Shiva Kumar, March 2022 | Reset Password could compromise an account after a password change. Contact form: cache control. Limit message characters on Invitation form and Contact us form. |
Gaurav Dalal, February 2022 | Remove metadata within PNG files. |
Roshan Bhosle, February 2022 | Registration account takeover when username and email differ. Prevent using email as the username. |
bug hunter 5213, February 2022 | Inform the user by email when changing the password. Content spoofing on Contact us via What-s-this-about. |
Darshan Jogi, January 2022 | Password input field should have autocomplete=off. |
Kshitiz Raj, January 2022 | Potential open location redirect after login. |
Fauzi Bariq Mahya, January 2022 | Repeating the request to oauth blocks the user from displaying the profile page. |
Mahendra Mahale, January 2022 | Missing rate limit on change username and email in profile page. |
Manthan Mahale, January 2022 | Ability to unlock the custom DB feature on a free account. Ability to share my relation to an unrelated form. Push custom text to payment type in contact email. Ability to send an invitation to users based on ID. Restrict the name of the sender in trigger email invitation email. Ability to share form with a non-relation. Free subscription user should not share permissions for group_approve_results. Staging server did not allow the file upload. Proof of allowing a trial user to unlock additional paid modules. |
Phyo Ko, January 2022 | Limit the password length within forgot password. |
Ashish Sharma, January 2022 | Brute force scanning of API relations files. Ability to see the form structure via the old event fill page. |
Ashish Sharma, December 2021 | Ability to share the form with a non-relation in the relations page. Ability to promote relations without prior approval. Cannot delete an uploaded image via web response. Free plan users could create a new user group. |
Hakerbaya, December 2021 | Display the username of an unrelated user. Ability to manipulate Custom DB group data without permissions. Disclose an unrelated form name in the Trigger save error message. Ability to insert charts and filter settings into an unrelated account. Display unrelated notifications. Disclosure of internal server path in error message. |
Virang Rajyaguru, December 2021 | Sanitize the page query parameter on the api example domain. |
Ashish Sharma, November 2021 | Disable empty scope for oauth validation. |
Sajibe Kanti, November 2021 | Image preview with excessive size potentially leading to Denial of Service. Enforce a new password when changing the old password. msg query parameter should be ignored. |
Himanshu, November 2021 | phpMyAdmin viewable on the frontend. |
Darshan Jogi, November 2021 | Ability to override a cookie based on the URL parameter. |
Rohan Agarwal, September 2021 | Apps incorrectly managing invalidated tokens. |
Aryan, September 2021 | Sanitize the user forename in the emails sent by NestForms. |
Rishabh, October 2021 | Ability to send invitation email and forgot password email over the approved limit. Create a new page to manage all current connections (web and app). |
Abdeali, October 2021 | Add CAA DNS record for domain nestforms.com. Apply DNSSEC for nestforms.com domain. Strip https:// from invitation email as Gmail displays it as a link. X-Content-Type-Options needs to be applied. |
Sai Teja, October 2021 | Possible to brute-force guess an email from the Registration page without JavaScript. |
Amaranath Moger, October 2021 | Guessable filenames in cache_reports. |
Aniket Deshmane, October 2021 | Page HTML injection from URL on Reports page. Staging server displayed the directories and log files. |
Krishna Chaitanya N, September 2021 | Logout should be a POST request. Applied HTTP_ACCEPT header checking. |
Prajit Sindhkar, September 2021 | Found accessible ports on the analytics.nestforms.com domain. |
Swapnil Bobale, October 2021 | Domain analytics.nestforms.com has to force the https protocol. Added a Content Security Policy and SSL cookie secure flag on analytics.nestforms.com. Force an http redirect on the NestForms IP address. |
Kunal, October 2021 | Avoid 1-to-1 usage of personal information as the account password. |
Aniket Deshmane, September 2021 | Ability to change the brand image. Remove EXIF information from the files. |
Darshan Jogi, September 2021 | Displaying files that should not be accessible on the API test domain. Apply the HSTS headers correctly and add NestForms to the hstspreload.org site. Ability to guess the password by brute force when logged in. Review the Password Reset code expiration on email change. Appearance of a class that looks like an ID in the HTML source code. Generated thumbnails not deleted with files (e.g. profile images). Add password protection on account deletion. |
Adnankhan Pathan, September 2021 | Ability to save and display VIP without paying for a Premium account. Potential to create a Trigger or Custom DB on smaller subscriptions. Redirect user to incorrect domain after API remote-login. |
Anirudh Makkar, July 2021 | Found a loophole in creating more forms than the plan should allow, which also affected Triggers and the custom DB import. Not limiting file uploads within a short period of time. Discovered potentially discoverable URLs for images. |
Ronit Bhat, June 2021 | Redirect after login should not display any domain other than NestForms. |
Kader Mouaz, June 2021 | Forename as HTML + exploit via sending the confirmation email. VUE HTML injection in fill page (when the Form owner edits a response from the Responder). Android app: security keys need to be fully encrypted. |
Pratik Khalane, July 2021 | Potentially spamming users with the forgot password invitation email. |
Virendra Tiwari, June 2021 | Email domain to be secured with DMARC. The staging server displaying the Apache version. |
Deepak Sharma, June 2021 | Found how to steal a cookie in our mail support platform via the Contact us form. |
Daksh Bhayana, June 2021 | Found a potential XSS vulnerability in the site map page. |
Anirudh Makkar, June 2021 | Found a bug that allowed users to submit an invitation email that included HTML. Found an unrestricted Google Maps API key, a potentially dangerous CSV injection while exporting responses, and HTML injection in the msg request parameter. |
Pratik Khalane, June 2021 | Found several URL links in Sitemanager and the staging server that should not have been available to public visitors. |
Prajit Sindhkar, May 2021 | Found a bug with a potential account takeover when using the forgot password function, a related bug with the forgot password function sending too many emails, and a potential flaw with changing password. |
Romel Lanza, August 2020 | Found a bug with managing member groups: reading and deleting groups without permissions. |
Captes, July 2020 | Issues with uploading an XLSX custom DB file that could be processed by PHP scripts. |
Captes, July 2020 | Issues with SQL injection in the Relations page. |