The Bug Bounty program is paused until September.
Due to the Summer holidays and collective annual leave of our development team, the Bug Bounty program will be on a short hiatus until the 1st of September 2023.
You are welcome to submit vulnerabilities in the meantime, but our responses will be considerably slower until September.
Interested in helping NestForms improve security?
At NestForms we take the security of our service very seriously. On a regular basis we perform many tests and security checks on our systems to ensure we are operating within acceptable parameters. This includes security audits as well as penetration testing of our public platforms.
As part of our approach to maintaining a secure service, we have put in place a bug bounty program that is open to the public. We would be very pleased to hear from you if you have discovered any vulnerabilities or threats to the NestForms platform, and we are happy to reward those who discover a bug or vulnerability that improves the security of NestForms. The award is based on the level of threat and the critical nature of the problem.
Severity level #
For those who have taken the time to reveal potential vulnerabilities within our platform we will pay a bounty loosely based on the following pricing template:
Severity | Bounty |
---|---|
Critical | €800.00 |
High | €200.00 |
Medium | €100.00 |
Low | €40.00 |
Bug Bounty Rules #
When you are testing, please follow these rules:
- Any testing must be limited to a maximum of one request per second to prevent the potential overload of the NestForms service.
- We do not allow Bug Bounty hunters to download database content. A list of the tables is enough for a proof of concept.
- You will need to create a NestForms account for testing the service. Always add “BugBounty” as part of the name when registering to confirm your link to the Bug Bounty program.
- We do not accept bugs that affect outdated browsers, user agents or app versions.
- The primary focus of the NestForms Bug Bounty program applies to the nestforms.com, www.nestforms.com and s3-eu-west-1.amazonaws.com/files.nestforms.com domains only. We may (depending on circumstances) accept bounty reports for related domains (staging.nestforms.com, analytics.nestforms.com, ...), but it must be stressed that they are not the primary focus of the Bug Bounty program and do not contain critical client data. As a result, the accepted bounties for these domains are lower than for bugs found and reported on the main domains. NestForms does not include or accept responsibility for any third party associations with NestForms.com.
- For the protection of our customers, NestForms requests that you do not post or share any data regarding potential vulnerabilities on other public platforms until NestForms has investigated, researched, responded to and addressed the reported vulnerability, and informed customers if needed.
- We require that you operate within the guidelines of our Terms & Conditions.
- Always use email addresses that belong to you. Violations of this rule may result in a reduced bounty or no bounty at all, due to the potential damage to our business offering.
- Our staging server has email sending disabled, therefore some features are not available there (e.g. inviting members by email, email triggers, forgot password, confirm email).
Reports excluded from the Bug Bounty program #
We are aware of several niche areas that might be considered a vulnerability, but as our service is narrow in focus, the following scenarios are not considered a bug or vulnerability by NestForms, so please do not report these issues:
- Denial of Service (DoS) attacks.
- Distributed Denial of Service (DDoS) attacks.
- Any variant of Phishing or Social Engineering.
- Any physical action outside the realm of a web based attack.
- Rules restricting the free account on downgrade. Our business decision is to make it smooth to upgrade again, so for a short period of time we allow users to keep more resources than the free plan provides, e.g. the number of shared relations within a form, already uploaded images, or responses that already exist in their master account.
- Finding the ID of any record without revealing any private information, updating or deleting the record.
- Double extension uploaded files without proof of exploit.
- Not validating email addresses is a business decision: we allow any user to create an account without email confirmation in order to keep the service simple to use.
- Messages that reveal whether an email address already exists in our database (within forgot password, registration, etc.) are a NestForms business decision. We limit the number of attempts in these places, which effectively blocks enumeration of our database. A similar approach is used by Google as well.
- Creating multiple NestForms accounts using one Gmail account (eg: using a plus symbol in the email address).
- We are not responsible for third party software that may or may not be associated with NestForms (eg analytics.nestforms.com).
- Android or iOS NestForms app.
How to submit a bug report #
Please review our guidelines below in order to assist you when submitting an effective bug report:
- Give a short clear description summarising the issue you have found.
- Information on how you uncovered and exploited the issue.
- Proof of how the issue can be exploited to work against the NestForms platform.
- A description of the impact: how an attacker could exploit the reported issue and how it would affect our operations.
- Any other information and attachments such as screenshots or videos showing the threat or vulnerability that you would consider helpful.
- Any information you believe pertinent with regards to device or platform is welcome.
The guidelines above are not comprehensive, and the awarding of bounties is very much based on how accurately the vulnerability is reported. Please be precise in your submission: it can take time for issues to be investigated, so reports that are unclear or vague may not be considered.
For submission, please use the secure submission channel described in the .well-known/security.txt file on our website. Alternatively, you can use our contact form.
What to expect from NestForms #
- We will acknowledge receipt of your submission as soon as possible.
- We will not be able to reward any reported findings immediately as we will have to carry out our own investigation into the issue. We always aim to respond within one week.
- We can only award one bounty per issue reported.
- Where there have been multiple submissions on the same issue, the first clear bug report receives the finder's award.
- To receive a bounty, you must reside in a country that is not on any official sanction list (e.g., Cuba, Iran, North Korea, Sudan & Syria). NestForms reserves the right to cancel or amend the bug bounty program. It is at our discretion whether or not to pay an award.
- Please be patient once you have submitted your report. We make every effort to check all reports very carefully. Depending on levels of activity, it can take between 1 and 5 working days for our team to respond to your submission. The same applies to any follow-up email thread. Excessive follow-up emails may result in a reduced bounty due to the additional workload for our support team. However, if we have not responded within 7 days, do resend your request.
- When we confirm the reported vulnerability and assign the associated bounty amount, we will ask you to provide your bank account details in order to transfer the money via international electronic payment. Payment will usually appear within 14 days of confirmation of the vulnerability by NestForms.
Hall of Fame #
We are grateful for the assistance given by the following Bug Bounty Hunters:
Name | Date | Bug Description |
---|---|---|
Roshan Bhosle | May 2023 | Activation tokens should not be displayed in the back end. |
Yogesh Bhandage | May 2023 | Rejected friendship should not be able to submit a response. Deleted forms should not be able to submit a response. |
Ashutosh Rimal | May 2023 | Secure iframes for VIP Section. |
Mr. Sahil Relekar | May 2023 | Ability to display and undelete the custom DB. |
Bhargav Hede | May 2023 | Resending a different Name of the Response does not display the log icon. API access should be blocked for free users. Breaking JSON structure on POST could potentially reveal some internal paths in the error message. |
Shivam Kumar Singh | February 2023 | Takeover session from email management system. |
Nikhil Kumar | February 2023 | VIP Access export response to Word without approval. Responder with Read access can see responses outside permissions. |
Suvendu Dash | February 2023 | Add rate limit on change email facility to prevent spamming. |
Uddeshaya Srivastava | February 2023 | Disallow ampersands from forename and surname. |
Tushar Vyas | January 2023 | api-example - cannot update custom DB. Event deletion misleading message. |
Tarun Garg | January 2023 | Edit profile only via POST requests. |
Pratik Suresh Karan | January 2023 | Inject trigger to victim account. Update validation of Form url access hash. |
Chetan Rajpurohit | December 2022 | MS Excel potential hack using Custom DB export. |
Rajeev Suyambu | December 2022 | HTML injection form edit autocapture autocomplete. |
Manthan Mahale | December 2022 | Ability to add a section to a related form without permission. Image gallery managing over quota images. |
Tushar Vyas | September 2022 | Ability to update Custom DB filter when custom DB is already deleted. Rename Privacy Status to Discoverability. Event page potential fill after unsharing the member. Ability to save an already existing VIP url hash. Force user to change password after first login. HTML injection in Custom DB charts. HTML injection in api-example domain. |
Veerla Saikumar | September 2022 | XSS token in application delete request to be sent via POST. Limit the character length on Chart settings. |
Manthan Mahale | September 2022 | Typo in HTTP Header Feature-Policy. Footer registration form not working correctly. Unauthorised read access to Responses within a shared form. Ability to approve Responses within groups without permission. |
Rushikesh Kaware | August 2022 | Proposed local storage encryption enhancements. |
Ei Thwe | August 2022 | Inform original email address when changing the email. Sanitise profile on save to session. |
Mr. Sahil Relekar | August 2022 | Ability to delete the custom DB item from victim. |
Tushar Vyas | August 2022 | HTML Validate form excel import. HTML Validate Custom DB table import. HTML Validate Flat Export settings. displayMessage(): HTML Injection via crafted response name on the Fill Page Finish & New. Form setting custom url_access_hash without checks for existing ones. Deleted form should not be cloned. Ability to see the form name via the event_id. |
Suvendu Dash | August 2022 | Missing secure flag on session cookie connect.sid on analytics domain. |
Uddeshaya Srivastava | August 2022 | Change email contained confirmation link to new email address. |
Manthan Mahale | August 2022 | Force a refresh of the member session when changing groups. Displayed ability to modify Responses outside the group (when having group_approve_results). |
Shreyas Koli | July 2022 | Disable uploading files for finished web responses. |
Veerla Saikumar | July 2022 | Hide PHPMailer version from emails. When validating a field for multiple errors, stop after the first error. Above the fold clickjacking. FTP Version and OS name disclosure on analytics IP. |
Ashish Sharma | July 2022 | Free subscription allowed form items to be added in excess of the limit. Library files should not be private until shared. API - Custom DB data without fully checking permissions. Bruteforce signature and audio uploaded via website. API application available to user types outside their subscription base. Responder permission access needs to be fully checked on response level. |
DilipKumar | June 2022 | Newsletter subscribe with user code. |
ashwani kutiyal | June 2022 | Email verification code doesn't change if used within the same email. |
Tushar Vyas | June 2022 | Deleted responses on the responses page could potentially lead to HTML injection via the Response name. |
Zweizack | June 2022 | XSS on custom PDF. |
Suvendu Dash | June 2022 | Limit maximum amount of characters for Member group notes. Limit number of lines in the invitation email. Set new rate limit for changing username. VUE potential plugin vulnerability. CSP header missing the base-uri. CSP & Permission Policy Missing on analytics. Missing Secure or HTTPOnly Cookie Flag Session on staging. Server Version Number Disclosing on staging. Exposed Server software version - Error pages. Staging was sending emails when it should not. Staging SSL Certificate. |
Dhruvin Shah | June 2022 | Tabnabbing. |
Manthan Mahale | March 2022 | START TRIAL NOW button should display a register popup page. When forgot password has processed, partially clear the login rate limit for that account. |
Ali | May 2022 | Excessive length usernames jumping below the right column on the profile page. |
Yash | May 2022 | Analytics should not appear on the IP only. |
Ashutosh Nath Rimal | May 2022 | Prevent the registration of @anything.nestforms.com email addresses. Check permissions before downloading cache reports. Open Google API key was presented in the JavaScript comments. |
Sai Teja | May 2022 | Add a rate limit for the approve_members_emails function. |
Shreyas Koli | May 2022 | Block registration of something@NestForms.com email. Username - server validation for invalid characters. Disable autocomplete for Branding password. Securing username when inviting a relation. Enhance member groups validation. Reopening a mutually rejected friendship - invalid statuses. Server side validation for the Form fill page. Potential deletion of a finished response by a responder. A responder could potentially update a finished response. Discovered a potential threat of spamming within instant trigger emails. |
Deepak Kumar | May 2022 | Setting FTP - XSS iframe. Potentially insecure WordPress installation. |
Raajesh - Infoziant Security | May 2022 | Add sp for subdomains into DMARC. |
Dhruvin Shah | April 2022 | Api / members - hiding emails (and username) when invitation sent. |
Manthan Mahale | April 2022 | Re-enabling a relationship could potentially assign more shares to a form over the set limit. Ability to heavily misuse the form count by closing and opening forms. Update the message about deleting forms. Brand VIP send email bug. Phone number limit to valid characters. |
Ashutosh Rimal | April 2022 | Restricting the rate limit on password resending instructions. |
Ranjeet (geekboyranjeet) | May 2022 | Inject html to self in a trigger validation email. |
S Rahul (@7srambo) | April 2022 | CURL request on 404 html reflection. Disable weak TLS 1.2 Cipher Suites. Fix styles for the “remove czech diacritics” page. |
Vasanth (vasi) | April 2022 | Prevent from registering @nestforms.com email addresses. |
TechMedia YT | April 2022 | Registration email is not sending the username. |
Veerla Saikumar | March 2022 | Blocking a user from reusing a session in a different browser. |
Manthan Mahale | March 2022 | Profile change username remove ajax validation. Revoked relation could not revoke. Staging server does not downgrade the account. Password protection on account undelete. Apply proper limits in sharing events and edit member groups. Ability to share events with non related members. Impossible to reactivate a form when on the form limit count. Staging site missing pages for changing username, email, password. Incorrect delete account date calculation on profile page. Refresh session when permissions are changed. |
Anumula Naveen Kumar | March 2022 | Some older profile files identified with guessable URLs. |
Yogesh Bhandage | March 2022 | Bruteforce password check without rate limit. |
Ali | March 2022 | Found unrestricted API Keys. |
Uddeshaya Srivastava | March 2022 | SPF to be set as -all instead of ~all. |
Gunda Shiva Kumar | March 2022 | Reset Password can compromise an account after a password change. Contact form - cache control. Limit message characters on Invitation form and Contact us form. |
Gaurav Dalal | February 2022 | Remove metadata within PNG Files. |
Roshan Bhosle | February 2022 | Registration account takeover when username and email differ. Prevent using email as the username. |
bug hunter 5213 | February 2022 | Inform the user by email when changing the password. Content spoofing on contact us via What-s-this-about. |
Darshan Jogi | January 2022 | Password input field should have autocomplete=off. |
Kshitiz Raj | January 2022 | Potential open location redirect after login. |
Fauzi Bariq Mahya | January 2022 | Repeating the request to oauth blocks the user from displaying the profile page. |
Mahendra Mahale | January 2022 | Missing rate limit on change username and email in profile page. |
Manthan Mahale | January 2022 | Ability to unlock the custom DB feature on a free account. Ability to share my relation to an unrelated form. Push custom text to payment type in contact email. Ability to send an invitation to users based on ID. Restrict the name of the sender in trigger email invitation email. Ability to share form with non relation. Free subscription user should not share permissions for group_approve_results. Staging server did not allow the file upload. Proof of allowing a trial user to unlock additional paid modules. |
Phyo Ko | January 2022 | Limit the password length within forgot password. |
Ashish Sharma | January 2022 | Brute force scanning API relations files. Ability to see the form structure via the old event fill page. |
Ashish Sharma | December 2021 | Ability to share the form with a non relation in the relations page. Ability to promote relations without prior approval. Cannot delete an uploaded image via web response. Free plan users could create a new user group. |
Hakerbaya | | Display the username of an unrelated user. Ability to manipulate Custom DB group data without permissions. Disclose an unrelated form name in the Trigger save error message. Ability to insert charts and filter settings to an unrelated account. Display unrelated notifications. Disclosure of internal server path in error message. |
Virang Rajyaguru | | Sanitize the page query parameter on the api example domain. |
Ashish Sharma | | Disable empty scope for oauth validation. |
Sajibe Kanti | | Image preview with excessive size potentially leading to Denial of Service. Enforce a new password when changing old password. msg query parameter should be ignored. |
Himanshu | | phpMyAdmin viewable on frontend. |
Darshan Jogi | | Ability to override cookie based on the URL parameter. |
Rohan Agarwal | | Apps incorrectly managing invalidated tokens. |
Aryan | | Sanitize the user forename in the emails submitted by NestForms. |
Rishabh | | Ability to send invitation email and forget password email over the approved limit. Create a new page to manage all current connections (web and app). |
Abdeali | | Add CAA DNS record for domain nestforms.com. Apply DNSSEC for nestforms.com domain. Strip https:// from invitation email as Gmail is displaying it as a link. X-Content-Type-Options needs to be applied. |
Sai Teja | | Possible to bruteforce a guessed email from the Registration page without JavaScript. |
Amaranath Moger | | Guessable filenames in cache_reports. |
Aniket Deshmane | | Page HTML injection from URL on Reports page. Staging server displayed the directories and log files. |
Krishna Chaitanya N | | Logout should be a POST request. Applied HTTP_ACCEPT headers checking. |
Prajit Sindhkar | | Found accessible ports on the analytics.nestforms.com domain. |
Swapnil Bobale | | Domain analytics.nestforms.com has to force https protocol. Added a Content Security Policy and SSL cookies secure flag on analytics.nestforms.com. Force a http redirect on NestForms IP Address. |
Kunal | | Avoid 1-to-1 usage of personal information as the account password. |
Aniket Deshmane | | Ability to change the brand image. Remove EXIF information from the files. |
Darshan Jogi | | Displaying files that should not be accessible on the API test domain. Apply correctly the HSTS headers and add NestForms to the hstspreload.org site. Ability to guess the password when logged in using bruteforce. Review the Password Reset code expiration on email Change. Appearance of a class that looks like ID in the HTML source code. Generated thumbnails that are not deleted with files (eg profile images). Add the password protection on account deletion. |
Adnankhan Pathan | | Ability to save and display VIP without paying for Premium account. Potential to create a Trigger or Custom DB on smaller subscriptions. Redirect user to incorrect domain after API remote-login. |
Anirudh Makkar | | Found a loophole in creating more forms than the plan should allow, which also affected Triggers and the custom DB import. Not limiting the file upload within a short period of time. Discovered potentially discoverable URL for images. |
Ronit Bhat | | Redirect after login should not display any domain other than NestForms. |
Kader Mouaz | | Forename as HTML + exploit via sending the confirmation email. VUE HTML injection in fill page (when the Form owner edits a response from the Responder). Android app - security keys need to be fully encrypted. |
Pratik Khalane | | Potentially spamming users with the forgot password invitation email. |
Virendra Tiwari | | Email domain to be secured with DMARC. The staging server displaying the Apache version. |
Deepak Sharma | | Found how to steal a cookie in our mail support platform via the Contact us form. |
Daksh Bhayana | | Found a potential XSS vulnerability in the site map page. |
Anirudh Makkar | | Found a bug that allowed users to submit an invitation email that included HTML. Found an unrestricted Google Maps API key, potentially dangerous CSV injection while exporting responses, and HTML injection in the msg request parameter. |
Pratik Khalane | | Found several URL links in Sitemanager and staging server that should not have been available to public visitors. |
Prajit Sindhkar | | Found a bug with a potential account takeover when using the forgot password function, a related bug with the forgot password function sending too many emails, and a potential flaw with changing password. |
Romel Lanza | August 2020 | Found a bug with managing members groups - reading and deleting groups without permissions. |
Captes | July 2020 | Issues with uploading XLSX custom DB file that could be processed by PHP scripts. |
Captes | July 2020 | Issues with SQL injection in the Relations page. |