Interested in helping NestForms improve security?
At NestForms we take the security of our service very seriously. On a regular basis we perform many tests and security checks on our systems to ensure we are operating within acceptable parameters. This includes security audits as well as penetration testing of our public platforms.
As part of our approach to maintaining a secure service, we run a bug bounty program that is open to the public. We would be very pleased to hear from you if you have discovered any vulnerability or threat to the NestForms platform, and we reward discoveries that improve the security of NestForms. The award is based on the severity and impact of the problem.
Severity level #
For those who have taken the time to reveal potential vulnerabilities within our platform, we will pay a bounty loosely based on the following pricing template:
Bug Bounty Rules #
When you are testing, please follow these rules:
- Any testing must be limited to a maximum of one request per second, to prevent overloading the NestForms service.
- We do not allow Bug Bounty hunters to download database content. A list of the tables is sufficient as proof of concept.
- You will need to create a NestForms account for testing the service. Always include “BugBounty” as part of the name when registering, to confirm your link to the Bug Bounty program.
- We do not accept bugs that affect outdated browsers, user agents or app versions.
- The NestForms Bug Bounty program only applies to the nestforms.com, www.nestforms.com and s3-eu-west-1.amazonaws.com/files.nestforms.com domains. NestForms does not include, or accept responsibility for, any third-party services associated with NestForms.com.
- For the protection of our customers, NestForms requests that you do not post or share any data regarding potential vulnerabilities on other public platforms until NestForms has investigated, addressed and responded to the reported vulnerability and, where necessary, informed customers.
- We require that you operate within the guidelines of our Terms & Conditions.
Reports excluded from the Bug Bounty program #
We are aware of several niche areas that might be considered vulnerabilities, but as our service is narrow in focus, the following scenarios are not considered bugs or vulnerabilities in NestForms, so please do not report them:
- Denial of Service (DoS) attacks.
- Distributed Denial of Service (DDoS) attacks.
- Any variant of phishing or social engineering.
- Any physical action outside the realm of a web-based attack.
- Rules restricting the free account on downgrade. It is our business decision to make upgrading again smooth, so we allow users to keep using more resources than the free plan provides for a short period of time, e.g. the number of shared relations within a form, already uploaded images, or responses that already exist in their master account.
- Finding the ID of any record without being able to reveal private information or update or delete the record.
- Files uploaded with a double extension, without proof of exploit.
How to submit a bug report #
Please review the guidelines below to help you submit an effective bug report:
- A short, clear description summarising the issue you have found.
- Information on how you uncovered and exploited the issue.
- Proof of how the issue can be exploited against the NestForms platform.
- A description of the impact: how an attacker could exploit the reported issue and how it would affect our operations.
- Any other information and attachments, such as screenshots or videos showing the threat or vulnerability, that you consider helpful.
- Any information you believe pertinent regarding the device or platform used.
The guidelines above are not comprehensive, and the awarding of bounties depends very much on how accurate the report of the vulnerability is. Please be precise in your submission: it can take time for issues to be investigated, and reports that are unclear or vague may not be considered.
For submission, please use the secure submission channel described in the .well-known/security.txt file on our website. Alternatively, you can use our contact form.
What to expect from NestForms #
- We will acknowledge receipt of your submission as soon as possible.
- We will not be able to reward reported findings immediately, as we have to carry out our own investigation into the issue. We always aim to respond within one week.
- We can only award one bounty per issue reported.
- If there have been multiple submissions on the same issue, the first clear bug report will receive the finder's award.
- To receive a bounty, you must reside in a country that is not on any official sanction list (e.g. Cuba, Iran, North Korea, Sudan and Syria).
- NestForms reserves the right to cancel or amend the bug bounty program. Whether or not to pay an award is at our discretion.
- Please be patient once you have submitted your report; we are unable to reply to repeated requests for updates. We will acknowledge your submission and contact you after our investigation.
- Once we confirm the reported vulnerability and assign the associated bounty amount, we will ask you for your bank account details in order to transfer the money by international electronic payment. Payment will usually arrive within 14 days of confirmation of the vulnerability by NestForms.
Hall of Fame #
We are grateful for the assistance given by the following Bug Bounty Hunters:
- Found a loophole allowing more forms to be created than the plan should allow (which also affected Triggers and the custom DB import). File uploads not being limited within a short period of time. Discovered a potentially discoverable URL for images.
- Redirect after login should not point to any domain other than NestForms.
- Forename stored as HTML, exploited via the confirmation email. Vue HTML injection in the fill page (when the form owner edits a response from the responder). Android app: security keys need to be fully encrypted.
- Potential for spamming users with the forgot-password email.
- Email domain to be secured with DMARC. The staging server disclosing the Apache version.
- Found how to steal a cookie in our mail support platform via the Contact Us form.
- Found a potential XSS vulnerability in the site map page.
- Found a bug that allowed users to submit an invitation email that included HTML. Found an unrestricted Google Maps API key, a potentially dangerous CSV injection while exporting responses, and HTML injection in the msg request parameter.
- Found several URLs in Sitemanager and on the staging server that should not have been available to public visitors.
- Found a bug with a potential account takeover via the forgot-password function, a related bug with the forgot-password function sending too many emails, and a potential flaw in changing passwords.
- Found a bug in managing member groups: reading and deleting groups without permission.
- Issues with uploading an XLSX custom DB file that could be processed by PHP scripts.
- Issues with SQL injection in the Relations page.