placeB (Vulnerability Disclosure Program)
Beschreibung
placeB AG is committed to ensuring the security of their users by protecting their information. This policy is intended to give security researchers clear guidelines for conducting vulnerability discovery activities and to convey our preferences in how to submit discovered vulnerabilities.
placeB provides self-storage facilities at over 25 locations in Switzerland. The process from booking to physical access to the storage room is fully digitalised: the customer books his storage box online, downloads an app on his smartphone and uses it to open all the doors to his personal storage box. placeB's IT infrastructure includes an IoT solution which manages all remote self-storage centres and controls access to the storage units.
Regeln
placeB AG operates various services (platforms, services). But only services from explicitly listed domains / URLs are in the scope of the Vulnerability Disclosure Policy. All other domains or explicitly listed services are therefore not eligible for reward and do not fall under the Legal Safe Harbor Agreement.
By participating in this program, security researchers undertake to document information about any vulnerability found exclusively via the platform's designated reporting form and not in any other places. They also agree to keep the found vulnerability secret after reporting it on the platform. Finally, they undertake to upload to the platform any data from customers that they have obtained as part of the test and to delete any local copies afterwards and not to distribute them further.
Please note: This is a Vulnerability Disclosure Program, no bug bounties are paid out.
Hacking Methods
In participating in the program, security researchers agree not to use methods that would adversely affect the tested applications or their users. These include:
- Social engineering
- Spamming
- Phishing
- Denial-of-service attacks or other brute force attacks
- Physical attacks
In addition to the prohibited hacking methods listed above, security researchers are required to immediately discontinue vulnerability scanning if they determine that their conduct will result in a significant degradation (negative impact on regular users or on the operations team) of the Platform's or Service's operations.
Physical Part
Parts of placeB's service are a physical product.
If security researchers notice that a door has been opened, they are required to report it immediately. To minimize possible damage, only these API endpoints are allowed for the doors:
open-doors
- https://api.placeb.ch/api/v1/reservations/7449/open-doors/2502
- https://api.placeb.ch/api/v1/reservations/7449/open-doors/2499
open-box
- https://api.placeb.ch/api/v1/reservations/7450/open-box
- https://api.placeb.ch/api/v1/reservations/7450/open-box
All other endpoints may be tested regardless of the Id.
User Agent
If your run tests append vdp-placeb-ag-nQXAJAvc to the User-Agent
Creating users, booking a storage room and contact form
Security researchers are allowed to create new users for testing.
- If you create a new user, book a storage room (a.k.a. box) or use the contact form please use Firstname "Bug" and Lastname "Hunter".
- If you book a self storage room please use location Winterthur, Hegmattenstrasse and category "A couple of boxes | 1m³".
- Important: Test bookings can be cancelled by placeB after 1 day without notification.
Qualified vulnerabilities
Any design or implementation problem can be reported that is reproducible and affects security.
Typical examples:
- Cross Site Request Forgery (CSRF)
- Cross Site Scripting (XSS)
- Insecure Direct Object Reference
- Remote Code Execution (RCE)
- Injection Flaws
- Information Leakage an Improper Error Handling
- Unauthorized access to properties or accounts
Other examples:
- Data/information leaks
- Possibility of data/information exfiltration
- Backdoors that can be actively exploited
- Potential for unauthorized system use
- Misconfigurations
Non-qualified vulnerabilities
The following vulnerabilities and forms of documentation are generally not wanted:
- Attacks that require physical access to a user's device or network
- The use of a library known to be vulnerable or publicly known to be broken (unless there is active evidence of exploitability)
- Social engineering targeting individuals or entities of the organisation
- Denial-of-service (DoS) or distributed denial-of-service (DDoS) attacks
- Bots, spam, bulk registration
Scope
Not in scope: All (sub) domains and services that are not explicitly listed, are not in scope
In scope::
- www.placeb.ch
Website with booking, checkout and payment process. Friendly hackers are allowed to create new users or book a storage room for testing (in compliance with the rules of section "Rules - Creating users and booking a storage room")
- api.placeb.ch
Backend server (in compliance with the rules of section "Rules - Physical Part")
- socket.prod.placeB.ch
IOT Gateway Server
- Android App
Android App to manage bookings, account and accessing the storage room. Google Play Store
- iOS App
iOS App to manage bookings, account and accessing the storage room. App Store
Rechtliches
placeB AG gives their approval for security researchers to use hacking methods based on the specified briefing. Due to this consent, the criminal liability criterion of unauthorized obtaining/unauthorized use and thus the criminal liability of the security researchers with regard to the criminal offenses in Art. 143 Swiss Criminal Code (Unauthorised obtaining of data) and Art. 143bis Swiss Criminal Code (Unauthorised access to a data processing system) does not apply.