Description
Abacus is an owner-managed Swiss software company. The company has been successfully developing business management ERP software for over 35 years - in the areas of finance, human resources, administration and sales, and production and services, among others. Abacus is now the largest and most successful independent Swiss provider of business software for SMEs. The primary goal of the software company is still to develop relevant solutions for its customers.
Rules
The organisation operates various platforms and services, but only services from the explicitly listed domains / URLs are in the scope of the program. All other domains, and any services not explicitly listed, are therefore not eligible for reward and do not fall under the Legal Safe Harbor Agreement.
By participating in this program, security researchers undertake to document information about any vulnerability found exclusively via the platform's designated reporting form and not anywhere else. They also agree to keep the found vulnerability confidential after reporting it on the platform. Finally, they undertake to upload to the platform any customer data obtained during testing, to delete any local copies afterwards, and not to distribute it further.
Hacking Methods
By participating in the program, security researchers agree not to use methods that would adversely affect the tested applications or their users. These include:
- Social engineering
- Spamming
- Phishing
- Denial-of-service attacks or other brute force attacks
- Physical attacks
In addition to the prohibited methods listed above, security researchers must immediately stop vulnerability scanning if they determine that their activity is causing a significant degradation of the platform's or service's operations (a negative impact on regular users or on the operations team).
Qualified vulnerabilities
Any reproducible design or implementation problem that affects security can be reported.
Typical examples:
- Cross Site Request Forgery (CSRF)
- Cross Site Scripting (XSS)
- Insecure Direct Object Reference
- Remote Code Execution (RCE)
- Injection Flaws
- Information Leakage and Improper Error Handling
- Unauthorized access to properties or accounts
Other examples:
- Data/information leaks
- Possibility of data/information exfiltration
- Backdoors that can be actively exploited
- Potential for unauthorized system use
- Misconfigurations
Non-qualified vulnerabilities
The following vulnerabilities and forms of documentation are generally not wanted and will be rejected:
- Attacks that require physical access to a user's device or network
- Forms with missing CSRF tokens (unless the CVSS score exceeds 5)
- Self-XSS
- The use of a library known to be vulnerable or publicly known to be broken (unless there is active evidence of exploitability)
- Reports from automated tools or scans without explanatory documentation
- Social engineering targeting individuals or entities of the organisation
- Denial-of-service (DoS) or distributed denial-of-service (DDoS) attacks
- Bots, spam, bulk registration
- Reports of best practices that do not directly result in an exploitable vulnerability (e.g., certificate pinning, missing security headers)
- Use of vulnerable and "weak" cipher suites/ciphers
- Missing rate limiting without further security impact
Scopes
In scope
- Abacus-ERP
The Abacus software can be launched either via a client application or directly in the browser; these two environments are called "Abacus-ERP" and "Abacus-ERP Browser Edition". The functionality is split into smaller "programs" that are started through the AbaMenu. Every program has a letter + number identifier (e.g. A11, Q908, J6311). Abacus ERP has an enormous amount of functionality, with over 500 different programs. To start the ULC Abacus programs you need the client software "abaclient", which can be installed free of charge: https://downloads.abacus.ch/downloads/abaclient
Launch URL - https://bug-bounty1-1.shop.abanet.io/
- Abacus-ERP Browser Edition
Abacus-ERP Browser Edition contains around 10% of all programs and does not need the abaclient software. It is the future direction of the product and is under active development. It is based on Vaadin, the same technology as the MyAbacus Portal solution.
Launch URL - https://bug-bounty1-1.shop.abanet.io/
- MyAbacus Portal
Server: https://bug-bounty1-1.shop.abanet.io:443
Mandant (client/tenant): 9999
The following describes each portal contained within the MyAbacus Portal environment.
HR Portal
The HR portal is intended for employees of the company. Employees can manage their work time, expenses, personal data, holidays and a lot more.
Multiple views all about the employee and their position in the company.
• Worktime Management
• Holiday
• Personal Information
• Company News
• Recruitment
• etc.
Depending on the employee's position, different views are visible. The HR Lead can see more details about other employees than the normal workforce can.
Finance Portal
Allows employees access to the financial overview for the company. It hosts reports to look into the past or make budgets for the future.
Multiple Views about the finances of the company.
Only MyAbacus2 and MyAbacus3 have access.
CRM Portal
The CRM portal gives employees access to the addresses of customers and partners. It is also home to Activity / Lead Management.
Multiple views about Customer Relation Management.
• Addresses
• Activities
• Leads
• Company Calendar
All employees have access to the company's addresses, activities and leads.
SCM Portal
Multiple views about the company's infrastructure and its order and service management. Service technicians can process fault and maintenance orders and view service object information. Several views are visible to MyAbacus2 and MyAbacus3. Service orders have already been created and can be commented on. There is a PDF Sketch application that lets you overlay comments on a PDF file.
ORDE Portal
Allows users to create and manage quotations as well as sales orders. It also supports the further processing of these documents throughout the sales workflow.
Multiple views about the order management of the company.
Note: HTML injection reports are not eligible for bounty rewards. The ability to inject HTML is an intended feature of our web portals and is used to support dynamic content rendering. Reports based solely on HTML injection, without demonstrating a security impact such as cross-site scripting (XSS), privilege escalation or data leakage, will not be considered valid under this program.
- Abacus API
Scope Insights (API)
The following points outline technical areas of interest and potential vectors for investigation during the bug bounty program. Participants are encouraged to explore the topics below during their assessment:
1. API Version Differences
Two major API versions are in use: v1 and v2. Differences in responses, available filters and data handling between these versions are of particular interest.
2. OData Query Parameters
OData query options such as $filter, $expand and $select are supported and may be entry points for injection-related vulnerabilities. Testing unexpected input patterns is encouraged.
3. Resource Access and Authorization
Access to specific resources is restricted based on user permissions. Nevertheless, test whether API calls from other collections can improperly reach protected resources.
4. AbaReport Functionality
The AbaReport feature allows report generation in XML, JSON and TXT formats. Testing for manipulation of report contents, inclusion of unintended data and abuse of the report generation process is encouraged.
5. "Other Endpoints" Collection
The REST APIs listed under the "Other Endpoints" collection are not part of the defined bug bounty scope. However, if these endpoints are accessible with the existing user roles, that may indicate gaps in authorization enforcement.
6. OData Protocol Version
The application uses OData v4.0, whereas the latest version is v4.01. Investigating the protocol differences may uncover exploitable limitations or legacy behaviour in the older version.
OData API
The Abacus API, built on the OData 4.0 specification, exposes core datasets so that customers and third parties can integrate with Abacus ERP easily.
https://apihub.abacus.ch/odata
C:H I:H A:H for this asset only
Other APIs
A collection of various API endpoints with different use cases, from service health checks to full Mandant provisioning. The confidentiality, integrity and availability impact varies widely from API to API, because some are used only in hosting environments on secure networks and are not exposed to customers.
https://apihub.abacus.ch/endpoints/notodata
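A small probe builder and response triage for points 1, 2 and 3 above (the v1/v2 comparison, the $filter/$select/$expand query options, and clean versus leaky error handling). This is an added example for readers of this brief, not Abacus code or anything taken from apihub.abacus.ch: the host, the /api/<version>/<EntitySet> path shape, the "Addresses" entity set, the "Name" property and every sample response are assumptions constructed for illustration. The one technique worth noting is the string-literal escaping: OData doubles an embedded single quote, so a probe built with odata_string() is valid OData and a SQL error in response to it implicates the backend, not the parser.

```python
"""Probe builder and response triage for the OData $filter/$select/$expand
query options and the v1/v2 comparison described in the scope insights.

Added example for this brief, not Abacus code.  The host, the /api/<version>/
path shape, the entity set and property names and every response body below
are assumptions constructed for illustration; take the real API shape from
apihub.abacus.ch and send probes only to the in-scope host.
"""
import re
from urllib.parse import quote

BASE = "https://apihub.example.invalid"   # assumed placeholder, deliberately not the target
SAFE_CHARS = "'(),/="                      # keep OData punctuation readable in the URL


def odata_string(value: str) -> str:
    """Encode value as an OData string literal.

    OData escapes an embedded single quote by doubling it.  A probe built this
    way is *valid* OData, so a 500 or SQL error text in response to it points at
    the backend (e.g. the literal being concatenated into SQL) rather than at
    the OData parser rejecting malformed input.
    """
    return "'" + value.replace("'", "''") + "'"


def build_url(version: str, entity_set: str, params: dict) -> str:
    """Assemble /api/<version>/<EntitySet>?$filter=...&$select=... (assumed path shape)."""
    query = "&".join(
        quote(key, safe="$") + "=" + quote(val, safe=SAFE_CHARS)
        for key, val in params.items()
    )
    return f"{BASE}/api/{version}/{entity_set}?{query}"


def probes(field: str) -> dict:
    """Query-option sets to send to the same entity set under v1 and v2."""
    embedded = "O'Brien"          # legitimate data that needs escaping
    sqlish = "x' OR 1=1 --"      # harmless as OData, dangerous only if re-interpolated
    return {
        "baseline": {"$filter": f"{field} eq {odata_string('Muster')}", "$top": "1"},
        "escaped_quote": {"$filter": f"{field} eq {odata_string(embedded)}"},
        "sql_in_literal": {"$filter": f"{field} eq {odata_string(sqlish)}"},
        "unbalanced_quote": {"$filter": f"{field} eq 'x"},        # malformed on purpose
        "select_unknown": {"$select": f"{field},DoesNotExist"},    # error-handling check
        "expand_all": {"$expand": "*", "$top": "1"},               # what does each version reveal?
    }


# Markers of internal detail that should never reach an API client.
LEAK_MARKERS = re.compile(
    r"SQLSyntaxError|SQLException|ORA-\d{5}|syntax error at or near"
    r"|Traceback \(most recent call last\)|\bat [\w$.]+\(\w+\.java:\d+\)",
    re.IGNORECASE,
)


def triage(status: int, body: str) -> str:
    """Classify one response.  'error_leak' is reportable as information
    leakage / improper error handling; 'server_error' on a valid probe deserves
    a manual look; 'handled' means the parser rejected bad input cleanly."""
    if LEAK_MARKERS.search(body):
        return "error_leak"
    if status >= 500:
        return "server_error"
    if status in (401, 403):
        return "denied"
    if 400 <= status < 500:
        return "handled"
    if 200 <= status < 300:
        return "ok"
    return "other"


def compare_versions(results: dict) -> list:
    """results maps probe name -> {"v1": (status, body), "v2": (status, body)}.
    Return the probes whose triage class differs between the versions; per the
    brief, those differences are where to dig first."""
    findings = []
    for name, per_version in results.items():
        v1, v2 = triage(*per_version["v1"]), triage(*per_version["v2"])
        if v1 != v2:
            findings.append((name, v1, v2))
    return findings


# Constructed sample responses standing in for the two API versions.  Not
# captured from any Abacus system; they exist so the triage runs offline.
SAMPLE_RESPONSES = {
    "baseline": {
        "v1": (200, '{"value":[{"Name":"Muster"}]}'),
        "v2": (200, '{"value":[{"Name":"Muster"}]}'),
    },
    "unbalanced_quote": {
        "v1": (400, '{"error":{"code":"400","message":"Bad Request"}}'),
        "v2": (400, '{"error":{"code":"400","message":"Bad Request"}}'),
    },
    "sql_in_literal": {
        "v1": (500, '{"error":{"message":"SQLSyntaxErrorException near OR 1=1 --"}}'),
        "v2": (200, '{"value":[]}'),
    },
}

if __name__ == "__main__":
    for name, params in probes("Name").items():
        print(name, build_url("v1", "Addresses", params))
    for finding in compare_versions(SAMPLE_RESPONSES):
        print("version difference:", finding)
```

Run the same probe set against both versions with real responses in place of SAMPLE_RESPONSES; a probe that is clean under one version and leaks under the other is exactly the v1/v2 discrepancy the brief asks for, and a "denied" result for one role that becomes "ok" for another is the authorization gap of point 3.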
- Not in Scope
All (sub) domains and services that are not explicitly listed, are not in scope.
Everything that is not mentioned under https://apihub.abacus.ch/rest, for example ODBC interfaces or AbaConnect, is out of scope.
Further out of scope are all endpoints not starting with "/api/*", unless explicitly mentioned in the "Odata Endpoints" or "Other Endpoints" parts, and any 3rd party system connected to the myAbacus Portal.
The following incomplete list of services are out of scope:
• DeepBox
• DeepMail
• DeepV
• DeepID
• DeepSign
• AbaSky
Source Code
Source code is available at https://downloads.abacus.ch/downloads/servicepacks/version-2025
Shared Space Warning
This is a shared environment with a limited number of distinct users. Please take care not to interfere with other bug bounty hunters, and only delete or write data when needed.
Important Note
Where a finding on the MyAbacus scope is also present on the BDO implementation, it will be rewarded by Abacus only. Should the issue be in BDO's implementation and not Abacus's, it will be rewarded by BDO only. If you submit the same finding to both programs, one submission will be marked as informative and closed. If you have any questions, please get in touch: [email protected]
Procedure
- Get invited to this private bug bounty program
- Read the program definitions (scope, rules, …)
- Start looking for vulnerabilities, respecting the definitions in this program (scope, rules, ...).
- Report found vulnerabilities and support the platform and the customer in verifying them.
- Get paid for confirmed, new vulnerabilities.
Legal
The organisation gives its approval for security researchers to use hacking methods based on the specified briefing. Because of this consent, the criminal liability criterion of unauthorized obtaining / unauthorized use, and thus the criminal liability of the security researchers with regard to the offences in Art. 143 Swiss Criminal Code (Unauthorised obtaining of data) and Art. 143bis Swiss Criminal Code (Unauthorised access to a data processing system), does not apply.
Bounty Levels
| Severity | Bounty |
|---|---|
| Critical | CHF 2600-5000 |
| High | CHF 1000-2600 |
| Medium | CHF 400-800 |
| Low | CHF 50-150 |