Become a partner   | Request Support  | Contact Sales

Bugs Program
CoreTech Bug Bounty Program

Our Bug Bounty program is temporarily closed. We will reopen it in the near future.


CoreTech working hard on security to keep service safe as possible but we know that some bugs are not discovered yet.
If you believe you've found a security issue in the services listed in our scope (TARGET), we will work with you to resolve it promptly and ensure you are fairly rewarded for your discovery.

CoreTech may provide rewards to eligible reporters of qualifying vulnerabilities. Rewards amounts vary depending upon the severity of the vulnerability reported.
CoreTech keeps the right to decide if the minimum severity threshold is met and whether the scope of the reported bug is actually already covered by a previously reported vulnerability. Rewards are granted entirely at the discretion of CoreTech. To qualify for a reward under this program, you should
If the reported vulnerability, after an evaluation by the CoreTech staff, is not among the paid ones, a score that can be viewed in the hall of fame will be assigned. Upon reaching 50 CoreTech points it will allow you to redeem an economic prize worth 50 euros.
If you wish to report a vulnerability or if the vulnerability you discovered is not included among those specified in the Bug Bounty program, please let us know. We will carefully consider including it on the program specifications page.

Reward Payment

We pay by:

  • Bank Transfer

Qualifying Vulnerabilities

Type Description Risk level
File Injection
  • Insertion of the vulnerable file without then the possibility of reaching it
  • The inserted file can be reached from the outside
  • The inserted file is externally executable
  • Inserted file allows various exclation
  • Inserted file allows you to insert remote consoles and / or modify the site
  • 4
  • 5
  • 8
  • 9
  • 10
Broken Authentication
  • Reach single user user data
  • Reach sensitive data of the single user
  • Modification / deletion of single user data
  • Access to credit cards or information that can harm the user
  • Reach user data all users
  • Reach sensitive user data all users
  • Change / delete all user data
  • Access to credit cards or information that can harm all users
  • 6
  • 7
  • 7
  • 8
  • 7
  • 8
  • 8
  • 10
Sensitive data Exposure
  • Access to all application code
  • Partial access to the application code
  • Access to confidential data of other users
  • Access to confidential data of a chosen user
  • Access to system logs
  • Access to user logs
  • Access to the logs of the chosen user
  • Various configuration
  • SQL errors
  • SQL errors with important data visualization
  • Backend language errors
  • Backend language errors with data visualization
  • Inactive or potential vulnerabilities
  • 7
  • 5
  • 6
  • 7
  • 6
  • 6
  • 6
  • 3
  • 3
  • 5
  • 2
  • 4
  • 1
Vulnerable and Outdated Components
  • Inactive or potential vulnerabilities
  • Vulnerabilities verified in the application
  • 1
  • 5
Command Injection
  • Ability to arbitrarily launch all commands
  • Possibility to launch only some malicious commands
  • Possibility to access all the functions of the machine
  • Blind Command Injection: Only test commands such as sleep or ping
  • 9
  • 8
  • 10
  • 4
SQL Injection
  • Blind SQL Injection
  • Generating the SQL error
  • Possibility of escalation and access to the database
  • Ability to delete data
  • Ability to view data
  • Ability to view sensitive data
  • Possibility to modify the data
  • 4
  • 4
  • 10
  • 7
  • 7
  • 8
  • 7
Cryptographic Failures
  • Only a decrypted data (sent to the client)
  • All data decrypted (sent to client)
  • Sensitive database data decryption
  • Display of data that should be encrypted
  • Method to decrypt all data using the app
  • 5
  • 6
  • 6
  • 4
  • 6
Broken Access Control
  • Ability to get all users' passwords
  • Bypassing the password or username
  • Login configuration error
  • Possibility of obtaining the password of a limited group of users
  • Via single-user SQL Injection
  • Through a single-user design error
  • 9
  • 8
  • 8
  • 8
  • 6
  • 7
XSS and Other
  • Blind XSS
  • XSS with session theft
  • XSS with GUI modification
  • XSS with addition of texts in formats in line with the site
  • XSS with sensitive data theft
  • XSS slowdowns for the user
  • XSS with slowdowns for the systemds
  • Stored Blind XSS
  • Stored XSS with session theft
  • Stored XSS with GUI modification
  • Stored XSS with compelling text added in the gui
  • Stored XSS with sensitive data theft
  • Stored XSS slowdowns for the user
  • Stored XSS with slowdowns for the system
  • Stored Open Redirect
  • Open Redirect via link
  • 3
  • 7
  • 3
  • 4
  • 6
  • 5
  • 5
  • 4
  • 8
  • 4
  • 5
  • 7
  • 6
  • 6
  • 6
  • 5
Access to Systems
  • Read access
  • Write access
  • Possibility to encrypt
  • 8
  • 10
  • 10
Session Hijacking
  • Single user
  • Multiple users
  • Targeted user
  • By theft
  • Through prevention
  • 6
  • 8
  • 7
  • 7
  • 8

Eligibility and Responsible Disclosure

We are happy to work with everyone who submits valid reports which help us improve our security.
However, only those that meet the following eligibility requirements may receive a monetary reward:

  • You need to be the first person to report an unknown issue.
  • Any vulnerability found must be reported no later than 24 hours after discovery.
  • You are not allowed to disclose details about the vulnerability anywhere else.
  • You must avoid tests that could cause degradation or interruption of our service.
  • You must not leak, manipulate, or destroy any user data.
  • You are only allowed to test against accounts you own yourself.
  • The use of automated tools or scripted testing is not allowed.
  • You must not be a former or current CoreTech employee.
  • Send a clear textual description of the report along with steps to reproduce the vulnerability, include attachments such as screenshots or proof of concept code as necessary.
  • Disclose the vulnerability report exclusively to CoreTech


We intend to respond and resolve reported issues as quickly as possible. This means that you will receive progress updates from us periodically. Note that posting details or conversations about the report or posting details that reflect negatively on the program and the CoreTech brand, will result in immediate disqualification from the program.


Security analyzes that include inefficiencies such as:

  • System slowdowns or freezes
  • Repeated sending of emails (More than 5 emails)
  • Actual damages to users or employees

They will not be eligible for cash rewards.

Scopes


Out of scope security bugs are currently not eligible for monetary rewards and will be handled as a responsible disclosure.

How to communicate the vulnerability

To report a valid vulnerability we kindly ask you to:

  • Use the appropriate form: https://www.coretech.it/en/service/chi_siamo/contatti.php. Select as contact reason "Participate in Bug Bounty".
  • Brief description of the vulnerability found and any damage and risks associated with it.
  • Demonstration video of how the vulnerability is executed and what possible damage it can cause.

*If the form does not appear to be working, we ask you to send us an email with the subject "Bug Bounty (Contact us!)" to the email address developer@coretech.it. Reports with a different subject or email may be marked as spam by our systems

*The video Demostration must include detailed instructions on how to exploit the vulnerability to attack the victim. This document must be formulated in a clear and reproducible way so that our team responsible for analyzing reports can evaluate it accurately. It should be noted that vulnerabilities that can only be exploited in a local environment of the attacker or require physical access to the victim's machine will not be taken into consideration for the purposes of remuneration.


Every 3 weeks we view new vulnerability reports. Please note that the reminder request on the same vulnerability can only be made 3 weeks after the first report. Reminders received before this period will be considered as spam and, in some cases, could influence the allocation of economic rewards.

Legend


Sensitive data

By "sensitive data" we mean any non-public data.

Critical access

By "critical access" we mean access to servers or services with admin permissions

major damage to society

By "major damage to society" we mean significant damage in terms of turnover or loss of data importanti in maniera irreversibile

language errors

By "language errors" we mean the display of errors from MySQL or other languages

Inactive or potential vulnerabilities

By "Inactive or potential vulnerabilities" we mean all those vulnerabilities that do not lead to concrete damage but in some cases could lead to damage. For example an XXS that prints "1" but fails to do anything but print "1"


Hall of Fame

Nickname Reports Point
m0m0x01d 3 /
jsafe 1 /
Ninebrainer 1 /
Yogesh 1 /
jayalakshmi 3 /
Sohit Kumar Mahato 33 1345
BrainStorm (aka Davide Bonsangue) / /
HARDIK (Linkedin) 1 25
mak (Linkedin) 1 20
57hakur (Twitter) 1 5
Himanshu Sondhi 1 25
Hasibul Hasan Shawon (Twitter) 2 100
Mohammed Simo Latifi (Linkedin) 1 150
Estin Fripal 1 150