Prezi

Prezi Bug Bounty - All you need to know

Last updated: 2013.12.05

At Prezi, we believe in harnessing the power of the security researcher community to help keep our users safe. Through this program we encourage the responsible disclosure of security vulnerabilities. Please check our Security Hall of Fame for a list of those who have already helped us.

The aim of the Prezi Bug Bounty program is to help us improve our security in the most efficient way. Due to this current focus, we have a list of domains which are in scope; you can help us most by testing those services for web application vulnerabilities.

Responsible disclosure

To join the program you should log on with your prezi.com account (which you plan to use for testing), read this whole page, and if you are OK with everything click on the “I want to hack!” button down below. Yes, logging in this way lets us track you and what you do. We’d be stupid not to do this.

If you disclose your findings responsibly, we will not bring any lawsuit against you or launch any investigation into you. The most important rules of responsible disclosure are:

  • Never ever try to access somebody else’s account or prezis, please always use your own account(s) for testing!
  • Don’t test for DoS issues, launch social engineering attacks, or spam us or our users!
  • If you find something please provide us enough information to reconstruct the attack and give us enough time to respond to your report before you make it public!

Scope

There are some domains (listed below) that are more important to us right now. Please focus on these. If you responsibly disclose anything outside the scope and we make changes in our code base based on your submission, you will also be rewarded. However, this is done at our discretion, and please remember that the scope gives bug hunters legal protection.

The following domains (and every web service accessible on them) are the most important for us right now:

  • prezi.com
  • bin.prezi.com
  • conversionservice.prezi.com
  • log.prezi.com
  • hslogger-app.prezi.com
  • media.prezi.com
  • objectlibrary.prezi.com
  • search.prezi.com
  • themeservice.prezi.com

Please note that although the backends for our iPad and desktop applications are in scope, the applications themselves are not; therefore they are not eligible for any bounty. The same applies to any 3rd party services we use (e.g. blog.prezi.com, s3.amazonaws.com); we really don’t have the right to allow you to hack those.

What is the bounty?

The basic reward for eligible vulnerabilities for the first person to report one is 500 USD; however we will increase it at our discretion for distinctly creative or severe bugs. If you would like to, we would be happy to grant you an additional free PRO subscription for a year and add your name to our Security Hall of Fame.

Which vulnerability types are eligible for bounty?

Submissions of web vulnerabilities with a valid attack scenario that demonstrate exploitability and have significant impact on our users can be eligible for a reward (e.g. XSS, Authentication bypass, SQL Injection, Remote code execution…). We reserve the right to decide if the submission should be rewarded with a bounty.

In general, the following would not meet the threshold required for severity:

  • CSRF vulnerabilities where exploitation is not really probable (another random or hard-to-obtain value is required for exploitation), and CSRF in the logout function
  • Missing “HTTP only” flag for cookies other than the following: auth-sessionid, prezi-auth, sessionid
  • Missing “Secure” flags for any cookie
  • Username / user id enumeration
  • Missing “X-Frame-Options”, “Strict-Transport-Security”, “Nosniff”, “X-Xss-Protection” headers

If the issue you submitted does not reach the severity for a bounty, but we feel that it did in some way point out something useful for us, then we will be happy to send you some Prezi swag.

I found something, how do I send you a report?

Just drop a mail to security-bug-bounty@prezi.com [PGP] with enough information for us to reconstruct the attack. We’ll reach out to you once we have processed your mail. In case you have found multiple vulnerabilities, please send them in separate emails to help us keep track of them.

How do I know if I’m the first to report the vulnerability?

We believe in transparency, therefore every time we receive and start to process a vulnerability report we will create a private gist (gist.github.com) with the following details: timestamp of the incoming mail, vulnerability type, affected service / domain, researcher contact (if agreed to share).

Please note that by design these details will not be detailed enough to fully reproduce the attack.

The gists will only be shared with researchers who send us a previously reported vulnerability and they will be deleted one week after the fix for the issue is out.

Other legal notices

  • General warning: please try not to be destructive, and use automated tools with care.
  • Please don’t make your findings public until we respond and fix them. We will try to do our best to be really quick. But after the fix is out, we absolutely encourage you to write a blog post or create a prezi about how you demonstrated that our system sucked!
  • The program is not open for individuals on sanctions lists or individuals in countries on sanctions lists.
  • You are responsible for any tax implications or additional restrictions depending on your country and local law.
  • We reserve the right to cancel this program at any time and the decision to pay a reward is entirely at our discretion.
  • You must not violate any law. You also must not disrupt any service, or compromise anyone’s data.
 

This page is meant to register your account so that we can track your activity. Please log in, and come back again!