We appreciate all security concerns brought forth and are constantly striving to keep on top of the latest threats. Being pro-active rather than re-active to emerging security issues is a fundamental belief at InVision. Every day new security issues and attack vectors are created. InVision strives to keep abreast on the latest state-of-the-art security developments by working with security researchers and companies. We appreciate the community's efforts in creating a more secure world.
NOTE: We update the application regularly, so please check back for new functionality soon!
Out of scope
Please note that the scope is subject to change
If adding screenshots (images) and/or screen recordings (video) to support the submission, please attach directly to the submission. Do not use third party sites to host them.
Any domain/property of InVisionApp or Muzli not listed in the targets section is out of scope. This includes any/all subdomains not listed above.
8.16.18 Update: All testing must be performed using your @Bugcrowdninja.com email address. All others are subject being blocked from the targets completely.
Targets - No Account Needed
The boards and prototypes section have been heavily tested, so we would like to focus on the more obscure parts of the application. We also have some areas that change subdomains not listed as a Target, but those are in scope (ie, integration.invisionapp.com).
While we are focused on the security of our application, we must have some items that are not in scope.
- 0-day vulnerabilities that are less than 30 days old
- Once 0-days are announced we need time to research if we are vulnerable, and patch our environment from development to production if necessary
- Any content / information hosted or managed by a 3rd party (e.g. zendesk, etc.)
- Any subdomain listed below (subject to change):
NOTE: Network Level DDoS/DoS attacks are forbidden. Application volumetric DDoS/DoS attacks are forbidden, if you find a request that takes too long to answer report it, please do not try to DoS the service.
The following finding types are specifically excluded from the bounty:
- IDOR references for objects that you have permission to
- Duplicate submissions that are being remediated
- Multiple reports for the same vulnerability type with minor differences (only one will be rewarded)
- Rate limiting
- LiveShare termination
- Lack of Security Speedbump when leaving the site
- Open redirect
- Clickjacking and issues only exploitable through clickjacking
- File uploads
- Some of our clients need to be able to upload Retina images, which can be GB in size
- No file uploaded to the system is actually executable
- Patches released within the last 30 days
- Networking issues or industry standards outside of InVision's control
- Password complexity
- SPF or DMARC records
- Gmail "+" and "." acceptance
- Email bombs
- Unsubscribing from marketing emails
- Descriptive error messages (e.g. Stack Traces, application or server errors)
- HTTP 404 codes/pages or other HTTP non-200 codes/pages
- Fingerprinting / banner disclosure on common/public services
- Disclosure of known public files or directories, (e.g. robots.txt)
- Cacheable SSL pages
- CSRF on forms that are available to anonymous users (e.g. the contact form, sign-up form)
- Logout Cross-Site Request Forgery (logout CSRF)
- Weak CSRF in the APIs
- Forgot Password page brute force and account lockout not enforced
- Lack of Captcha
- Sessions not expiring after email change
- Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality
- Session Timeout (available in our Enterprise product)
Missing HTTP security headers or flags, specifically (https://www.owasp.org/index.php/List_of_useful_HTTP_headers), e.g.
- Content-Security-Policy, X-Content-Security-Policy, X-WebKit-CSP
- Secure/HTTPOnly flags on non-sensitive cookies
- Options flag is enabled
SSL Issues, e.g.
- SSL Attacks such as BEAST, BREACH, Renegotiation attack
- SSL Forward secrecy not enabled
- SSL weak / insecure cipher suites