We appreciate all security concerns brought to our attention and are constantly striving to keep on top of the latest threats. Being proactive rather than reactive to emerging security issues is a fundamental belief at InVision. New security issues and attack vectors appear every day, and InVision strives to keep abreast of the latest state-of-the-art security developments by working with security researchers and security companies. We appreciate the community's efforts in creating a more secure world.

NOTE: We update the application regularly, so please check back for new functionality soon!

Targets

In scope

Please note that the scope is subject to change.

Credentials

Users can create their own accounts at will, and will default to the free plan.

Focus Areas

The boards and prototypes sections have been heavily tested, so we would like to focus on the more obscure parts of the application. Some areas of the application also switch to subdomains that are not listed as a Target; those subdomains are still in scope (e.g. integration.invisionapp.com).

Out-of-Scope

While we are focused on the security of our application, some items must remain out of scope.

  • 0-day vulnerabilities that are less than 30 days old
    • Once a 0-day is announced, we need time to research whether we are vulnerable and, if necessary, patch our environment from development through production
  • Any subdomain listed below (subject to change):
    • support.invisionapp.com
    • blog.invisionapp.com
    • adminblog.invisionapp.com
    • marketplace.invisionapp.com
    • postmark.invisionapp.com
    • www.invisionapp.com

NOTE: Network-level DDoS/DoS attacks are forbidden. Application-level volumetric DDoS/DoS attacks are also forbidden; if you find a request that takes too long to answer, report it rather than attempting to DoS the service.

The following finding types are specifically excluded from the bounty:

General

  • IDOR references to objects that you already have permission to access
  • Duplicate submissions that are being remediated
  • Multiple reports for the same vulnerability type with minor differences (only one will be rewarded)
  • Rate limiting
  • LiveShare termination
  • Lack of a security speed bump when leaving the site
  • Open redirect
  • Clickjacking and issues only exploitable through clickjacking
  • File uploads
    • Some of our clients need to be able to upload Retina images, which can be gigabytes in size
    • No file uploaded to the system is actually executable

System related

  • Patches released within the last 30 days
  • Networking issues or industry standards outside of InVision's control
  • Password complexity

Email related

  • SPF or DMARC records
  • Gmail "+" and "." acceptance
  • Email bombs
  • Unsubscribing from marketing emails

Information Leakage

  • Descriptive error messages (e.g. stack traces, application or server errors)
  • HTTP 404 codes/pages or other HTTP non-200 codes/pages
  • Fingerprinting / banner disclosure on common/public services
  • Disclosure of known public files or directories (e.g. robots.txt)
  • Cacheable SSL pages

CSRF

  • CSRF on forms that are available to anonymous users (e.g. the contact form, sign-up form)
  • Logout Cross-Site Request Forgery (logout CSRF)
  • Weak CSRF in the APIs

Login/Session related

  • Brute force of the Forgot Password page and account lockout not being enforced
  • Lack of Captcha
  • Sessions not expiring after email change
  • Presence of application or web browser 'autocomplete' or 'save password' functionality
  • Session timeout (this is available in our Enterprise product, for which we are working to set up a testing environment)

Missing HTTP security headers or flags (see https://www.owasp.org/index.php/List_of_useful_HTTP_headers), e.g.

  • Strict-Transport-Security
  • X-Frame-Options
  • X-XSS-Protection
  • X-Content-Type-Options
  • Content-Security-Policy, X-Content-Security-Policy, X-WebKit-CSP
  • Content-Security-Policy-Report-Only
  • Secure/HttpOnly flags on non-sensitive cookies
  • Options flag is enabled

SSL Issues, e.g.

  • SSL attacks such as BEAST, BREACH or renegotiation attacks
  • SSL forward secrecy not enabled
  • Weak or insecure SSL cipher suites

Rules

This program follows Bugcrowd’s standard disclosure terms.

This bounty requires explicit permission to disclose the results of a submission.