We appreciate all security concerns brought forth and are constantly striving to keep on top of the latest threats. Being proactive rather than reactive to emerging security issues is a fundamental belief at InVision. Every day new security issues and attack vectors are created. InVision strives to keep abreast of the latest state-of-the-art security developments by working with security researchers and companies. We appreciate the community's efforts in creating a more secure world.
NOTE: We update the application regularly, so please check back for new functionality soon!
Subject to change
This target is publicly accessible from the internet.
Users can create their own accounts at will, and will default to the free plan.
The boards and prototypes sections have been heavily tested, so we would like to focus on the more obscure parts of the application. We also have some areas that change subdomains not listed as a Target, but those are in scope (i.e., integration.invisionapp.com).
While we are focused on the security of our application, there are some items that are not in scope:
- 0-day vulnerabilities that are less than 30 days old
  - Once 0-days are announced we need time to research whether we are vulnerable, and to patch our environment from development to production if necessary
- Any subdomain listed below (subject to change):
NOTE: Network-level DDoS/DoS attacks are forbidden. Application volumetric DDoS/DoS attacks are forbidden. If you find a request that takes too long to answer, report it; please do not try to DoS the service.
The following finding types are specifically excluded from the bounty:
- IDOR references for objects that you have permission to access
- Duplicate submissions that are being remediated
- Multiple reports for the same vulnerability type with minor differences (only one will be rewarded)
- Rate limiting
- LiveShare termination
- Sessions not expiring after email change
- Session Timeout (this is available in our Enterprise product, which we are working to get a testing environment set up for you)
- Email bombs
- Unsubscribing from marketing emails
- File uploads
  - Some of our clients need to be able to upload Retina images, which can be GB in size
  - No file uploaded to the system is actually executable
- Patches released within the last 90 days
- Networking issues or industry standards outside of InVision's control
- Password complexity
- SPF or DMARC records
- Gmail "+" and "." acceptance
- Descriptive error messages (e.g. Stack Traces, application or server errors)
- HTTP 404 codes/pages or other HTTP non-200 codes/pages
- Fingerprinting / banner disclosure on common/public services
- Disclosure of known public files or directories, (e.g. robots.txt)
- Clickjacking and issues only exploitable through clickjacking
- CSRF on forms that are available to anonymous users (e.g. the contact form, sign-up form)
- Logout Cross-Site Request Forgery (logout CSRF)
- Weak CSRF in the APIs
- Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality
- Lack of Secure/HttpOnly flags on non-sensitive cookies
- Lack of Security Speedbump when leaving the site
- Lack of Captcha
- Forgot Password page brute force and account lockout not enforced
- Open redirect
- OPTIONS HTTP method enabled
- Username / email enumeration
  - via Login Page error message
  - via Forgot Password error message
- Missing HTTP security headers (see https://www.owasp.org/index.php/List_of_useful_HTTP_headers), e.g.
  - Content-Security-Policy, X-Content-Security-Policy, X-WebKit-CSP
- SSL issues, e.g.
  - SSL attacks such as BEAST, BREACH, Renegotiation attack
  - SSL forward secrecy not enabled
  - SSL weak / insecure cipher suites
This bounty follows Bugcrowd’s standard disclosure terms.
This bounty requires explicit permission to disclose the results of a submission.