Socrata helps public sector organizations improve transparency, citizen service, and data-driven decision-making. Our user-friendly solutions deliver data to governments trying to reduce costs, to citizens who want to understand how their tax dollars are used, and to civic hackers dedicated to creating new apps and improving services.
We take the security of our systems seriously, and we value the security researcher community. The disclosure of security vulnerabilities by security researchers helps us ensure the security and privacy of our users and makes the Web a safer place for all.
Because our platform is built for data sharing, it is worthwhile for researchers to familiarize themselves with the account permission models in place and especially with our Socrata Query Language (SoQL).
- We strictly prohibit the use of automated scanners; we run our own DAST :)
- All testing must be limited to 07:00-18:00 PDT (UTC-7); this helps our on-call staff stay sane :)
- Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction of data during security testing
- Perform research only within the scope set out below
- Use the identified communication channels to report vulnerability information to us
- Keep information about any vulnerabilities you’ve discovered confidential between yourself and Socrata
If you follow these guidelines when reporting an issue to us we commit to:
- Not institute civil legal action against you, and not support a criminal investigation
- Work with you to understand and resolve the issue quickly (confirming the report within one week of submission)
- Recognize your contribution on our Security Researcher Hall of Fame, if you are the first to report the issue and we make a code or configuration change based on the issue
Thank you for participating and happy hunting!
To be eligible for a reward, your submission must include clear reproduction steps and provide details around exploitability and impact. Including screenshots or providing a video is helpful as well.
| Technical severity | Reward range |
| --- | --- |
| P1 Critical | $2,100 - $2,500 |
| P2 Severe | $1,000 - $1,250 |
| P3 Moderate | $450 - $600 |
| P4 Low | $150 - $200 |
Testing is only authorized on the targets listed as In-Scope. Any domain/property of Socrata not listed in the targets section is out of scope, including any subdomains not listed there. If you happen to identify a security vulnerability on a target that is not in scope but that demonstrably belongs to Socrata, it may be reported to this program and is appreciated, but it will ultimately be marked as 'not applicable' and will not be eligible for monetary or points-based compensation.
Note that submissions of leaked API keys and credentials are welcome; however, we do not permit researchers to test them prior to submission. Additionally, please do not submit credentials that appear to be related to unit testing or other early software development lifecycle stages, as these typically do not carry any risk and will not be rewarded. Socrata will have the final say on impact once any submitted API keys or credentials have been reviewed.
Getting Started - General Usage
Create a primary account at: https://opensecurity.demo.socrata.com/
Please use the following email format: firstname.lastname@example.org
- Example: email@example.com
- This will forward email to your registered Bugcrowd email address
- Display name = Bugcrowd (unique name)
- Example = Bugcrowd Jane
Create a secondary account [to test account and data integrity]
Please use the following email format: firstname.lastname@example.org
- Example: email@example.com
- Display name = Bugcrowd (unique name)
- Example = Bugcrowd Jane02
If you are able to compromise any datasets or accounts to the point where you would be able to modify the data, DO NOT DO SO. Let us know and we'll create a test dataset for you to try the changes on.
In scope
- Access Control Vulnerabilities
  - Public or anonymous user access to non-public resources (e.g. private drafts)
  - Roled user access to restricted-role resources (e.g. accessing private drafts not shared with that user)
- Confidentiality Impact (private data access or leakage)
- Server-side Remote Code Execution (RCE)
- SQL Injection (SQLi) - Note: Please see notes on SQL vs. SoQL below before reporting SQLi
- Path/Directory Traversal Issues
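One way to run the two-account access-control check the program asks for (a primary account that owns private drafts, a secondary account and an anonymous session that should not be able to read them), as an added example that is not Socrata's code and does not use Socrata's real API: every private resource the primary account can read is re-requested as each other principal, and any 2xx is flagged. The `fetch` callable, the `/example/resource/...` paths and all responses are constructed stand-ins. The check only issues reads, so it stays within the "do not modify data" rule above.

```python
"""Two-account access-control check.

Added example (not Socrata's own code or API): given resource URLs that the
primary account can read and knows to be private, re-request each one as the
secondary account and as an anonymous session and flag any 2xx. The fetch
callable, the /example/... paths and the responses below are constructed for
illustration. Only GET-style reads are issued, so nothing is modified.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Sequence, Tuple

Session = str  # "primary", "secondary" or "anonymous"


@dataclass(frozen=True)
class Response:
    status: int
    body: str


# fetch(session, url) -> Response. In real testing this wraps an HTTP client
# that carries each session's cookies; the signature here is hypothetical.
Fetch = Callable[[Session, str], Response]

Finding = Tuple[str, Session, int, str]


def authz_diff(private_urls: Sequence[str], fetch: Fetch,
               principals: Sequence[Session] = ("anonymous", "secondary")) -> List[Finding]:
    """Return (url, principal, status, verdict) for every URL a non-owner can read.

    LEAK   -> non-owner got a 2xx with the owner's exact body
    REVIEW -> non-owner got a 2xx with a different body (partial exposure,
              redacted view, or an error page served with 200; check by hand)
    401/403/404 from a non-owner are the expected denials and are not reported.
    """
    findings: List[Finding] = []
    for url in private_urls:
        owner = fetch("primary", url)
        if owner.status != 200:
            continue  # nothing private to compare against; skip this URL
        for principal in principals:
            other = fetch(principal, url)
            if 200 <= other.status < 300:
                verdict = "LEAK" if other.body == owner.body else "REVIEW"
                findings.append((url, principal, other.status, verdict))
    return findings


# Constructed fixtures (not real data and not real Socrata paths):
#   draft-1: leaks in full to another logged-in user, denied to anonymous
#   draft-2: correctly denied to everyone but the owner
#   draft-3: another logged-in user gets a 200 with a different body
_FIXTURES: Dict[Tuple[Session, str], Response] = {
    ("primary",   "/example/resource/draft-1"): Response(200, '{"id":"draft-1","private":true,"rows":[1,2,3]}'),
    ("secondary", "/example/resource/draft-1"): Response(200, '{"id":"draft-1","private":true,"rows":[1,2,3]}'),
    ("anonymous", "/example/resource/draft-1"): Response(403, "forbidden"),
    ("primary",   "/example/resource/draft-2"): Response(200, '{"id":"draft-2","private":true,"rows":[4]}'),
    ("secondary", "/example/resource/draft-2"): Response(404, "not found"),
    ("anonymous", "/example/resource/draft-2"): Response(403, "forbidden"),
    ("primary",   "/example/resource/draft-3"): Response(200, '{"id":"draft-3","private":true,"rows":[5,6]}'),
    ("secondary", "/example/resource/draft-3"): Response(200, '{"id":"draft-3","private":true,"rows":[]}'),
    ("anonymous", "/example/resource/draft-3"): Response(401, "login required"),
}


def fake_fetch(session: Session, url: str) -> Response:
    """Stand-in for a real HTTP client; unknown (session, url) pairs look like 404s."""
    return _FIXTURES.get((session, url), Response(404, "not found"))


def run_demo() -> List[Finding]:
    urls = ["/example/resource/draft-1", "/example/resource/draft-2", "/example/resource/draft-3"]
    return authz_diff(urls, fake_fetch)


if __name__ == "__main__":
    for url, who, status, verdict in run_demo():
        print(f"{verdict:6} {who:9} {status} {url}")
```

Against the constructed fixtures the demo reports draft-1 as a LEAK to the secondary account and draft-3 for manual REVIEW, and nothing for draft-2. In real use, replace `fake_fetch` with a wrapper around an HTTP client holding the cookies of the primary, secondary and anonymous sessions, feed it only URLs of resources you created as private in your own primary account so public datasets do not show up as false positives, and keep the runs inside the testing window set above.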
Out of scope
- Any customer sites hosted on the Socrata platform are explicitly off-limits.
- Any services hosted by third-party providers are excluded from scope. These include:
  - Third-party add-ons
The following finding types are specifically excluded from the bounty and are things we do not want to see:
- Personally identifiable information (PII) of users that you may have found during your research
- Output from a commercial or commonly available scanning tool. We know.
- Seriously, don't try to brute-force other user accounts.
- Bug reports coming through any channels other than Bugcrowd. Do not file support tickets at support.socrata.com or e-mail our support staff. Please use the Bugcrowd portal.
- Findings from physical testing such as office access (e.g. open doors, tailgating)
- Findings derived primarily from social engineering (e.g. phishing, vishing)
- Findings from applications or systems not listed in the ‘Targets’ section
- Functional, UI and UX bugs and spelling mistakes
- Network and application level Denial of Service (DoS/DDoS) vulnerabilities
- HTTP 404 codes/pages or other HTTP non-200 codes/pages.
- Disclosure of known public files or directories, (e.g. robots.txt).
- Clickjacking and issues only exploitable through clickjacking.
- CSRF on forms that are available to anonymous users (e.g. the contact form).
- CSRF attacks that require knowledge of the CSRF token (e.g. attacks involving a local machine).
- Content Spoofing.
- Login or Forgot Password page brute force and account lockout not enforced.
- Username / email enumeration.
- Missing HTTP security headers, e.g.
  - Cache-Control and Pragma
- No load testing (DoS/DDoS etc.) is allowed.
  - This includes application DoS as well as network DoS.
- Vulnerabilities that are limited to unsupported browsers will not be accepted.
- Missing or incorrect DMARC records of any kind.
- Source code disclosure vulnerabilities.
- Information disclosure of non-confidential information (e.g. issue id, project id, commit hashes).
- Email bombing, flooding, or missing rate limiting