Socrata helps public sector organizations improve transparency, citizen service, and data-driven decision-making. Our user-friendly solutions deliver data to governments trying to reduce costs, to citizens who want to understand how their tax dollars are used, and to civic hackers dedicated to creating new apps and improving services.
We take the security of our systems seriously, and we value the security researcher community. The disclosure of security vulnerabilities by security researchers helps us ensure the security and privacy of our users and makes the Web a safer place for all.
Because our platform is built for data sharing, it is worthwhile for researchers to familiarize themselves with the account permission models in place and especially with our Socrata Query Language (SoQL).
- Access Control Vulnerabilities
  - Public or anonymous user access to non-public resources (e.g. Private drafts)
  - Roled user access to restricted-role resources (e.g. accessing Private drafts not shared with that user)
- Confidentiality Impact (private data access or leakage)
- Server-side Remote Code Execution (RCE)
- SQL Injection (SQLi) - Note: Please see notes on SQL vs. SoQL below before reporting SQLi
- Path/Directory Traversal Issues
- We strictly prohibit the use of automated scanners - we have our own DAST :)
- All testing should be limited to 0700-1800 PDT (GMT -7) - this helps our on-call staff stay sane :)
- Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction of data during security testing
- Perform research only within the scope set out below
- Use the identified communication channels to report vulnerability information to us
- Keep information about any vulnerabilities you’ve discovered confidential between yourself and Socrata
If you follow these guidelines when reporting an issue to us we commit to:
- Not institute a civil legal action against you and not support a criminal investigation
- Work with you to understand and resolve the issue quickly (confirming the report within one week of submission)
- Recognize your contribution on our Security Researcher Hall of Fame, if you are the first to report the issue and we make a code or configuration change based on the issue
Thank you for participating and happy hunting!
| Technical severity | Reward range |
|---|---|
| P1 Critical | $2,100 - $2,500 |
| P2 Severe | $1,000 - $1,250 |
| P3 Moderate | $450 - $600 |
| P4 Low | $150 - $200 |
We prohibit the use of automated scanners and aggressive scripts
All testing should be limited to 0700-1800 PDT (GMT -7)
If you suspect a Denial-of-Service or memory starvation attack is possible, report it but do not attempt the attack.
If you believe you have found sensitive customer data (e.g. login credentials, API keys, etc.) or a way to access customer data (i.e. through a vulnerability), report it, but do not attempt to successfully validate that finding.
Write it up and we'll try it in our next scheduled maintenance window. These specific finding types may take additional time for reproduction and testing; we appreciate your patience and understanding for any highly sensitive findings.
To be eligible for a reward, your submission must include clear reproduction steps and provide details around exploitability and impact. Including screenshots or providing a video is helpful as well.
Out of scope
- Any customer sites hosted on the Socrata platform are explicitly off-limits.
- Any services hosted by 3rd party providers and services are excluded from scope.
These services include:
- Third-party add-ons
Before you begin, please read and understand the Standard Disclosure Terms.
Getting Started - General Usage
Create a primary account at: https://opensecurity.demo.socrata.com/
- Please use the following format: firstname.lastname@example.org
- Example: email@example.com
- This will forward email to your registered Bugcrowd email address
- Display name = Bugcrowd (unique name)
- Example = Bugcrowd Jane
Create a secondary account to test account and data integrity
- Please use the following format: firstname.lastname@example.org
- Example: email@example.com
- Display name = Bugcrowd (unique name)
- Example = Bugcrowd Jane02
If you are able to compromise any datasets or accounts to the point where you would be able to modify the data, DO NOT DO SO. Let us know and we'll create a test dataset for you to try the changes on.
UI Usage: https://support.socrata.com/hc/en-us
Getting Started - API Testing
Documentation can be found at: https://dev.socrata.com/
In the interest of the safety of our users, staff, the Internet at large and you as the security researcher, the following test types are excluded from scope and not eligible for a reward:
Things we do not want to see:
- Personally identifiable information of users (PII) that you may have found during your research
- Output from a commercial or commonly available scanning tool. We know.
- Seriously, don't try to brute-force other user accounts.
- Bug reports coming through any channels other than Bugcrowd. Do not file support tickets at support.socrata.com or e-mail our support staff. Please use the Bugcrowd portal.
- Findings from physical testing such as office access (e.g. open doors, tailgating)
- Findings derived primarily from social engineering (e.g. phishing, vishing)
- Findings from applications or systems not listed in the ‘Targets’ section
- Brute-forcing the credentials of other users.
- Functional, UI and UX bugs and spelling mistakes
- Network and Application level Denial of Service (DoS/DDoS) vulnerabilities
The following finding types are specifically excluded from the bounty:
- Descriptive error messages (e.g. Stack Traces, application or server errors).
- HTTP 404 codes/pages or other HTTP non-200 codes/pages.
- Fingerprinting / banner disclosure on common/public services.
- Disclosure of known public files or directories, (e.g. robots.txt).
- Clickjacking and issues only exploitable through clickjacking.
- CSRF on forms that are available to anonymous users (e.g. the contact form).
- CSRF attacks that require knowledge of the CSRF token (e.g. attacks involving a local machine).
- Logout Cross-Site Request Forgery (logout CSRF).
- Content Spoofing.
- Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality.
- Lack of Secure/HTTPOnly flags on non-sensitive Cookies.
- Lack of Security Speedbump when leaving the site.
- Weak Captcha / Captcha Bypass.
- Login or Forgot Password page brute force and account lockout not enforced.
- OPTIONS HTTP method enabled.
- Username / email enumeration.
- Missing HTTP security headers, e.g.
  - Content-Security-Policy, X-Content-Security-Policy, X-WebKit-CSP.
  - Cache-Control and Pragma
- HTTP/DNS cache poisoning.
- SSL/TLS Issues, e.g.
  - SSL Attacks such as BEAST, BREACH, Renegotiation attack.
  - SSL Forward secrecy not enabled.
  - SSL weak/insecure cipher suites.
- No Load testing (DoS/DDoS etc.) is allowed.
  - This includes application DoS as well as network DoS.
- Vulnerabilities that are limited to unsupported browsers will not be accepted.
- Missing or incorrect SPF records of any kind.
- Missing or incorrect DMARC records of any kind.
- Source code disclosure vulnerabilities.
- Information disclosure of non-confidential information (e.g. issue id, project id, commit hashes).
- The ability to upload/download viruses or malicious files to the platform.
- Email bombing/Flooding/rate limiting