Socrata helps public sector organizations improve transparency, citizen service, and data-driven decision-making. Our user-friendly solutions deliver data to governments trying to reduce costs, to citizens who want to understand how their tax dollars are used, and to civic hackers dedicated to creating new apps and improving services.
We take the security of our systems seriously, and we value the security researcher community. The disclosure of security vulnerabilities by security researchers helps us ensure the security and privacy of our users, and makes the Web a safer place for all.
We require that all researchers:
- Limit the use of automated scanners and aggressive scripts;
- All testing should be limited to 0700-1800 PDT (GMT -7);
- Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction of data during security testing;
- Perform research only within the scope set out below;
- Use the identified communication channels to report vulnerability information to us; and
- Keep information about any vulnerabilities you’ve discovered confidential between yourself and Socrata until we’ve had 90 days to resolve the issue.
If you follow these guidelines when reporting an issue to us we commit to:
- Not institute a civil legal action against you and not support a criminal investigation;
- Work with you to understand and resolve the issue quickly (confirming the report within one week of submission);
- Recognize your contribution on our Security Researcher Hall of Fame, if you are the first to report the issue and we make a code or configuration change based on the issue.
Thank you for participating; it is your work that will help keep us secure.
This bounty requires explicit permission to disclose the results of a submission.
Please note that this is a production environment:
- Limit the use of automated scanners and aggressive scripts
- All testing should be limited to 0700-1800 PDT (GMT -7)
- If you suspect a Denial-of-Service or memory starvation attack is possible, DO NOT ATTEMPT THE ATTACK. Write it up and we'll try it in our next scheduled maintenance window.
Out of scope
- Any customer sites hosted on the Socrata platform are explicitly off-limits.
- Any services hosted by third-party providers are excluded from scope. These services include:
  - https://status.socrata.com (status.io)
  - Apps hosted on the Socrata App Store (http://open-data-apps.socrata.com/) that were not developed by Socrata
  - Third-party add-ons
Before you begin, please read and understand the Standard Disclosure Terms.
Create a primary account at: https://data.opendatanetwork.com/signup
- Please use the following format: email@example.com
  - Example: firstname.lastname@example.org
  - This will forward email to your registered Bugcrowd email address
- Display name = Bugcrowd (unique name)
  - Example = Bugcrowd Jane
Create a secondary account to test account and data integrity:
- Please use the following format: email@example.com
  - Example: firstname.lastname@example.org
- Display name = Bugcrowd (unique name)
  - Example = Bugcrowd Jane02
If you are able to compromise any datasets or accounts to the point where you would be able to modify the data, DO NOT DO SO. Let us know and we'll create a test dataset for you to try the changes on.
Documentation can be found at: http://dev.socrata.com/
In the interest of the safety of our users, staff, the Internet at large and you as the security researcher, the following test types are excluded from scope and not eligible for a reward:
- Findings from physical testing such as office access (e.g. open doors, tailgating)
- Findings derived primarily from social engineering (e.g. phishing, vishing)
- Findings from applications or systems not listed in the ‘Targets’ section
- Brute-forcing the credentials of other users.
- Functional, UI and UX bugs and spelling mistakes
- Network level Denial of Service (DoS/DDoS) vulnerabilities
Things we do not want to see:
- Personally identifiable information of users (PII) that you may have found during your research
- Output from a commercial or commonly available scanning tool. We know.
- Seriously, don't try to brute-force other user accounts. Impersonation is fine.
- Bug reports coming through any channels other than Bugcrowd. Do not file support tickets at support.socrata.com or e-mail our support staff. Please use the Bugcrowd portal.
The following finding types are specifically excluded from the bounty:
- Descriptive error messages (e.g. Stack Traces, application or server errors).
- HTTP 404 codes/pages or other HTTP non-200 codes/pages.
- Fingerprinting / banner disclosure on common/public services.
- Disclosure of known public files or directories, (e.g. robots.txt).
- Clickjacking and issues only exploitable through clickjacking.
- CSRF on forms that are available to anonymous users (e.g. the contact form).
- Logout Cross-Site Request Forgery (logout CSRF).
- Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality.
- Lack of Secure and HTTPOnly cookie flags.
- Lack of Security Speedbump when leaving the site.
- Weak Captcha / Captcha Bypass
- Login or Forgot Password page brute force and account lockout not enforced.
- OPTIONS HTTP method enabled
- HTTPS Mixed Content Scripts
- Username / email enumeration
  - via Login Page error message
  - via Forgot Password error message
- Missing HTTP security headers (see https://www.owasp.org/index.php/List_of_useful_HTTP_headers), e.g.
  - Content-Security-Policy, X-Content-Security-Policy, X-WebKit-CSP
- SSL Issues, e.g.
  - SSL Attacks such as BEAST, BREACH, Renegotiation attack
  - SSL Forward secrecy not enabled
  - SSL weak / insecure cipher suites
This bounty follows Bugcrowd’s standard disclosure terms.