Bitrix24 is a suite of business tools: a CRM, task manager, corporate social network, chats and video calls, cloud storage, online documents, automated business processes, and other elements for running a growing business.
Rewards are paid to individual entrepreneurs and self-employed persons
Program description

Rules For You

• Be an ethical hacker and respect the privacy of other users.
• Try to avoid privacy violations, data destruction, and interruption or degradation of our services.
• If you are researching web resources and APIs, be sure to specify X-BugBounty with the value <your_username> in the HTTP User-Agent header; this helps avoid automatic blocking of anomalous activity.
• If you are researching the Bitrix24 Portal, use the word "Standoff" in the "Last Name" field when registering a test account; this helps avoid the test account being blocked.
• Automated scanning tools must be limited to 30 requests per second to a single target node, combining all tools and threads running in parallel.
• Before starting research, familiarize yourself with the rules specified in this program.
• If you discover multiple security issues while researching the Bitrix24 Portal, prepare separate reports for each identified vulnerability.
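The two tooling rules above (a researcher tag in the User-Agent header, and at most 30 requests per second to a single target node across all tools and threads) are easy to violate by accident when several scanners run in parallel. The helper below is an added example, not Bitrix24's or Standoff 365's code: a thread-safe sliding-window limiter keyed by target host, shared by every worker in the process, plus a request builder that tags the User-Agent. The exact User-Agent format ("X-BugBounty <username>") is this example's reading of the rule and should be confirmed against the program page; the portal URL and username are placeholders, and requests are built but never sent, so the demo generates no traffic.

```python
"""Rate-limited, tagged request helper for bug bounty tooling (added example)."""
import threading
import time
from collections import deque
from urllib.parse import urlsplit
from urllib.request import Request

MAX_RPS = 30       # program cap per target node, all tools and threads combined
WINDOW_SEC = 1.0   # the cap is expressed per second


class SlidingWindowLimiter:
    """Admit at most `limit` requests in any `window`-second interval (thread-safe)."""

    def __init__(self, limit: int = MAX_RPS, window: float = WINDOW_SEC):
        self.limit, self.window = limit, window
        self._stamps: deque[float] = deque()   # admission times still inside the window
        self._lock = threading.Lock()

    def acquire(self) -> float:
        """Block until a slot is free; return the monotonic time of admission."""
        while True:
            with self._lock:
                now = time.monotonic()
                # Evict admissions that have aged out of the window.
                while self._stamps and now - self._stamps[0] >= self.window:
                    self._stamps.popleft()
                if len(self._stamps) < self.limit:
                    self._stamps.append(now)
                    return now
                # The oldest in-window admission decides when the next slot opens.
                sleep_for = self.window - (now - self._stamps[0])
            time.sleep(sleep_for)


class PerHostLimiter:
    """One limiter per target host, because the cap applies per node, not globally."""

    def __init__(self, limit: int = MAX_RPS, window: float = WINDOW_SEC):
        self._limit, self._window = limit, window
        self._by_host: dict[str, SlidingWindowLimiter] = {}
        self._lock = threading.Lock()

    def for_url(self, url: str) -> SlidingWindowLimiter:
        host = urlsplit(url).hostname or ""
        with self._lock:
            if host not in self._by_host:
                self._by_host[host] = SlidingWindowLimiter(self._limit, self._window)
            return self._by_host[host]


def build_request(url: str, username: str) -> Request:
    """Request carrying the researcher tag in User-Agent (format assumed, see lead-in)."""
    return Request(url, headers={"User-Agent": f"X-BugBounty {username}"})


def max_in_any_window(stamps: list[float], window: float = WINDOW_SEC) -> int:
    """Largest number of timestamps falling into any interval (t - window, t]."""
    stamps = sorted(stamps)
    best = j = 0
    for i, t in enumerate(stamps):
        while stamps[j] <= t - window:
            j += 1
        best = max(best, i - j + 1)
    return best


def run_workers(threads: int, per_thread: int, url: str, username: str,
                limit: int = MAX_RPS) -> list[float]:
    """Spawn `threads` workers sharing one limiter; return all admission times."""
    limiters = PerHostLimiter(limit)
    admitted: list[float] = []
    lock = threading.Lock()

    def worker() -> None:
        for _ in range(per_thread):
            stamp = limiters.for_url(url).acquire()
            build_request(url, username)   # built but deliberately never sent
            with lock:
                admitted.append(stamp)

    pool = [threading.Thread(target=worker) for _ in range(threads)]
    for t in pool:
        t.start()
    for t in pool:
        t.join()
    return admitted


if __name__ == "__main__":
    # Placeholder portal and username; 4 threads x 20 requests must still stay under 30/s.
    stamps = run_workers(4, 20, "https://yourportal.bitrix24.ru/", "your_username")
    print(f"{len(stamps)} requests, peak {max_in_any_window(stamps)} in any 1 s window")
```

Route every HTTP call through `PerHostLimiter.for_url(url).acquire()` before sending, and the process as a whole cannot exceed the cap for a given host no matter how many scanner threads you start; separate processes each need their own budget, so split the 30 rps between them.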

Reward amounts by severity

• Critical: up to ₽150,000
• High: up to ₽70,000
• Medium: up to ₽40,000
• Low: up to ₽10,000
• None: ₽0

Program Scope

Bitrix24 Portal - bitrix24.ru, including <unique_domain>.bitrix24.ru; a test portal can be registered at https://auth2.bitrix24.net/create/
All other resources, including third-party tools used by Bitrix24, are outside the scope of the program, and reports on them will be closed as "Out of Scope."

Bitrix24 does not pay rewards for:

• Security scanner reports and other automated tool outputs.
• Information about IP addresses, DNS records, and open ports.
• Issues and vulnerabilities inferred from the version of a product in use, without a demonstration of their exploitation.
• Vulnerabilities that would be exploitable but are blocked by security tools (e.g., a WAF), unless a bypass of those measures is demonstrated.
• Reports about insecure SSL and TLS ciphers without demonstration of their exploitation.
• Vulnerabilities that were previously reported by other competition participants (duplicate reports).
• 0-day and 1-day vulnerabilities that became publicly known less than 30 days ago, and vulnerabilities with a CVSS score above 8 that became publicly known less than 14 days ago.
• Self-XSS and other vulnerabilities that do not directly affect users or application data.
• Vulnerabilities that only reproduce in browser versions released six or more months before the report was submitted, or whose support has been discontinued.
• CORS configuration errors without demonstration of their exploitation.
• Disclosure of information about the existence of a given username, email, or phone number in the system.
• Disclosure of technical or non-sensitive information (e.g., product version or software used, stacktrace).
• Rate-limiting issues (absent or weak rate limits).
• Tabnabbing.
• Clickjacking.
• CSP-related reports for domains that have no CSP, or whose policy already allows 'unsafe-eval' and/or 'unsafe-inline'.
• Attacks requiring full access to a local account or browser profile.
• Disclosure of sensitive user information through external resources not controlled by Bitrix24, such as data from spyware.
• Vulnerabilities requiring execution of a complex or unlikely user interaction scenario.
• Lack of DNS and mail service configuration best practices (DKIM/DMARC/SPF/TXT).
• Broken links to social media pages or unclaimed social media links and similar pages.
• Ability to perform an action unavailable through the user interface without identified security risks.
• Ability to create user accounts without any restrictions.
• User enumeration.
• Disclosure of public user information.
• Lack of notifications about important user actions.
• Leakage of sensitive tokens (e.g., password reset token) to trusted third parties via secure connection (HTTPS).
• Reports related to Bitrix24 mobile application security.
• Issues not related to security (if you find non-security issues, submit them to technical support: https://helpdesk.bitrix24.ru/).
• Lack of protection mechanisms or best practices without demonstration of real impact on user or system security (such reports are accepted as informative), for example: absence of security HTTP headers (CSP, HSTS, etc.), cookie security flags (HttpOnly, Secure, etc.) or CSRF protection, SSL certificates.

Bitrix24 undertakes not to make unreasonable accusations against researchers related to participation in the program.

Public Disclosure of Vulnerabilities

Public disclosure of vulnerability information is not permitted.

Participant Requirements

Researchers aged 14 to 18 may participate in the program only with written consent from parents or legal guardians.

Prohibited Actions

Researchers are prohibited from:
• Accessing, modifying, or destroying another user's data without their consent, as well as disclosing any confidential information accidentally obtained during vulnerability research or demonstration. Intentional access to this information is prohibited and may be considered illegal.
• Affecting other users' accounts without their permission.
• Using discovered vulnerabilities for personal gain.
• Using vulnerability testing tools that automatically generate significant volumes of traffic and lead to resource exhaustion attacks.
• Conducting attacks that harm the integrity or availability of services (e.g., DoS or brute-force attacks), or attempting to exploit vulnerabilities aimed at resource exhaustion. Instead, report such an issue to the Bitrix24 security team, which will reproduce the attack in a test environment.
• Conducting physical attacks on personnel, data centers, and company offices.
• Conducting attacks on Bitrix24 systems using social engineering techniques (phishing, vishing, etc.) and spam mailings to customers, partners, and employees.
• Researching server infrastructure where web applications are hosted.
• Disclosing information about vulnerabilities before their public disclosure by Bitrix24.

RCE Testing Policy

Testing of vulnerabilities that may lead to remote code execution must be performed in accordance with the rules outlined below.
During testing, any actions on the server are prohibited except:
• Executing the commands ifconfig (ipconfig on Windows), hostname, whoami, id
• Reading the contents of the files /etc/passwd and /proc/sys/kernel/hostname (on Windows: drive:/boot.ini, drive:/install.ini)
• Creating an empty file in the current user's directory
If it is necessary to perform other actions, they must be coordinated in advance with the company's security specialists.

SQL Injection Testing Policy

Testing of vulnerabilities that may lead to SQL command injection must be performed in accordance with the rules outlined below.
During testing, any actions on the server are prohibited except:
• Obtaining the name of the current database (SELECT database()), its version (SELECT @@version), the current user (SELECT user(), SELECT system_user()), or the host name (SELECT @@hostname)
• Obtaining the database schema names (SELECT table_schema), the list of tables in a schema (SELECT table_name), and the column names of tables (SELECT column_name)
• Executing mathematical, conversion, or logical queries (including ones using SLEEP) without extracting data other than that listed above
If it is necessary to perform other actions, they must be coordinated in advance with the company's security specialists.

File Upload and Reading Policy

Testing of vulnerabilities that may lead to reading arbitrary files on the server or arbitrary file upload must be performed in accordance with the rules outlined below.
Prohibited actions when uploading files:
• Modification, deletion, and replacement of any files on the server (including system files), except those associated with your account or with a user account that has explicitly expressed consent;
• Uploading files that may cause denial of service (e.g., large files);
• Uploading malicious files (e.g., malware or spyware).
When obtaining the ability to read arbitrary files on the server, any actions are prohibited except reading files such as /etc/passwd and /proc/sys/kernel/hostname (on Windows: drive:/boot.ini, drive:/install.ini). If it is necessary to perform other actions, they must be coordinated in advance with the company's security specialists.
Launched July 11, 2024
Program format: Vulnerabilities

Reward for vulnerabilities by severity level

• Critical: ₽70K–150K
• High: ₽40K–70K
• Medium: ₽10K–40K
• Low: ₽0–10K
• None: ₽0
Program statistics

• Paid in total: ₽1,590,000
• Average payment: ₽40,769
• Paid in the last 90 days: ₽690,000
• Valid reports: 81
• Submitted reports: 103