At Prezi, we believe in harnessing the power of the security researcher community to help keep our users safe. This program is us encouraging the responsible disclosure of security vulnerabilities. Please check our Security Hall of Fame for a list of those who already helped us.
The aim of the Prezi Bug Bounty program is to help us improve our security in the most efficient way. Due to this current focus, we have a list of domains which are in scope, you can help us most by testing those services for web application vulnerabilities.
Milan A Solanki@MilanSolanki19
Mohamed A. Baset@SymbianSyMoh
Gopinath - Madurai@kgopinath6
Last updated: 2017.02.03.
To join the program you should read this whole page, and only proceed if you are OK with everything.
If you disclose your findings responsibly, we will not bring any lawsuit against you or launch any investigation into you. The most important rules of responsible disclosure are:
- Never ever try to access somebody else’s account or prezis, please always use your own account(s) for testing!
- Don’t test for DoS issues, launch social engineering attacks, or spam us or our users!
- If you find something please provide us enough information to reconstruct the attack and give us enough time to respond to your report before you make it public!
There are some domains (listed below) that are more important to us right now. Please focus on these. If you responsibly disclose anything outside the scope and we make changes in our code base based on your submission, you will also be rewarded. However, this is done at our discretion, and please remember that the scope gives bug hunters legal protection.
The following domains (and every web service accessible on them) are the most important for us right now:
Please note that although the backends for our iPad and desktop applications are in scope, the applications themselves are not; therefore they are not eligible for any bounty. The same applies to any 3rd party services we use:
We really don’t have the right to allow you to hack those. Please resolve our subdomains before any testing to verify if they are not pointing to some external / 3rd party service.
What is the bounty?
The basic reward for eligible vulnerabilities for the first person to report one is 200 USD; however we will increase it at our discretion for distinctly creative or severe bugs. If you would like to, we would be happy to grant you an additional free Plus subscription for a year and add your name to our Security Hall of Fame.
Which vulnerability types are eligible for bounty?
Submissions of web vulnerabilities with a valid attack scenario, which demonstrate exploitability and have significant impact on our users can be eligible for a reward (e.g. XSS, Authentication bypass, SQL Injection, Remote code execution…). We reserve the right to decide if the submission should be rewarded with a bounty.
In general, the following would not meet the threshold required for severity:
- CSRF vulnerabilities where exploitation is not really probable (other random / hard to get value is required for exploitation), CSRF in the logout function
- Missing “HTTP only” flag for cookies, which are not the following ones: auth-sessionid, prezi-auth, sessionid
- Missing “Secure” flags for any cookie
- Username / user id enumeration
- Missing “X-Frame-Options”, “Strict-Transport-Security”, “Nosniff”, “X-Xss-Protection” headers
- Phishing by navigating password tabs a.k.a "window.opener" (reason)
- Absence of rate limiting
- Denial of Service
- User password brute force attack
- "Leakage" of publicly available information (e.g.: server version info in response header)
The following table shows illustrative examples of estimated expectable bounties for different vulnerability types:
|Vulnerability type||Estimated bounty ($)|
|CSRF (prezi content change)||500|
|CSRF (language settings change)||200|
|Prezi account takeover (not password bruteforce/guessing)||1000|
|SQL injection on auth. table||1000|
|Remote code execution||1500|
I found something, how do I send you a report?
Just drop a mail to firstname.lastname@example.org [PGP] with enough information for us to reconstruct the attack. We’ll reach out to you once we have processed your mail. In case you have found multiple vulnerabilities, please send them in separate emails to help us keep track of them.
How do I know if I’m the first to report the vulnerability?
We believe in transparency, therefore every time we receive and start to process a vulnerability report we will create a private gist (gist.github.com) with the following details: timestamp of the incoming mail, vulnerability type, affected service / domain, researcher contact (if agreed to share).
Please note that by design these details will not be detailed enough to fully reproduce the attack.
The gists will only be shared with researchers who send us a previously reported vulnerability and they will be deleted one week after the fix for the issue is out.
How do I get the points?
We use a scoring system, which takes into account the bug's impact on the target host regarding confidentiality and integrity, the access level required by a successful exploit (see CVSS C,I,AC), and its' damage potential on our systems (globally). If an attack uses multiple vulnerabilities, we score them individually and sum the points up. Only the previously unknown bugs are scored.
In some cases - like when you chain multiple bugs together - bonus points are granted.
We constructed the scoring system to fit our past payouts, but there is no guarantee the future points and the actual payouts will equal. Also note, we might change the methodology later on. Future changes won't affect the points that were given previously.
Other legal notices
- General warning: please try not to be destructive, use automated tools with care.
- Please don’t make your findings public until we explicitly allow you to do so. We will try to do our best to be really quick. But after the fix is out and making the details public doesn't compromise our users safety, we absolutely encourage you to write a blog post or create a prezi about how you demonstrated that our system sucked!
- The program is not open for individuals on sanctions lists or individuals in countries on sanctions lists.
- You are responsible for any tax implications or additional restrictions depending on your country and local law.
- We reserve the right to cancel this program at any time and the decision to pay a reward is entirely at our discretion.
- You must not violate any law. You also must not disrupt any service, or compromise anyone’s data.