IntegraXor HMI/SCADA Bug Bounty Program
This Non-Monetary Bug Bounty Program is part of our effort to make IntegraXor SCADA more secure, safe & stable. Below are the rules for joining. Terms & conditions apply.
Considerations
- We are only concerned with issues that will impact our customers' installations of the IGX SCADA system.
- You must download and set up your own testing environment; do not attempt to access any live or demo system that was not set up by you.
- You must provide complete steps to reproduce the bug, or describe the PoC.
- For security vulnerabilities, we accept closed, responsible or collaborative disclosure, but zero-day or third-party disclosure does not qualify.
- The major consideration is any vulnerability that affects the integrity of data linked to external devices, particularly tag data.
- Only the first reporter of a given issue will be considered. When the issue is later fixed, we will publish the date it was first reported in our Release Note, our Vulnerability Report, or wherever on our website we find appropriate and publicly accessible.
Exclusions
- Any issue related to our commercial websites is not included in this program. For instance, this blog, our forum, or any PHP, database, services or content running on this domain shall not be considered.
- We do not consider any issue affecting the use of beta, release candidate or out-of-date IntegraXor server/editor, browsers and plugins. On the other hand, we *also* do not accept any issue that is already fixed in the beta/release candidate, although very likely those issues would have been reported earlier.
- Any vulnerability found in an external device communication protocol implementation that is compliant with the standard is excluded from this program, as it is beyond our control, unless you have a solution to patch the vulnerability of the said communication protocol in a standard-compliant manner.
- Spam or DoS attacks are not considered.
- We are only concerned with practical issues; a non-fool-proof issue such as entering a meaningless string like "abc@xyz*com" into a certain field of the Project Editor that could possibly crash/hang the program will not qualify.
- Physical attacks, such as pulling out a certain cable so that a certain part of the program malfunctions, are excluded.
- We are mainly concerned with issues introduced by our own code, not by libraries (dll/js) or plugins from other parties. However, we wish to be responsible for our choice of those components, so reporting this type of bug will still receive credit.
- Hacks of our license key authorization are excluded, because our goal is to protect our customers' safety and security.
I/O Point Reward Table
Issue \ System | IGX Backend | IGX Frontend | Project Editor | Inkscape / SAGE | Browser * | Plugin
---|---|---|---|---|---|---
Security Vulnerability | 8k | 8k | 1k | 128 | 128 | 0
Program Crash | 1k | 1k | 1k | 128 | 128 | 0
Program Hang | 1k | 1k | 1k | 128 | 128 | 0

* The browsers concerned are the latest versions of AS, FX, GC and IE showing IGX SCADA content, not this commercial web domain.
Reward Points
- We do not pay out monetary rewards; we only pay out I/O points for use with our software license. The reward points are valid for 10 years from the date the issue is fixed. If you are not an IntegraXor SCADA user, you are allowed to resell the reward points in our forum or anywhere else.
- The value of the rewards ranges from USD $149 to $3999, according to how our license is sold. The amount awarded depends on the severity, which is judged entirely by our technical team.
- You may claim and use the reward points as they are, without splitting/merging them or converting them to any other modules or combinations.
- To ensure you can fully utilize the reward, all reward points come free with 1 report module and 2 remote clients, not more and not less.
- When an issue involves several parts of the system, e.g. configuring something in the Project Editor that causes a problem in the backend during runtime, the reward points will be based on the highest reward from only one of the systems.
- We will give you credit and provide a back link to your website in our Release Note or Vulnerability Report when the issue is fixed, unless you choose otherwise.
- We reserve the right to amend the rules and T&C, increase/decrease the points, or terminate this program at any time without prior notice, especially if this program is being abused or fails to yield any practical outcome.
Please contact us via support form, or you may obtain our email address from there.
2 Comments

Note that we are implementing RSA encryption for browser-to-server transactions. Please ignore the current vulnerability of plain-text transmission.

We are very sorry to the many security researchers out there who can't enjoy the program immediately, as we are very much offering the program to our own users in this initial trial. The reason behind this is straightforward: we wish to start the program small. But it turns out to have attracted so much discussion among respectable security researchers. We wish to accept all criticism humbly and will improve the program wherever appropriate and whenever possible. Thank you.