Security bug bounty program at Piwik PRO

Security is an important part of Piwik PRO’s DNA. That’s why we’re offering a bounty for security researchers who find and report directly to us any major vulnerability in our platform: Piwik PRO Analytics Suite.

Program rules

To be eligible for a reward under this program, you must meet the following conditions:

  • Perform audit tests using our Sandbox infrastructure – you can create a free account using the form below.
  • Do not test our production (Core plan) environment on *.piwik.pro.
  • Keep in mind that any bugs not related to the Piwik PRO Analytics Suite platform (such as those concerning the piwik.pro website) fall outside the scope of the bug bounty program.
  • Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be qualified. See detailed instructions on how to report a bug.
  • Do not publicly disclose any details of the vulnerability, an indicator of vulnerability, or the content of the information rendered available by the vulnerability without explicit written authorization from Piwik PRO.
  • Detect vulnerabilities in a way that doesn’t result in privacy violations, destruction of data, and interruption or degradation of our service.
  • Anonymize all sensitive data gathered during an attack. Ensure you secure and delete it after reporting.
  • The vulnerability you report must be new to us.
  • If you report multiple vulnerabilities caused by one underlying issue, we will treat it as a single valid report.

If any of the above requirements is not fulfilled, your report will be rejected.

Help us improve the security of Piwik PRO Analytics Suite by joining the bug bounty program


Forbidden operations

Please refrain from engaging in the following practices:

  • Using automated tools for large-scale scans – Tests performed for the purpose of security research must not have a negative impact on our infrastructure and platform. This kind of test may be treated as a DoS attack, and we may take action to block this type of traffic and prevent the situation from recurring.
  • Sharing information about vulnerabilities with people not authorized by Piwik PRO.
  • Performing actions that may negatively affect the Piwik PRO company or the platform (for example, SPAM).
  • Any physical attack on IT infrastructure and/or company personnel.
  • Social engineering – such as phishing, vishing, or smishing against Piwik PRO staff and users.
  • Exfiltrating data – Tests should be performed on the minimum amount of data necessary to confirm the vulnerability.
  • Violating any applicable laws or agreements to discover vulnerabilities.

Vulnerabilities out of scope

The following issues fall outside the scope of our bug bounty program:

  • Bugs not related to our platform, Piwik PRO Analytics Suite, running on the Core plan infrastructure (for example, bugs concerning the piwik.pro website).
  • Vulnerabilities affecting users of outdated or unsupported browsers or platforms.
  • Cross-site scripting bugs requiring an unlikely amount of user interaction.
  • Cross-site request forgery (CSRF) on unauthenticated forms or forms with no sensitive actions.
  • Missing CAPTCHA.
  • Password complexity or account recovery policies.
  • HTTPS Mixed Content.
  • Issues without clearly identified security impact.
  • Missing best practices in CSP or HSTS.
  • Invalid or missing SPF, DKIM, or DMARC records.
  • Weak SSL/TLS Cipher Suites.
  • Sending vulnerability reports using automated tools without validation.
  • Use of a known-vulnerable library without evidence of exploitability.
  • Attacks requiring physical access to an unlocked user device.
  • Reports of SPAM, phishing, or security best practices.
  • Software version disclosure / banner identification issues / descriptive error messages or headers (such as stack traces, application or server errors).
  • Missing cookie flags on non-sensitive cookies.
  • Users with superuser privileges posting arbitrary JavaScript (for example, via the Tag Manager module).
  • Tabnabbing.
  • Path disclosure.
  • Vulnerabilities already known and reported by other security researchers.

How to report?

Contact us at bounty@piwik.pro with a description of the steps needed to reproduce the issue.

You are required to provide a detailed summary of the vulnerability, including the following pieces of information:

  • Date and time when the vulnerability was detected.
  • Vulnerability description.
  • Type of the identified vulnerability.
  • Affected URLs.
  • Risk breakdown:
    • Risk.
    • Difficulty to exploit.
    • CVSS 3.0/3.1 base score (you can use the following calculator).
  • Steps to reproduce.
  • Video/Screenshots PoC.
  • References.

Bounty payments

Rewards are based on how severe the bug is. Below are examples of issues qualified for each type of severity level.

Critical: $3000
Example issues that qualify as critical:

  • Remote code execution
  • Privilege escalation between tenant environments
  • Customer data disclosure

High: $1000
Example issues that qualify as high:

  • SQL injection
  • CSRF
  • Privilege escalation between roles in the same tenant environment
  • XSS without user interaction

Medium: $500
Example issue that qualifies as medium:

  • XSS with user interaction

Low: $250
Example issues that qualify as low:

  • Edge case performance issues that could be used for DoS
  • Mixed content warning
  • Debugging information

Bounties will be paid via PayPal.

Miscellaneous

Piwik PRO reserves the right to cancel this program at any time.

The decision to grant a reward for a vulnerability report and the value of a reward (if any) is entirely within Piwik PRO’s discretion. If we decide to offer a reward for a vulnerability report, the value of the reward will usually be based on the impact and severity of the reported vulnerability.

Here is where you can find some useful information about our product: