Security bug bounty program at Piwik PRO

Security is an important part of Piwik PRO’s DNA. That’s why we’re offering a bounty for security researchers who find and report directly to us any major vulnerability in our platform: Piwik PRO Analytics Suite.

Please note that this program applies only to our product; any bugs that are not related to our platform (e.g. those related to the piwik.pro website) fall outside the scope of our bug bounty program.

Program rules

To be eligible for a reward under this program:

  • Perform audit tests using our Core plan infrastructure – you can create a free account at: https://piwik.pro/core-plan/.
  • Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not qualify.
  • Do not publicly disclose any details of the vulnerability, indicator of vulnerability, or the content of information rendered available by the vulnerability without explicit written authorization from Piwik PRO.
  • The reported vulnerability must be new.
  • Attempts to detect vulnerabilities must not result in privacy violations, destruction of data, or interruption or degradation of our service.
  • All sensitive data gathered during an attack must be anonymised in a report, and secured and deleted after reporting.
  • Multiple vulnerabilities caused by one underlying issue will be treated as a single valid report.

Forbidden operations

Please refrain from:

  • Using automated tools for huge scans – tests performed for the purpose of security research must not have a negative impact on our infrastructure and platform. This kind of test may be treated as a DoS attack, and we may take action to block this type of traffic and prevent the situation from recurring.
  • Sharing information about vulnerabilities with people unauthorized by Piwik PRO.
  • Performing actions that may negatively affect the Piwik PRO company or the platform (e.g. SPAM).
  • Any kind of physical attack on IT infrastructure and/or company personnel.
  • Social engineering – i.e. phishing, vishing or smishing targeting Piwik PRO staff and users.
  • Exfiltrating data – tests should be performed on the minimum amount of data necessary to confirm the vulnerability.
  • Violating any applicable laws or breaching any applicable agreements in order to discover vulnerabilities.

Vulnerabilities out of scope

The following issues fall outside the scope of our bug bounty program:

  • Bugs that are not related to our platform, Piwik PRO Analytics Suite, on the Core plan infrastructure (for example, bugs related to the piwik.pro website)
  • Vulnerabilities affecting users of outdated or unsupported browsers or platforms
  • Cross-site scripting bugs requiring an unlikely amount of user interaction
  • Cross-site request forgery (CSRF) on unauthenticated forms, or forms with no sensitive actions
  • Missing CAPTCHA
  • Password complexity or account recovery policies
  • HTTPS Mixed Content
  • Issues without clearly identified security impact
  • Missing best practices in CSP or HSTS
  • Invalid or missing SPF, DKIM, DMARC records
  • Weak SSL/TLS Cipher Suites
  • Sending vulnerability reports using automated tools without validation
  • Use of a known-vulnerable library without evidence of exploitability
  • Attacks requiring physical access to an unlocked user device
  • Reports of SPAM, phishing, or security best practices
  • Software version disclosure / banner identification issues / descriptive error messages or headers (e.g. stack traces, application or server errors)
  • Missing cookie flags on non-sensitive cookies
  • Users with superuser privileges posting arbitrary JavaScript (e.g. via the Tag Manager module)
  • Tabnabbing
  • Path disclosure

How to report?

Reach out to us at bounty_SPC@piwik_SPC.pro with a description of the steps needed to reproduce the issue.

Please provide a detailed summary of the vulnerability, including:

  • Type of issue
  • Date and time when the bug was detected
  • Product, version and configuration of software or asset containing the bug
  • Step-by-step instructions to reproduce the issue (proof of concept)
  • Impact of the issue
  • Suggested mitigation or remediation actions, as appropriate

Bounty payments

Rewards are based on bug severity levels. Below are examples of issues that qualify for each severity level.

Critical: $3000
Example issues that qualify as critical:

  • Remote code execution
  • Privilege escalation
  • Customer data disclosure

High: $1000
Example issues that qualify as high:

  • SQL injection
  • CSRF
  • XSS without user interaction

Medium: $500
Example issue that qualifies as medium:

  • XSS with user interaction

Low: $250
Example issues that qualify as low:

  • Edge case performance issues which could be used for DoS
  • Mixed content warning
  • Debugging information

Bounties will be paid via PayPal. Severity may be calculated using the CVSS calculator (base score). More information can be found here.