Bug Bounty Program


Under Responsible Disclosure Terms, qualifying security vulnerabilities can be rewarded with a bounty of up to $100,000 US depending on our assessment of severity as calculated by likelihood and impact.

As a company of InfoSec experts, we know security is a team sport. Securing the world’s communications requires all resources available to us to ensure our code can withstand emerging threats. White-hats, academics, security engineers and evangelists have been responsible for some of the most cutting-edge, eye-opening security revelations to date. The Wickr Bug Bounty is designed to encourage top-notch security researchers to help us identify and mitigate any potential issues in the Wickr ecosystem. We pledge to drive constant improvement with the goal of keeping Wickr the most trusted messaging platform for our users.

Calling all Hackers
Wickr’s Bug Bounty Begins

Originally published: Jan 15, 2014 | Last Update: October 12, 2017

Introduction

Wickr is looking to recruit the best hackers in the world in a continuous effort to protect our users. Starting today, we are offering a bounty for reporting critical security vulnerabilities that can substantially affect the confidentiality or integrity of user data.

If you believe you have found a security vulnerability in the Wickr Apps, we encourage you to report it to our Bug Bounty Program. Before you report a vulnerability, please review the program rules, including the responsible disclosure policy, the rewards guidelines and the scope of the program. By submitting a report within this program, you agree to be bound by these rules. We will investigate all qualifying reports and do our best to fix the reported issue as soon as possible.

Engaging Hackers

Wickr was founded on the belief that private communication is a universal human right that enables innovation and economic growth, and empowers democracy. As a security-focused company, we are committed to constantly improving our best-in-class encryption technology against the sophisticated threats that our users face daily, protecting their business data and private personal communications. That is why, since its launch, Wickr has engaged world-class information security organizations to pen-test and verify Wickr’s code, security and policies.

Veracode, Aspect Security and iSEC Partners have reviewed and confirmed the security of the Wickr platform. At DEF CON 21, Wickr had the honor of being the target of a presentation by experts from Stroz Friedberg, one of the largest forensics companies in the world. The researchers analyzed Wickr, Snapchat and Facebook Poke and determined that, while Snapchat and Facebook revealed personal information, Wickr indeed left no trace. We expect finding critical vulnerabilities in Wickr to be difficult and are honored to work with those who make the effort to help us ensure the security of the Wickr community.

Program Statement

Wickr Bug Bounty Program

The Wickr Bug Bounty Program is designed to encourage responsible security research focused on Wickr software. It is impossible to overstate the importance of the role the security research community plays in ensuring modern software remains secure. White-hats, academics, security engineers and evangelists have been responsible for some of the most cutting-edge, eye-opening security revelations to date. Their work speeds the pace of advancing security to the benefit of all. Through this program and partnerships with InfoSec organizations, we pledge to continuously improve the security and usability of our network, keeping Wickr the most trusted messaging platform in the world.

Terms and Conditions

Wickr will issue rewards in recognition of qualifying security vulnerabilities. A qualifying security vulnerability is any previously unreported design or implementation issue that substantially affects the confidentiality or integrity of user data.

Kids Welcome

Any age is welcome to participate. Wickr Android was first beta tested with the r00tz kids at DEF CON.

Submission Process

To submit a vulnerability, send a complete description of the issue to bugbounty@wickr.com. Please be prepared to provide additional clarifying information as well as tools, procedures and algorithms employed upon request. If you developed a novel approach to solve the issue, please include it with your submission.

Responsible Disclosure

We believe in responsible disclosure of security vulnerabilities. To allow sufficient time for internal review and remediation, and to qualify for reward, qualifying security vulnerabilities submitted under this program cannot be disclosed or reported to any third party within six (6) months of the date of submission without our written permission.

Rewards

Qualifying security vulnerabilities can be rewarded with up to $100,000, depending on our assessment of severity as calculated by likelihood and impact. Reward amounts are entirely at the discretion of Wickr’s Security Team, and all determinations are final. The payments are in US dollars, and the beneficiary is responsible for all applicable taxes, fees and tariffs in her/his country of residence. Team submissions must split the reward.

The prize payment cannot be made anonymously, and personally identifiable information (PII) must be provided to Wickr before payment can be made. The PII may include the legal name, address, phone number and financial information such as a bank account number.

All prizes and their monetary value are established by Wickr Inc. and are paid after all the requirements have been met.

Prohibitions

The scope of this program is limited to technical security vulnerabilities in Wickr software. Under no circumstances should your testing affect the availability of Wickr services, disrupt or compromise any data that is not your own, or violate any law or our Terms of Service.

Restrictions

To be eligible for the program, you must not:

  • Be a resident of, or make your submission from, a country against which the United States has issued export sanctions or other trade restrictions (e.g., Cuba, Iran, North Korea, Sudan and Syria);
  • Be employed by Wickr, Inc. or its subsidiaries;
  • Be an immediate family member of a person employed by Wickr, Inc. or its subsidiaries.

Legal

You are responsible for any tax implications depending on your country of residency and citizenship. There may be additional restrictions on your ability to enter depending upon your local law and age. We reserve the right to cancel or change the program at any time. The decision as to whether or not to pay a reward is entirely at our discretion. Void where prohibited by law.

Vulnerability Disclosure Policy

Wickr strives to build quality software that delivers on our security promises. In the event that security defects are found after our software is released, we will act in accordance with this policy to keep customers informed.

This policy describes how we disclose security-related defects in Wickr software. To report a security defect, please inform us via email at bugbounty@wickr.com.

Program Highlights

Wickr has implemented development and testing processes and programs aimed at preventing, detecting and eliminating security-related defects over the entire software lifecycle. Key elements of our minimization strategy include:

  • Developer training
  • Secure coding guidelines
  • Security peer review process
  • Security test automation
  • Static and dynamic analysis
  • Third-party security testing
  • Public and private bug bounty programs

Priorities

In deciding when to disclose an issue, to whom, and how much detail to provide, we balance two important priorities: customer security and transparency. Our goal for issue disclosure is to be as open and informative as possible without increasing risk to customers.

Policy

We will disclose Wickr software security defects that represent Critical, High or Medium risks. Issue severity will be represented using the Common Vulnerability Scoring System version 3.0 (CVSSv3) but may deviate from CVSS if factors not captured in the score exist.

Advisories will not include proof-of-concept code, details, attack steps or methodology that could be used to exploit the issue.

Advisories for all of our products will be published below.

We will notify Wickr Enterprise customers directly if the issue impacts Wickr Enterprise. If public disclosure of issues impacting Wickr Enterprise would be strictly informational for users of our other products, we may publish the advisory some time after the fix is deployed and/or available.


Advisory: Vulnerability in Wickr Pro Administration Console Could Allow Admins to Replace LDAP Settings for Other Networks

Published: May 1, 2018
Version: 1.0
Severity: Medium
CVSS: 3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Summary:
By submitting a forged request to the Wickr Pro Administration Console, a Wickr network administrator could replace the LDAP sync settings for other networks.

This issue was caused by a missing authorization check in the save-settings console function to ensure that the settings were being saved to a network associated with the logged-in user. It was exploitable only by authorized users of the console during a valid login session. It has been fixed in the currently deployed version of our product.

Recommendation: None. The issue is fixed in the currently deployed version of the product.

Affected Products: Wickr Pro Administration Console versions prior to 2.10.17.

Impact: If exploited, a network’s LDAP sync settings would be overwritten by new values, which in the worst case would remove legitimate users from the network and render them unable to use the application. Any users synced from the new directory server would represent a theft of service risk if the attack went undetected for any length of time.

Source: This issue was privately reported by a security researcher participating in Wickr’s bug bounty program.

Status: FINAL

Fixed in Wickr Pro Administration Console version 2.10.17.


Advisory: Vulnerability in Wickr Pro Administration Console Could Allow Admins to Temporarily Disable or Re-enable Devices in Other Networks

Published: May 1, 2018
Version: 1.0
Severity: Medium (Wickr Pro)
CVSS: 3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L

Severity: Low (Wickr Enterprise)
CVSS: 3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:L

Summary:
By submitting a forged request to the Wickr Pro or Wickr Enterprise Administration Console, a Wickr network administrator could temporarily disable, re-enable, or view status-related metadata associated with a device belonging to a user in another network.

This issue was caused by a missing authorization check to ensure that the administrator was allowed to act on the target user. It was exploitable only by authorized users of the console during a valid login session and could only be used against a previously identified, known user. It has been fixed in the currently deployed and available versions of our products.

Recommendation:
Wickr Enterprise customers should upgrade their Administration Console to version 2.10.19 or later. This issue has been fixed in currently deployed versions of Wickr Pro and no user action is necessary.

Affected Products:
Wickr Pro and Wickr Enterprise Administration Console versions prior to 2.10.19.

Impact: If exploited, this issue could have allowed a malicious administrator to temporarily disable, re-enable, or view status-related metadata of devices belonging to a previously identified, known user in another network. Worst case impact is believed to be temporary denial of service to a user’s device(s), effective until a user detects the condition and an administrator re-enables the device. Likelihood of exploitation is considered to be low with very little to gain from an attacker’s perspective. Likelihood of exploitation in Wickr Enterprise is considered to be very low because Enterprise networks are not multi-tenant.

Source: This issue was privately reported by a security researcher participating in Wickr’s bug bounty program.

Status: FINAL

Fixed in Wickr Pro Administration Console version 2.10.19.


Advisory: Add Administrator-Related XSS Vulnerabilities in Wickr Pro Administration Console

Published: April 18, 2018
Version: 1.0
Severity: Medium (Wickr Pro)
CVSS: 3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

Severity: Low (Wickr Enterprise)
CVSS: 3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N

Summary:
By submitting a forged request to the Wickr Pro or Wickr Enterprise Administration Console, a Wickr network administrator could store malicious JavaScript code in place of certain network properties and execute what is commonly referred to as a stored cross-site scripting attack against another administrator of their network. The flaw was discovered in areas of the console related to the display of network properties and would most likely be exploited by adding new administrators to previously tainted networks.

This issue was caused by missing input validation and output encoding in the affected areas. It was exploitable only by authorized users of the console during a valid login session and could only be used against other authenticated users in the same network. It has been fixed in the currently deployed and available versions of our products.

Recommendation:
Wickr Enterprise customers should upgrade their messaging backend to version 2.11.3 or later. This issue has been fixed in currently deployed versions of Wickr Pro and no user action is necessary.

Affected Products: Wickr Pro and Wickr Enterprise Administration Console versions prior to 2.11.3.

Impact: Likelihood of exploitation in Wickr Pro is considered to be low because the most likely case depends on the victim being guided to interact with a tainted network based on a suspicious email from an attacker email address. Likelihood of exploitation in Wickr Enterprise is considered to be very low because Enterprise networks are not multi-tenant.

Source: These issues were privately reported by a security researcher participating in Wickr’s bug bounty program.

Status: FINAL

Fixed in Wickr Pro Administration Console version 2.11.3.


Advisory: Use of Third-Party Component in Wickr Pro Administration Console Could Have Led To DOM-Based XSS

Published: April 18, 2018
Version: 1.0
Severity: Medium
CVSS: 3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N

Summary: If tricked into accessing the Wickr Pro Administration Console via a malicious link, users could have been impacted by a DOM-based XSS vulnerability. This issue was caused by an error in the way that Google Tag Manager, a third-party JavaScript library used for new-network on-boarding analytics, was integrated with the site. It has been fixed in the currently deployed version of our product.

Recommendation: None. The issue is fixed in the currently deployed version of the product.

Affected Products: Wickr Pro Administration Console versions prior to 2.11.0.

Impact: If exploited, worst case impacts include loading malware and stealing login credentials. Likelihood of exploitation is considered to be low since the victim would need to access the console via a link sent in a suspicious email or other unsolicited message.

Source: These issues were privately reported by a security researcher participating in Wickr’s bug bounty program.

Status: FINAL

Fixed in Wickr Pro Administration Console version 2.11.0.


Advisory: Vulnerability in Wickr Pro Administration Console Could Allow Admins to View Billing Information For Other Networks

Published: April 10, 2018
Version: 1.0
Severity: Medium
CVSS: 3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/CR:H/IR:M/AR:L/MAV:N

Summary: By submitting a forged request to the Wickr Pro Administration Console, a Wickr network administrator could download a billing statement associated with another network.

This issue was caused by a missing authorization check in the download-statement console function to ensure that the requested statement/invoice belonged to the logged-in user. It was exploitable only by authorized users of the console during a valid login session. It has been fixed in the currently deployed version of our product.

Recommendation: None. The issue is fixed in the currently deployed version of the product.

Affected Products: Wickr Pro Administration Console versions prior to 2.9.27.

Impact: If exploited, this issue could have exposed limited Wickr customer billing information, including the following data fields:

  1. The 'Bill To' name and address on the invoice.
  2. The amount of the invoice.

Financial account information such as credit card numbers, expiration dates, etc. was not at risk as this information does not appear on downloaded statements.

Source: This issue was privately reported by a security researcher participating in Wickr’s bug bounty program.

Status: FINAL

Fixed in Wickr Pro Administration Console version 2.9.27.
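The two authorization advisories above (the LDAP sync settings save and the billing statement download) describe the same defect class: an authenticated administrator is trusted with a network or statement identifier taken from the request. The following is an added illustration, not Wickr's code, of the object-level check that closes that gap; the session model, the in-memory store and all network and statement ids are constructed sample data.

```python
# Added illustration (not Wickr's code): tenant-scoped authorization for a
# multi-tenant admin console. Sessions, store contents and ids are constructed.
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Caller is authenticated but not an administrator of the target network."""


@dataclass(frozen=True)
class Session:
    admin_id: str
    network_ids: frozenset  # networks this logged-in admin is entitled to manage


@dataclass
class ConsoleStore:
    ldap_settings: dict = field(default_factory=dict)  # network_id -> settings
    statements: dict = field(default_factory=dict)     # statement_id -> (owner network_id, body)


def require_network_access(session: Session, network_id: str) -> None:
    """The network named by the request must belong to the session, never the reverse."""
    if network_id not in session.network_ids:
        raise Forbidden(f"admin {session.admin_id} may not act on network {network_id}")


def save_ldap_settings_unchecked(store, session, network_id, settings):
    """'Before' shape from the advisory: the request's network id is used as-is."""
    store.ldap_settings[network_id] = dict(settings)


def save_ldap_settings(store, session, network_id, settings):
    """'After' shape: the same write, gated on the session's network membership."""
    require_network_access(session, network_id)
    store.ldap_settings[network_id] = dict(settings)


def download_statement(store, session, statement_id):
    """Authorization is derived from the stored owner, not from any id the client sends."""
    if statement_id not in store.statements:
        raise KeyError(statement_id)  # unknown id: plain not-found, no ownership hint
    owner, body = store.statements[statement_id]
    require_network_access(session, owner)
    return body


def denied(action, *args) -> bool:
    """True when the action is refused by the authorization check."""
    try:
        action(*args)
    except Forbidden:
        return True
    return False


def build_sample_store() -> ConsoleStore:
    """Constructed sample data: two tenant networks, one statement each."""
    store = ConsoleStore()
    store.ldap_settings = {"net-A": {"host": "ldap.a.example"}, "net-B": {"host": "ldap.b.example"}}
    store.statements = {"stmt-1": ("net-A", "Bill To: Tenant A"), "stmt-2": ("net-B", "Bill To: Tenant B")}
    return store
```

The check is deliberately centralized in one function so every console action that names a network goes through it, and `download_statement` looks up the owner server-side rather than accepting a network id from the client.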


Advisory: SQL injection flaw in Wickr messaging backend

Published: April 10, 2018
Version: 1.0
Severity: High
CVSS: Base 8.6 (High) | Temporal 7.5 (High) | Environmental 6.5 (Medium)
Vector String: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H/E:U/RL:O/RC:C/CR:L/IR:L/AR:L/MAV:N/MAC:L/MPR:N/MUI:N/MS:C/MC:L/MI:L/MA:H

Summary: By submitting a forged request to a Wickr Pro, Wickr Enterprise or Wickr Me messaging server, an attacker could execute arbitrary queries on the application database and access data in excess of their authority.

This issue was caused by insufficient validation of user-entered input in a messaging-related API function. It has been fixed in the currently deployed and available versions of our products.

Recommendation: Wickr Enterprise customers should upgrade their messaging backend to version 2.10.17d or later. This issue has been fixed in currently deployed versions of Wickr Pro and Wickr Me and no user action is necessary.

Affected Products: Wickr Pro, Wickr Enterprise, Wickr Me messaging server versions prior to 2.10.17d.

Impact: By exploiting this vulnerability, a skilled attacker could potentially access, alter or destroy information in the Wickr application database. Wickr’s security architecture largely assumes back-end server compromise, so critical data in the database related to message security is either private and stored encrypted (i.e., requiring significant brute forcing to access) or public and protected via client-side integrity checking. More practical attacks exploiting this issue would likely focus on recovery of metadata (e.g., Pro/Enterprise usernames, network names, logs) and/or denial of service (e.g., data deletion). These factors are captured in the CVSS Environmental metrics indicated above. See the white paper “The Untrusted Server”.

Source: This issue was privately reported by a security researcher participating in Wickr’s bug bounty program.

Status: FINAL

Fixed in Wickr Pro, Wickr Enterprise and Wickr Me messaging backend version 2.10.17d.