Cobalt bug bounty program

Description

Nexmo offers SMS and Voice APIs through REST and SMPP. We offer unparalleled message and voice call deliverability at an optimum price point.

Nexmo Verify API - allows you to verify whether one of your end users has access to a specific phone number.

We would like to test the Verify endpoints:

https://api.nexmo.com/verify/{json,xml}

Full documentation: https://docs.nexmo.com/api-ref/verify

Nexmo Verify SDK - allows you to add password replacement, 2-factor authentication, or user and transaction verification to your App with a single line of code.

We would like to test the Verify SDK:

https://api.nexmo.com/sdk/*

Full documentation: https://docs.nexmo.com/libraries/verify-sdk

Nexmo SMS API - allows you to send SMS anywhere in the world.

We would like to test the SMS endpoints:

https://rest.nexmo.com/sms/{json,xml}

Full documentation: https://docs.nexmo.com/api-ref/sms-api

Nexmo SMS SC API - allows you to send SMS to US through our pre-approved Short Code.

We would like to test the SMS SC endpoints:

https://rest.nexmo.com/sc/us/2fa/{json,xml}

https://rest.nexmo.com/sc/us/alert/{json,xml}

Full documentation: https://docs.nexmo.com/api-ref/us-shared-short-code-api

Nexmo TTS/Voice API - allows you to send TTS calls anywhere in the world.

We would like to test the TTS/Voice API endpoints:

https://api.nexmo.com/tts/{json,xml}

https://api.nexmo.com/tts-prompt/{json,xml}

https://rest.nexmo.com/call/{json,xml}

Full documentation: https://docs.nexmo.com/api-ref/voice-api

Nexmo Number Insight API - allows you to retrieve information for a given number.

We would like to test the NI endpoints:

https://rest.nexmo.com/ni/{json,xml}

Full documentation: https://docs.nexmo.com/api-ref/number-insight

Nexmo Dashboard

https://dashboard.nexmo.com/

Nexmo Admin Dashboard

https://a.nexmo.com/

How do we decide how critical a vulnerability is?

The criticality of a vulnerability will be decided solely on the basis of the risk to end users and the impact on the business if it were exploited, rather than on how poor the application design is. If a vulnerability requires significant preconditions to be exploited, and these conditions make the attack less likely, it will probably be rated lower than it would be without those preconditions.

Some general guidance on the rewards likely to be given for common classes of vulnerability is given below. This is by no means a comprehensive list; please feel free to look for vulnerabilities not listed here. This is encouraged, as the whole value of third-party testing is that it finds issues we hadn't considered. Please note: criticality always remains at our discretion regardless of the guidelines below.

High:
- Remote code execution
- Authentication vulnerabilities that allow total bypass of the usual authentication process (both one-factor and two-factor)
- Authorization flaws that allow one user to perform actions on behalf of other users (API or Dashboard)
- Compromise of another account's API secret
- Serious financial manipulation e.g. ability to top up for free or use other users' credit
- Stored XSS which affects other users
- Successful SQL injection retrieving important database data
- CSRF with serious impact

Medium or Low, depending on impact:
- Ability to bypass some dashboard functionality restrictions within an account, if the impact is moderate
- Reflected XSS
- Stored XSS that affects only one user (likely to be low or not rewarded)
- Session management issues that don't directly lead to account compromise
- Improper rate limiting which may facilitate brute force
- CSRF with moderate impact

Out of scope

  • deliverability of messages
  • uptime and HTTP/HTTPS availability of *.nexmo.com
  • help.nexmo.com
  • developers.nexmo.com
  • Denial of Service attacks
  • vulnerabilities that arise from the use of shared browsers
  • best practices, unless it is a serious omission on our part (for example, disagreeing with our password policy or pointing out that we do not have DMARC is not likely to be rewarded)
  • information exposure, unless it's serious and unguessable information that is useful to an attacker
  • out-of-date WordPress plugins, except where the new version includes security fixes AND it was released more than 3 months ago (1 month if it contains fixes for critical issues). We generally keep our software up to date but must be given a reasonable time frame for deploying patches; the periods above are industry standards for reasonable patch times.

We build and operate a number of applications. Not all of them are currently part of an open bounty; however, we still appreciate the effort researchers put into identifying vulnerabilities. Vulnerabilities found in applications not specifically listed on this page will be evaluated and may be eligible for cash rewards.

Platform

CDNetworks, EdgeCast ADN, nginx, Java 8, Jetty, WordPress

The terms for running and engaging in a security program always apply.

Specs

  • Rewards

    High: $1,000
    Medium: $300
    Low: $100

  • Disclosure Rules

    Responsible disclosure

  • Access Level

    Open for all

  • Response Time / Rate

    1 - 3 weeks / 99%

  • Researcher Feedback

    Average of all evaluations