The casavi Bug Bounty Program

The casavi bug bounty program rewards hacking experts for making us aware of bugs or weaknesses inside our system so that we can fix them before any harm is done. We believe that responsible disclosure should be the standard.

How it works

  1. Make sure you understand the scope and adhere to our program rules
  2. Apply for our program by writing an email to security@casavi.de
  3. Find a bug
  4. Email us the bug

About casavi

casavi is a software-as-a-service product that provides digital solutions to property management companies. It gives them a customer portal including 24/7 document access, a ticketing system and messaging for their customers.

Scope

This program solely targets our web application accessible under https://staging.mycasavi.com. The report must be reproducible on currently supported versions and operating systems. Vulnerabilities need to be documented in a way that allows them to be reproduced. Please send screenshots, code, video: whatever helps to understand the flaw.

Non-Qualifying Vulnerabilities

  • Issues located within third-party components
  • Social Engineering
  • Physical attacks
  • Research that results in spam, harassment or any kind of unauthorized communication
  • Using data acquired by compromising customer or employee accounts
  • Denial of service attacks
  • Vulnerabilities in our marketing websites (casavi.de)
  • Issues in our DNS domains
  • Vulnerabilities which are purely hypothetical or already publicly known or variations of such, including vulnerabilities that are made possible by exploiting another reported vulnerability.
  • CORS configuration

Eligibility and Disclosure

  • You must agree and comply with our program rules
  • You must be the first person to responsibly disclose an unknown issue
  • You must not publicly disclose the vulnerability prior to our public disclosure

We will review each report thoroughly and get in contact with you as soon as possible. Please allow a week for our initial response. Try to be fair when attacking our server and do not interrupt the service.

Rewards

Apart from our deep respect and thankfulness, rewards of up to 250 EUR are awarded depending on the severity.

We will carefully classify each report in these categories and choose a reward.