Hall of fame

At Greenhost, we consider the security of our systems a top priority. But no matter how much effort we put into system security, there can still be vulnerabilities present. This is why we have a Responsible disclosure policy, allowing independent researchers to find and report vulnerabilities to us that may exist in our systems, in exchange for a reward.

As an additional thank-you gift, this page lists –with their permission– the security researchers that reported serious vulnerabilities. We also included an explaination of the vulnerability, and how it was fixed by our team.

Security researchers

Mayank Mukhi

We run a small website helping customers onboard on some of our projects / products. This website exposed the its source code through version control system folder available publicly on the website. A potential attacker could have learned about the internals of this website. This was fixed by removing public access to this system folder.

  • Rewarded: € 50
  • Reported on: 24 Jan 2023

Manohar Kommalapati

We run a contact form, allowing customers and potential customer to reach us. It implements a rate limit on the messages, to prevent abuse. However, this rate limit could be bypassed by forging the message so they seem to be coming from an internal system. A potential attacker could have flooded our system with messages, delaying the handling of messages from legitimate customers. This was fixed by improving the detection of the origin of the message.

  • Rewarded: € 100
  • Reported on: 4 Nov 2022

Nicolás Armua

We run a status page, to allow our customer to see the health of our infrastructure and receive mail alerts about it. The open-source software running this page was left unmaintained, and security issues were discovered but not fixed. One security issue in particular would have allowed a potential attacker to have total control over the software, most importantly allowing them to collect email address of subscribed customers. This was fixed by changing the software to a better maintained fork.

  • Rewarded: € 100
  • Reported on: 26 Apr 2022

Vladimir adsec2s Vlasov

We used a script to migrate some of our open source projects to a separate GitLab instance. That script was open-sourced too, however working access token were left public. This would enable a potential attacker with write access to our Stackspin repositories, and read access to some of our internal repositories. This was fixed by revoking the tokens.

  • Rewarded: € 100
  • Reported on: 6 Jun 2021

0xdln

Our open-source work suite Stackspin comes with the Rocket.Chat application for communication. An issue was discovered in the application, allowing potential attackers to see usernames and potentially some messages of the application. We missed the announcement of this issue, and thus deployed the fix later than we expect of our security standards.

  • Rewarded: € 50
  • Reported on: 4 Jun 2021

Himanshu

Our customers have an access to our service center, with a username and a password. If a customer has suspicion that someone is illegitimately accessing it, they might want to have a way to disconnect other sessions, or may assume that changing their password would do that. This used to not be the case, which would have let illegitimate users access the account for a few hours after the password change.

  • Rewarded: € 50
  • Reported on: 6 Nov 2020

Sandip Dhanwai

During an order, the browser sends an order id and a authentication token. Before the payment, the authentication token was not checked against the order id. This would allow a potential attacker to access the name, phone number, mail address of current and past customers having made an order by guessing their id, by doctoring a PayPal link. This was fixed by also checking the authentication token during this step.

  • Rewarded: € 1000
  • Reported on: 1 Sep 2020

Shrestha Anand

During an order, the browser sends the order id via the URL to a webpage. It was possible for a potential attacker to inject JavaScript code by appending it to the order id. This was fixed by using the order object id instead of the provided value.

  • Rewarded: € 800
  • Reported on: 27 Jun 2020

Sander Wind, Stan Faas and Hans Gillis

Our customers have the ability to register domain names and manage their DNS records. Previously, it was possible to register and handle the DNS of some Greenhost-owned domain names. This could have potentially allowed an attacker to run a man in the middle attack, if the suspicious activity went unoticed by our manual processes. We have addressed this issue by improving the logic of domain registrations.

  • Rewarded: € 1500
  • Reported on: 16 Apr 2020

Rahul Kumar Rai

We have a web form on our website that can be used to send feedback. It used to send a reply to the mail address that was provided. It is open to the public and we can not verify the address. In a recent update of the website this message was then delivered to our ticket system that auto-replied to the address provided. As such, this would have allowed an attacker to send spam or malicious links to random addresses. This was fixed by reverting to the old behaviour of not sending automatic replies for the web form.

  • Rewarded: € 150
  • Reported on: 29 Jan 2020