Bug Bounty Report
Bentley is committed to keeping our users’ data safe and secure, and being transparent about the way we do it. Our robust privacy and data protection, security, and compliance standards and certifications attest to that.
Bentley Systems’ Responsible Disclosure Program Guidelines
At Bentley Systems, we take the security of our systems and products seriously, and we value the security community. The disclosure of security vulnerabilities helps us ensure the security and privacy of our users.
1. Generic Guidelines
Bentley Systems requires that all researchers
- Avoid privacy violations, degradation of user experience, disruption to production systems, and destruction of data during security testing.
- Perform research only within the scope set out below.
- Use the communication channels defined below to report vulnerability information to us.
- Keep information about any vulnerabilities you have discovered confidential between you and Bentley Systems until it is fixed.
- Not to pursue or support any legal action related to your research.
- To work with you to understand and resolve the issue quickly.
2. Code of Conduct and Legal Responsibilities
When conducting vulnerability research according to this policy, we consider this research to be
- Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) (orsimilar state laws), and we will not initiate or support legal action against you foraccidental, good-faith violations of this policy.
- Exempt from the Digital Millennium Copyright Act (DMCA), and we will not bring a claim against you for circumvention of technology controls.
- Exempt from restrictions in our Terms & Conditions that would interfere with conducting security research, and we waive those restrictions on a limited basisfor work done under this policy.
- Lawful, helpful to the overall security of the Internet, and conducted in good faith.
You are expected, as always, to comply with all applicable laws. If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please submit a report through one of our communication channels defined below before going any further.
3. Scope / Out of Scope
| Scope | Out of Scope |
|---|---|
|
|
4. Eligible Vulnerabilities / Exclusions
| Eligible Vulnerabilities | Exclusions |
|---|---|
|
|
*Please report only after you have a PoC in the form of two screenshots with timestamps and a subdomain. These screenshots must prove that subdomain was free for at least for one hour. Scanning tools often catch the short period of time while changes to the subdomain are being executed, which may appear to be a vulnerability but is not: the DNS record is deleted shortly afterward. Submitting the screenshots will avoid reports of false vulnerabilities, saving time for both you and our team.
Reports with a partial PoC (one timestamp proof or none at all) will not be treated as a First report.
NB! Actual takeover of reported subdomain as PoC is forbidden.
5. How to Report
If you believe you’ve found a security vulnerability in one of our products or platforms, please fill in the form on this page.
Make sure to have included the following information:
- Detailed description of the vulnerability containing info such as URL, full HTTP request/response, and type of vulnerability.
- Information nece ssary to reproduce the issue.
- If applicable , a screenshot and/or video of the vulnerability.
- Contact information, name, email, phone number, location. Submissions without this information will not be considered.
- IMPORTANT NOTE. You may only make the initial submission through the form. If you have any questions not mentioned in a form, please e-mail us at [email protected].
6. Rules of Engagement
- DoS is strictly prohibited.
- Any form of credentials brute forcing is strictly prohibited.
- Public disclosure of a reported vulnerability before it has been fixed is prohibited.
- You may not destroy or degrade our performance or violate the privacy or integrity of our users and their data.
- Exploiting vulnerabilities (other than a generic PoC) is strictly prohibited and will be prosecuted according to applicable law.
- If a vulnerability provides unintended access to data, you must
- Limit the amount of data you access to the minimum required for effectively demonstrating a Proof of Concept; and
- Cease testing and
- Submit a report immediately if you encounter any user data during testing, such as Personally Identifiable Information (PII), Personal Healthcare Information (PHI), credit card data, or proprietary
information.
- Bentley will not respond to extortion or other coercive, criminal acts (e.g. demands for payment up front in exchange for not exploiting a found vulnerability.
7. Public Disclosure
Unless otherwise informed by our team that the vulnerability has been resolved, please withhold public disclosure of the vulnerability for 90 days. Failure to do so will result in legal action.
8. Duplicates
Only the first researcher to report an issue or similar issues will be considered under this policy. This includes reports of the same issue in different environments (e.g., dev-, qa-, prod-)
9. Vulnerabilities Triage
Once your submission is received:
- The reported vulnerability will be analyzed.
- If we determine the submission is valid and meets the requirements of this policy, you may receive compensation.
- You will be informed when the issue is fixed.
10. Compensation
| Vulnerability Examples | Price Range (USD)** |
|---|---|
| Brocken Access control (Privilege Escalation) | 250-450 |
| Business Logic Issues | 100-300 |
| Cross-Origin Recourse Sharing (CORS) | 100-200 |
| Cross-Site Request Forgery (CSRF) | 150-250 |
| Cross-Site Scripting (XSS) | 100-200 |
| DLL hijacking | 50 |
| Hyperlink injection | 50 |
| Identification and Authentication | 250-450 |
| Insecure direct Object Reference (IDOR) | 250-450 |
| Open redirect | 50-150 |
| Other | 0-500 |
| Remote Code Execution | 600 |
| Security misconfiguration | 50-250 |
| Sensitive data exposure | 50-200 |
| Secrets leak | 200-500 |
| Session misconfiguration | 50-200 |
| SQL Injection | 250-500 |
NOTE. A report will not be eligible for a financial reward (even if Bentley Systems accepts and addresses it) in some situations including, but not limited to, the following:
- report was submitted by the commercial entities or individuals conducting formal/commercial security testing on behalf of Bentley Systems customers.
- report was submitted by the employee or subcontractors of a company that is a customer of Bentley Systems services.
- report was submitted by the employee of the company that is a Bentley System’s service provider.
- report was submitted by an individual residing in a country that is currently subject to international sanctions.
- Bentley System’s legal department fails to associate researcher’s PayPal email address and the identity; meaning that you cannot get the reward to somebody’s else account.
**Note that multiple instances of the same issue will only be compensated to a max of 3x the price.
**Reports for an issue in different environments of the product (dev-, qa-, prod-) will be counted as one.
We reserve the right to change this policy at any time and for any reason and cannot guarantee compensation for all reports. Compensation is only provided through PayPal.
IMPORTANT. Please make sure to send only a valid PayPal address: we will be unable to consider addresses other than the original for payment. If the transaction fails for any reason (i.e. PayPal refuses the transaction; receiving bank cannot accept payment; max amount limit is reached, acceptance of payments only through the website or other instructions, etc.), the payment will be cancelled and will not be resubmitted.
Bentley Systems reserves the right to withdraw the Responsible Disclosure Program and its compensation system at any time without prior notice.
File a Report
Table of Contents
Bentley Systems requires that all researchers
- Avoid privacy violations, degradation of user experience, disruption to production systems, and destruction of data during security testing.
- Perform research only within the scope set out below.
- Use the communication channels defined below to report vulnerability information to us.
- Keep information about any vulnerabilities you have discovered confidential between you and Bentley Systems until it is fixed.
- Not to pursue or support any legal action related to your research.
- To work with you to understand and resolve the issue quickly.
When conducting vulnerability research according to this policy, we consider this research to be
- Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) (orsimilar state laws), and we will not initiate or support legal action against you foraccidental, good-faith violations of this policy.
- Exempt from the Digital Millennium Copyright Act (DMCA), and we will not bring a claim against you for circumvention of technology controls.
- Exempt from restrictions in our Terms & Conditions that would interfere with conducting security research, and we waive those restrictions on a limited basisfor work done under this policy.
- Lawful, helpful to the overall security of the Internet, and conducted in good faith.
You are expected, as always, to comply with all applicable laws. If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please submit a report through one of our communication channels defined below before going any further.
| Scope |
|---|
|
| Out of Scope |
|
| Eligible Vulnerabilities |
|---|
|
| Exclusions |
|
*Please report only after you have a PoC in the form of two screenshots with timestamps and a subdomain. These screenshots must prove that subdomain was free for at least for one hour. Scanning tools often catch the short period of time while changes to the subdomain are being executed, which may appear to be a vulnerability but is not: the DNS record is deleted shortly afterward. Submitting the screenshots will avoid reports of false vulnerabilities, saving time for both you and our team.
Reports with a partial PoC (one timestamp proof or none at all) will not be treated as a First report.
NB! Actual takeover of reported subdomain as PoC is forbidden.
If you believe you’ve found a security vulnerability in one of our products or platforms, please fill in the form on this page.
Make sure to have included the following information:
- Detailed description of the vulnerability containing info such as URL, full HTTP request/response, and type of vulnerability.
- Information nece ssary to reproduce the issue.
- If applicable , a screenshot and/or video of the vulnerability.
- Contact information, name, email, phone number, location. Submissions without this information will not be considered.
- IMPORTANT NOTE. You may only make the initial submission through the form. If you have any questions not mentioned in a form, please e-mail us at [email protected].
- DoS is strictly prohibited.
- Any form of credentials brute forcing is strictly prohibited.
- Public disclosure of a reported vulnerability before it has been fixed is prohibited.
- You may not destroy or degrade our performance or violate the privacy or integrity of our users and their data.
- Exploiting vulnerabilities (other than a generic PoC) is strictly prohibited and will be prosecuted according to applicable law.
- If a vulnerability provides unintended access to data, you must
- Limit the amount of data you access to the minimum required for effectively demonstrating a Proof of Concept; and
- Cease testing and
- Submit a report immediately if you encounter any user data during testing, such as Personally Identifiable Information (PII), Personal Healthcare Information (PHI), credit card data, or proprietary
information.
- Bentley will not respond to extortion or other coercive, criminal acts (e.g. demands for payment up front in exchange for not exploiting a found vulnerability.
Unless otherwise informed by our team that the vulnerability has been resolved, please withhold public disclosure of the vulnerability for 90 days. Failure to do so will result in legal action.
Only the first researcher to report an issue or similar issues will be considered under this policy. This includes reports of the same issue in different environments (e.g., dev-, qa-, prod-)
Once your submission is received:
- The reported vulnerability will be analyzed.
- If we determine the submission is valid and meets the requirements of this policy, you may receive compensation.
- You will be informed when the issue is fixed.
| Vulnerability Examples | Price Range (USD)** |
|---|---|
| Brocken Access control (Privilege Escalation) | 200-400 |
| Business Logic Issues | 100-300 |
| Cross-Origin Recourse Sharing (CORS) | 100-200 |
| Cross-Site Request Forgery (CSRF) | 100-200 |
| Cross-Site Scripting (XSS) | 50-150 |
| Directory Traversal | 100-200 |
| DLL hijacking | 100-200 |
| Hyperlink injection | 50 |
| Identification and Authentication | 200-400 |
| Insecure direct Object Reference (IDOR) | 200-400 |
| Open redirect | 50-150 |
| Other | 0-500 |
| Remote Code Execution | 500 |
| Security misconfiguration | 50-200 |
| Sensitive data exposure | 50-500 |
| Session misconfiguration | 50-150 |
| SQL Injection | 200-400 |
**Reports for an issue in different environments of the product (dev-, qa-, prod-) will be counted as one.
We reserve the right to change this policy at any time and for any reason and cannot guarantee compensation for all reports. Compensation is only provided through PayPal.
IMPORTANT. Please make sure to send only a valid PayPal address: we will be unable to consider addresses other than the original for payment. If the transaction fails for any reason (i.e. PayPal refuses the transaction; receiving bank cannot accept payment; max amount limit is reached, acceptance of payments only through the website or other instructions, etc.), the payment will be cancelled and will not be resubmitted.
Bentley Systems reserves the right to withdraw the Responsible Disclosure Program and its compensation system at any time without prior notice.
