ONLYOFFICE on HackerOne: 2022 overview

Mikhail Korotaev
Published in ONLYOFFICE, Dec 20, 2022

About ONLYOFFICE bounty program

Last December, we finally decided to launch a bug bounty program on HackerOne to boost our security improvement efforts by inviting the professional hacker community to test ONLYOFFICE solutions.

How does it work? On HackerOne, vulnerability testing enthusiasts are encouraged to run a variety of facilitated tests against the solutions within the program’s scope. In return, we pay out bounties proportional to the severity of each issue and resolve the issues within a defined timeframe.

To keep the first stage manageable, we are keeping our program private. Reporting is invitation-based, with pre-defined invitation quotas and curated candidates. In the future, we plan to open the program to the wider community and allow an organic inflow of hackers.

Read our blog to learn more about the essentials of the ONLYOFFICE bug bounty program.

Brief report

Throughout this year, we have invited 193 hackers to our program, including selected professionals from among the platform’s top performers and volunteers who reached out to us to share their findings.

At the time of writing, we have received a total of 42 submissions, out of which we triaged and resolved 25 vulnerabilities of varying severity. Among those resolved were 1 critical issue, 8 of high severity, and 16 of lower grades. The total amount of bounties paid is $4200.

The busiest period was the summer months, with August being the most productive.

Notably, some enthusiastic hackers submitted multiple issues at once, with a top participant reporting as many as 8 issues.

As for our team’s performance, here are our average issue-handling times over the period:

Triage time: 12 days

Bounty time: 17 days

Resolve time: 34 days

Achievements

The HackerOne program helped us spot previously unseen vulnerabilities within our scope, and occasionally outside it, and streamlined our work compared with the manual report handling of the past.

Although the program focuses on ONLYOFFICE Docs, we also received notable findings in solutions outside our target product, such as the mobile apps, the desktop editors, and the Workspace collaboration platform.

For instance, we were able to eliminate a privilege escalation loophole in calendars and resolve previously unknown issues in the Wiki section.

Particularly tangible work was done on WebSocket exploitation scenarios in collaboration with Iain Wallace, Principal Security Consultant at Nettitude, who reached out with impressive research on the issue.

“HackerOne is a way more comfortable platform to work with for complex issue analysis thanks to the provided reporting tools. It saved us a great deal of time otherwise spent using casual communication methods,” concludes Pavel from the ONLYOFFICE Security team.

Future objectives

We are extending our bounty program into next year, hoping to increase the pace and get ready for a public program launch. We are going to expand our quotas and will likely widen the scope with several new components.

Want to join the program and submit your findings? Send us an email with the subject ONLYOFFICE HackerOne bounty to marketing@onlyoffice.com, describing what you have found along with your username.
