Submit bug report: https://cad.onshape.com
Policy
Onshape Security Bug Identification Program (Effective as of April 15, 2015)
Rules for you
Don’t attempt to gain access to another user’s account or data.
Don’t perform any attack that could harm the reliability/integrity of our services or data. DDoS/spam attacks are not allowed.
Don’t publicly disclose a bug before it has been fixed.
Only test for vulnerabilities on sites you know to be operated by Onshape.
Do not impact other users with your testing. If you are an Onshape user, we may suspend or terminate your Onshape account and ban your IP address if you do so.
Don’t use scanners or automated tools to find vulnerabilities.
Don't use automated burp scanning capabilities in any way such as using Burp extensions, Burp professional scanner, etc.
Never attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.
Don’t publicize in any way your participation in, or the existence of, Onshape’s security bug identification program.
Use the security@onshape.com email address for reporting vulnerabilities.
Send us a well-formed report that describes, in detail, every step needed to reproduce the issue.
Rules for us
We will respond as quickly as possible to your submission.
We will keep you updated as we work to fix the bug you submitted.
We will not take legal action against you if you play by the rules.
What does not qualify?
Bugs that are not related to security.
Vulnerabilities that Onshape determines to be an accepted or acceptable security risk.
Bugs that show a login cookie still working after logout.
Bugs that show any session fixation aspects.
Bugs that show rate limiting aspects.
Bugs, such as XSS, that only affect legacy browser/plugin versions.
Bugs, such as XSS due to file uploads, on hosts not under *.onshape.com.
Bugs, such as XSS requiring unlikely user interaction.
Bugs, such as timing attacks or user enumeration via password reset, that prove the existence of a private document or user.
Bugs related to XSRF on unauthenticated portions of the site.
Bugs related to XSRF on GET requests, logout requests, etc.
Insecure cookie settings for non-sensitive cookies.
Disclosure of public information and information that does not present significant risk.
Bugs that have already been submitted by another user, or that we are already aware of.
Clickjacking on a static site.
Bugs related to discovery by automated Burp plugins (extensions), e.g. Param Miner.
Bugs related to web cache poisoning, client cache manipulation, etc.
Bugs requiring users to click on things, etc.
Bugs in content/services that are not owned/operated by Onshape (including, without limitation, www.onshape.com, forum.onshape.com, and onshape.zendesk.com).
Scripting or other automation and brute forcing of intended functionality.
Impersonating an Onshape user.
Note
Misconfigurations such as subdomain takeovers, OSINT-based attacks such as API keys exposed via code repositories, other OSINT-based findings such as exposed credentials, etc. are welcome; however, no monetary award will be given for those.
Other terms and conditions
Awards made by us pursuant to this program may include swag, bounty payments, or a combination thereof.
We determine bounty payments based on a variety of factors, including (but not limited to) impact, ease of exploitation, and quality of the report. If we pay a bounty, the minimum reward is $100. Note that low-risk issues may not qualify for a bounty.
We seek to pay similar amounts for similar issues, but bounty amounts and qualifying issues may change with time. Past rewards do not necessarily guarantee similar results in the future. The amount of any bounty payment will be determined by Onshape in our sole discretion. In no event shall we be obligated to pay you a bounty for any submission. All bounty payments shall be considered gratuitous.
The timing of any award made hereunder shall be determined at Onshape’s sole discretion. All bounty payments will be made in United States dollars (USD). You will be responsible for any tax implications related to bounty payments you receive, as determined by the laws of your jurisdiction of residence or citizenship. Payment is conditioned on you providing us with all information that we might reasonably request in order to make payment to you (including, in our discretion, Form W-9 or W-8BEN).
You must keep confidential the terms and conditions of the program, your participation in the program, any submissions you make hereunder, and any award you may receive from us. If you are an Onshape user, we may suspend or terminate your Onshape account and ban your IP address if you breach these confidentiality provisions.
Your submission of any bug to us constitutes your acknowledgment of and agreement to all of the foregoing rules, terms and conditions.