Home / Bug Bounty Report

Bug Bounty Report

Bug Bounty Report

Bentley is committed to keeping our users’ data safe and secure, and being transparent about the way we do it. Our robust privacy and data protection, security, and compliance standards and certifications attest to that.

Bentley Systems’ Responsible Disclosure Program Guidelines

At Bentley Systems, we take the security of our systems and products seriously, and we value the security community. The disclosure of security vulnerabilities helps us ensure the security and privacy of our users. 

1. Generic Guidelines

Bentley Systems requires that all researchers

  • Avoid privacy violations, degradation of user experience, disruption to production systems, and destruction of data during security testing.
  • Perform research only within the scope set out below.
  • Use the communication channels defined below to report vulnerability information to us.
  • Keep information about any vulnerabilities you have discovered confidential between you and Bentley Systems until it is fixed.
If you follow these guidelines when reporting an issue to us, we commit
 
  • Not to pursue or support any legal action related to your research.
  • To work with you to understand and resolve the issue quickly.

2. Code of Conduct and Legal Responsibilities

When conducting vulnerability research according to this policy, we consider this research to be

  • Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) (orsimilar state laws), and we will not initiate or support legal action against you foraccidental, good-faith violations of this policy.
  • Exempt from the Digital Millennium Copyright Act (DMCA), and we will not bring a claim against you for circumvention of technology controls.
  • Exempt from restrictions in our Terms & Conditions that would interfere with conducting security research, and we waive those restrictions on a limited basisfor work done under this policy.
  • Lawful, helpful to the overall security of the Internet, and conducted in good faith.

You are expected, as always, to comply with all applicable laws. If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please submit a report through one of our communication channels defined below before going any further.

3. Scope / Out of Scope

ScopeOut of Scope
  • All _.bentley.com subdomains
  • All Bentley Systems desktop products (Only CONNECT Edition and Later)
  • All Bentley Systems mobile apps
  • All Bentley Cloud Applications and Services
  • All Bentley Open-Source Projects (including imodeljs.org)
  • Bentley Systems’ Infrastructure (VPN, Mail Server, SharePoint, Skype, etc.)
  • Findings from physical testing, such as office access (e.g., open doors, tailgating)
  • Findings derived primarily from social engineering (e.g., phishing, vishing)
  • Findings from applications or systems not listed in the ‘Scope’ section
  • Any services hosted by 3rd-party providers and services
  • https://www.plaxis.ru

4. Eligible Vulnerabilities / Exclusions

Eligible VulnerabilitiesExclusions
  • Remote Code Execution
  • DLL hijacking
  • SQL Injection
  • Cross-Site Scripting (XSS)
  • Identification and Authentication
  • Insecure direct object reference (IDOR)
  • Cross-Site Request Forgery (CSRF)
  • Directory Traversal
  • Sensitive data exposure
  • Session misconfiguration
  • Broken Access control (Privilege Escalation)
  • Security misconfiguration
  • Cross-Origin resource sharing (CORS)
  • Open redirect
  • Subdomain takeover*
  • Business Logic Issues
  • Hyperlink injection
  • Word-press issues
  • DDoS
  • DoS, and application-level DoS (unless the response is asymmetrical compared to the initial request)
  • Publicly released bugs in internet software within 15 days of their disclosure
  • Self-XSS (we require evidence on how the XSS can be used to attack another user)
  • X-Frame-Options related (clickjacking)
  • Header injection (unless you can show how they can lead to stealing user data)
  • Issues that are non-exploitable but lead to crashes, stack trace, and similar information leak or stability issues.
  • Version exposure (unless you deliver a PoC of working exploit).
  • Anything requiring outdated browsers, platforms, or crypto (i.e. TLS BEAST, POODLE, etc.)
  • Spam or Social Engineering techniques, including SPF and DKIM issues
  • Rate limit vulnerability not on a login functionality (unless a valid exploit PoC provided)
  • XMLRPC.php file is enabled leading to DoS attack
  • Missing cookie flags on non-sensitive cookies
  • Missing security headers which do not lead directly to a vulnerability (unless you deliver a PoC)
  • Anything from an automated scan
  • Anything that is public by default (e.g. public keys, config files without sensitive information, etc.)
  • Anything not under Bentley Systems control (e.g. Google Analytics, etc.)
  • Theoretical issues that lack practical severity
  • UI and UX bugs and spelling mistakes
  • Credentials found at breach forums like [https://breachforums.st, https://phonebook.cz] etc.
  • CAA certificate missing
  • User enumeration in WP, when only a few Bentley employees, who posted on the website, are exposed

*Please report only after you have a PoC in the form of two screenshots with timestamps and a subdomain. These screenshots must prove that subdomain was free for at least for one hour. Scanning tools often catch the short period of time while changes to the subdomain are being executed, which may appear to be a vulnerability but is not: the DNS record is deleted shortly afterward. Submitting the screenshots will avoid reports of false vulnerabilities, saving time for both you and our team. 

Reports with a partial PoC (one timestamp proof or none at all) will not be treated as a First report. 

NB! Actual takeover of reported subdomain as PoC is forbidden. 

5. How to Report

If you believe you’ve found a security vulnerability in one of our products or platforms, please fill in the form on this page. 

A good practice is to think whether the discovered vulnerability puts at risk:

  • Bentley Systems clients’ information.
  • Bentley Systems software.
  • Bentley Systems reputation.

Make sure to have included the following information:

  • Detailed description of the vulnerability containing info such as URL, full HTTP request/response, and type of vulnerability.
  • Information necessary to reproduce the issue.
  • Proof of concept including practical severity and attack scenario, indication of a potential risk only is hard to evaluate and usually such report is not approved.
  • If applicable, a screenshot and/or video of the vulnerability.
  • Contact information, name, email, phone number, location. Submissions without this information will not be considered.
  • IMPORTANT NOTE. You may only make the initial submission through the form. If you have any questions not mentioned in a form, please e-mail us at [email protected].

6. Rules of Engagement

  • DoS is strictly prohibited.
  • Any form of credentials brute forcing is strictly prohibited.
  • Public disclosure of a reported vulnerability before it has been fixed is prohibited.
  • You may not destroy or degrade our performance or violate the privacy or integrity of our users and their data.
  • Exploiting vulnerabilities (other than a generic PoC) is strictly prohibited and will be prosecuted according to applicable law.
  • If a vulnerability provides unintended access to data, you must
    • Limit the amount of data you access to the minimum required for effectively demonstrating a Proof of Concept; and
    • Cease testing and
    • Submit a report immediately if you encounter any user data during testing, such as Personally Identifiable Information (PII), Personal Healthcare Information (PHI), credit card data, or proprietary
      information.
  • Bentley will not respond to extortion or other coercive, criminal acts (e.g. demands for payment up front in exchange for not exploiting a found vulnerability.

7. Public Disclosure

Unless otherwise informed by our team that the vulnerability has been resolved, please withhold public disclosure of the vulnerability for 90 days. Failure to do so will result in legal action.

8. Duplicates

  • Only the first researcher to report an issue will be entitled for a reward.
  • The reports of the same issue in different environments are not rewarded and closed as duplicates. (e.g. dev-*-bentley.com, qa- dev-*-bentley.com, prod- dev-*-bentley.com) 
  • The reports of the same issue in different deployment regions are not rewarded and closed as duplicates. (e.g. *.us.bentley.com, *.eus-bentley.com, *.in.-*-bentley.com)
  • Multiple instances of the same issue will only be compensated to a max of 3x the reward sum. (e.g. expires SSL certificate on 25 domain and subdomains will count 3×100 USD, and not 25×100 USD)

9. Vulnerabilities Triage

Once your submission is received:
  • The reported vulnerability will be analyzed.
  • You will be informed if the issue is closed without a reward. We do not send a detailed explanation of the resolution.
  • If we determine the submission is valid and meets the requirements of this policy, you may receive a reward after the fix is implemented. Our commitment is to reward your efforts within 90 days.

10. Compensation

Vulnerability ExamplesPrice Range (USD)**
Brocken Access control (Privilege Escalation)250-450
Business Logic Issues100-300
Cross-Origin Recourse Sharing (CORS)100-200
Cross-Site Request Forgery (CSRF)150-250
Cross-Site Scripting (XSS)100-200
DLL hijacking50
Hyperlink injection50
Identification and Authentication250-450
Insecure direct Object Reference (IDOR)250-450
Open redirect50-150
Other0-500
Remote Code Execution600
Security misconfiguration50-250
Sensitive data exposure50-200
Secrets leak200-500
Session misconfiguration50-200
SQL Injection250-500
 

NOTE. A report will not be eligible for a financial reward (even if Bentley Systems accepts and addresses it) in some situations including, but not limited to, the following: 

  • report was submitted by current of former employee of Bentley Systems
  • report was submitted by the commercial entities or individuals conducting formal/commercial security testing on behalf of Bentley Systems customers.
  • report was submitted by the employee or subcontractors of a company that is a customer of Bentley Systems services.
  • report was submitted by the employee of the company that is a Bentley System’s service provider.
  • report was submitted by an individual residing in a country that is currently subject to international sanctions.
  • Bentley System’s legal department fails to associate researcher’s PayPal email address and the identity; meaning that you cannot get the reward to somebody’s else account.

**Note that multiple instances of the same issue will only be compensated to a max of 3x the price.

**Reports for an issue in different environments of the product (dev-, qa-, prod-) will be counted as one.

We reserve the right to change this policy at any time and for any reason and cannot guarantee compensation for all reports. Compensation is only provided through PayPal. 

IMPORTANT. Please make sure to send only a valid PayPal address: we will be unable to consider addresses other than the original for payment. If the transaction fails for any reason (i.e. PayPal refuses the transaction; receiving bank cannot accept payment; max amount limit is reached, acceptance of payments only through the website or other instructions, etc.), the payment will be cancelled and will not be resubmitted.

Bentley Systems reserves the right to withdraw the Responsible Disclosure Program and its compensation system at any time without prior notice.

File a Report

Table of Contents

Bentley Systems requires that all researchers

  • Avoid privacy violations, degradation of user experience, disruption to production systems, and destruction of data during security testing.
  • Perform research only within the scope set out below.
  • Use the communication channels defined below to report vulnerability information to us.
  • Keep information about any vulnerabilities you have discovered confidential between you and Bentley Systems until it is fixed.
If you follow these guidelines when reporting an issue to us, we commit
 
  • Not to pursue or support any legal action related to your research.
  • To work with you to understand and resolve the issue quickly.

When conducting vulnerability research according to this policy, we consider this research to be

  • Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) (orsimilar state laws), and we will not initiate or support legal action against you foraccidental, good-faith violations of this policy.
  • Exempt from the Digital Millennium Copyright Act (DMCA), and we will not bring a claim against you for circumvention of technology controls.
  • Exempt from restrictions in our Terms & Conditions that would interfere with conducting security research, and we waive those restrictions on a limited basisfor work done under this policy.
  • Lawful, helpful to the overall security of the Internet, and conducted in good faith.

You are expected, as always, to comply with all applicable laws. If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please submit a report through one of our communication channels defined below before going any further.

Scope
  • All _.bentley.com subdomains
  • All Bentley Systems desktop products (Only CONNECT Edition and Later)
  • All Bentley Systems mobile apps
  • All Bentley Cloud Applications and Services
  • All Bentley Open Source Projects (including imodeljs.org)
Out of Scope
Eligible Vulnerabilities
  • Brocken Access control (Privilege Escalation)
  • Business Logic Issues
  • Cross-Origin resource sharing (CORS)
  • Cross-Site Request Forgery (CSRF)
  • Cross-Site Scripting (XSS)
  • Directory Traversal
  • DLL hijacking
  • Hyperlink injection
  • Identification and Authentication
  • Insecure direct object reference (IDOR)
  • Open redirect
  • Other
  • Remote Code Execution
  • Security misconfiguration
  • Sensitive data exposure
  • Session misconfiguration
  • SQL Injection
  • Subdomain takeover*
  • Word-press issues
Exclusions
  • Publicly released bugs in internet software within 15 days of their disclosure
  • Spam or Social Engineering techniques, including SPF and DKIM issues
  • Self-XSS (we require evidence on how the XSS can be used to attack another user)
  • X-Frame-Options related (clickjacking)
  • Rate limit vulnerability (unless a valid exploit PoC provided)
  • XMLRPC.php file is enabled leading to DoS attack
  • Missing cookie flags on non-sensitive cookies
  • Missing security headers which do not lead directly to a vulnerability (unless you deliver a PoC)
  • Header injection )unless you can show how they can lead to stealing user data)
  • Version exposure (unless you deliver a PoC of working exploit).
  • Issues that are non-exploitable but lead to crashes, stack trace, and similar information leak or stability issues.
  • Denial of Service
  • Anything requiring outdated browsers, platforms, or crypto (i.e. TLS BEAST, POODLE, etc.)
  • Anything from an automated scan, anything that is already public, or anything not under Bentley Systems control (e.g. Google Analytics, etc.)
  • Theoretical issues that lack practical severity

*Please report only after you have a PoC in the form of two screenshots with timestamps and a subdomain. These screenshots must prove that subdomain was free for at least for one hour. Scanning tools often catch the short period of time while changes to the subdomain are being executed, which may appear to be a vulnerability but is not: the DNS record is deleted shortly afterward. Submitting the screenshots will avoid reports of false vulnerabilities, saving time for both you and our team.

Reports with a partial PoC (one timestamp proof or none at all) will not be treated as a First report.

NB! Actual takeover of reported subdomain as PoC is forbidden.

If you believe you’ve found a security vulnerability in one of our products or platforms, please fill in the form on this page.

Make sure to have included the following information:

  • Detailed description of the vulnerability containing info such as URL, full HTTP request/response, and type of vulnerability.
  • Information nece ssary to reproduce the issue.
  • If applicable , a screenshot and/or video of the vulnerability.
  • Contact information, name, email, phone number, location. Submissions without this information will not be considered.
  • IMPORTANT NOTE. You may only make the initial submission through the form. If you have any questions not mentioned in a form, please e-mail us at [email protected].
  • DoS is strictly prohibited.
  • Any form of credentials brute forcing is strictly prohibited.
  • Public disclosure of a reported vulnerability before it has been fixed is prohibited.
  • You may not destroy or degrade our performance or violate the privacy or integrity of our users and their data.
  • Exploiting vulnerabilities (other than a generic PoC) is strictly prohibited and will be prosecuted according to applicable law.
  • If a vulnerability provides unintended access to data, you must
    • Limit the amount of data you access to the minimum required for effectively demonstrating a Proof of Concept; and
    • Cease testing and
    • Submit a report immediately if you encounter any user data during testing, such as Personally Identifiable Information (PII), Personal Healthcare Information (PHI), credit card data, or proprietary
      information.
  • Bentley will not respond to extortion or other coercive, criminal acts (e.g. demands for payment up front in exchange for not exploiting a found vulnerability.

Unless otherwise informed by our team that the vulnerability has been resolved, please withhold public disclosure of the vulnerability for 90 days. Failure to do so will result in legal action.

Only the first researcher to report an issue or similar issues will be considered under this policy. This includes reports of the same issue in different environments (e.g., dev-, qa-, prod-)

Once your submission is received:

  • The reported vulnerability will be analyzed.
  • If we determine the submission is valid and meets the requirements of this policy, you may receive compensation.
  • You will be informed when the issue is fixed.
Vulnerability Examples Price Range (USD)**
Brocken Access control (Privilege Escalation) 200-400
Business Logic Issues 100-300
Cross-Origin Recourse Sharing (CORS) 100-200
Cross-Site Request Forgery (CSRF) 100-200
Cross-Site Scripting (XSS) 50-150
Directory Traversal 100-200
DLL hijacking 100-200
Hyperlink injection 50
Identification and Authentication 200-400
Insecure direct Object Reference (IDOR) 200-400
Open redirect 50-150
Other 0-500
Remote Code Execution 500
Security misconfiguration 50-200
Sensitive data exposure 50-500
Session misconfiguration 50-150
SQL Injection 200-400
**Note that multiple instances of the same issue will only be compensated to a max of 3x the price.

**Reports for an issue in different environments of the product (dev-, qa-, prod-) will be counted as one.

We reserve the right to change this policy at any time and for any reason and cannot guarantee compensation for all reports. Compensation is only provided through PayPal. 

IMPORTANT. Please make sure to send only a valid PayPal address: we will be unable to consider addresses other than the original for payment. If the transaction fails for any reason (i.e. PayPal refuses the transaction; receiving bank cannot accept payment; max amount limit is reached, acceptance of payments only through the website or other instructions, etc.), the payment will be cancelled and will not be resubmitted.

Bentley Systems reserves the right to withdraw the Responsible Disclosure Program and its compensation system at any time without prior notice.

20% Off Bentley Software

Deal Ends Friday

Use Coupon Code "THANKS24"

Celebrate Infrastructure Delivery & Performance Excellence

The 2024 Year in Infrastructure
and Going Digital Awards

Nominate a project for the most prestigious awards in infrastructure! Extended deadline to enter is April 29th.