Description

We are happy to relaunch our public VDP program! We've done our best to clean up our issues and would now like your help spotting the ones we missed. We start with just a few domains and want to continuously increase our scope at regular intervals, so keep checking this page from time to time to see if there is anything new to find.

⚠️ Only submissions that follow the Rules of Engagement (e.g., using an intigriti.me email) and are not Out of Scope will be considered valid. Actions like mail bombing, denial of service, changing/removing data or parameters, or interfering with asset functionality are strictly forbidden and not protected by the safe harbor clause. Always aim to prevent harm, review all relevant sections before starting and follow the rules of engagement.

Arbonia is one of the world's leading interior brands for doors, showers, and dividing systems made from wood, glass and metal. The company, which is listed on the SIX Swiss Exchange, is active as a leading supplier in Western, Central, and Eastern Europe with its own distribution companies. Its main production sites are located in Switzerland, Germany, Poland, Spain, the Czech Republic, Portugal, and France. A total of around 3'700 employees work for Arbonia.

Bounties

This is a responsible disclosure program without bounties.

Rules of engagement
Required

  • User-Agent: Intigriti-VDP-<default user-agent>
  • max. 2 requests/sec
  • X-BugBounty-VDP:Intigriti-{Username}

We will:

  • Respect the safe harbor clause that you can find below
  • Collaborate with you and reply to your submissions as fast as possible

By participating in this program, you agree to:

  • Respect the Community Code of Conduct
  • Respect the Intigriti Terms and Conditions
  • Respect the scope of the program
  • Not to discuss or disclose vulnerability information without prior written consent (including PoCs on YouTube or other platforms)
  • Provide detailed but to-the-point reproduction steps
  • Include a clear attack scenario. How will this affect us exactly?
  • Not to use automatic scanners. Be creative and do it yourself! We cannot accept any submissions found by using automatic scanners and which are not proven to cause a security risk
  • Not to obtain, modify, or destroy any information when an identified vulnerability allows you to do so, other than to prove the vulnerability
  • Not to perform denial of service or load tests

Rewards:

Although this is a VDP without rewards, we may provide a bonus in certain circumstances at our discretion:

  • A report clearly reflects a high effort to identify the vulnerability
  • A vulnerability is very critical in terms of severity and/or impact to Arbonia or our customers
  • Any other aspect where we think you deserve a reward

We also use the pool of reporters in this VDP as a source for people we potentially invite into our private bug bounty program.

This remains at the discretion of Arbonia Services AG to award.

Domains

  • Homepage of a subsidiary
  • Homepage of a subsidiary
  • Homepage of a subsidiary
  • Manual of several door products

In scope

Our worst-case scenarios are:

  • Loss / exposure of customer or otherwise sensitive data
  • Privilege escalation / authentication bypass
  • Disruption of operations, delivery delays
  • Inconsistent data and application logic / SQL injection, remote code execution, cross-site scripting and so on

Feedback
If you would like to help us improve our program or have feedback to share, please send your anonymous feedback here:
Program feedback link
Please note this form will be checked periodically and should not be used for submission or support queries.

Out of scope

We are interested in real vulnerabilities that have demonstrable impact, not general missing best practices that have no impact on security.

Application

  • Email bombing
  • Wordpress usernames disclosure
  • Pre-Auth Account takeover/OAuth squatting
  • Self-XSS that can't be used to exploit other users
  • Verbose messages/files/directory listings without disclosing any sensitive information
  • CORS misconfiguration on non-sensitive endpoints
  • Missing cookie flags
  • Missing security headers
  • Cross-site Request Forgery with no or low impact
  • Presence of autocomplete attribute on web forms
  • Reverse tabnabbing
  • Bypassing rate-limits or the non-existence of rate-limits.
  • Best practices violations (password complexity, expiration, re-use, etc.)
  • Clickjacking without proven impact/unrealistic user interaction
  • CSV Injection
  • Sessions not being invalidated (logout, enabling 2FA, etc.)
  • Tokens leaked to third parties
  • Anything related to email spoofing, SPF, DMARC or DKIM
  • Content injection without being able to modify the HTML
  • Username/email enumeration
  • HTTP Request smuggling without any proven impact
  • Homograph attacks
  • XMLRPC enabled
  • Banner grabbing/Version disclosure
  • Not stripping metadata of files
  • Same-site scripting
  • Subdomain takeover without taking over the subdomain
  • Arbitrary file upload without proof of the existence of the uploaded file
  • Blind SSRF without proven business impact (pingbacks aren't sufficient)
  • Disclosed/misconfigured Google Maps API keys
  • Host header injection without proven business impact

Infrastructure

  • Open ports
  • TLS/SSL certificate related issue such as weak ciphers or outdated protocols
  • Missing OCSP stapling

General

  • In case a reported vulnerability was already known to the company from its own tests, it will be flagged as a duplicate
  • Theoretical security issues with no realistic exploit scenario(s) or attack surfaces, or issues that would require complex end user interactions to be exploited
  • Spam, social engineering and physical intrusion
  • DoS/DDoS attacks or brute force attacks
  • Vulnerabilities that only work on software that no longer receives security updates
  • Attacks requiring physical access to a victim's computer/device, man in the middle or compromised user accounts
  • Recently discovered zero-day vulnerabilities found in in-scope assets within 14 days after the public release of a patch or mitigation may be reported, but are usually not eligible for a bounty
  • Reports that state that software is out of date/vulnerable without a proof-of-concept

Severity assessment

This program follows Intigriti's triage standards

FAQ

What is meant with mail bombing?

It's not allowed to generate a lot of mails with your tests and actions (for example via a contact form). Dozens of mails in a short time disrupt our operations and must be prevented at all costs.

Do I need an Intigriti account to provide a submission?

Yes. This is important to keep every finding tracked; you get the reputation points, and your actions will be identified as those of a bug bounty researcher.

Why do I have to use the Intigriti address/agent/header?

This helps us tell which actions are performed by legitimate bug bounty researchers and which by real attackers. If the action or the IP is not related to Intigriti, your requests or your IP address may be blocked on our systems.
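The FAQ answer above and the Required markers in the Rules of engagement explain why the User-Agent prefix and the X-BugBounty-VDP header matter: they let the defending team separate programme traffic from everything else. The following added example (not Arbonia's or Intigriti's code) triages constructed access-log records on that basis and also flags tagged researchers who exceed the 2 requests/sec limit; the JSON-lines log format and its field names are assumptions.

```python
import json
from collections import defaultdict

# Constructed sample access-log records (JSON lines), not real Arbonia traffic.
# ua = User-Agent, hdr = X-BugBounty-VDP (absent when the client did not send it).
SAMPLE_LOG = """
{"ip": "203.0.113.10", "ts": 100.0, "ua": "Intigriti-VDP-Mozilla/5.0", "hdr": "Intigriti-alice"}
{"ip": "203.0.113.10", "ts": 100.4, "ua": "Intigriti-VDP-Mozilla/5.0", "hdr": "Intigriti-alice"}
{"ip": "203.0.113.10", "ts": 100.9, "ua": "Intigriti-VDP-Mozilla/5.0", "hdr": "Intigriti-alice"}
{"ip": "198.51.100.7", "ts": 101.0, "ua": "Intigriti-VDP-curl/8.0", "hdr": "Intigriti-bob"}
{"ip": "198.51.100.7", "ts": 102.5, "ua": "Intigriti-VDP-curl/8.0", "hdr": "Intigriti-bob"}
{"ip": "192.0.2.99", "ts": 103.0, "ua": "Mozilla/5.0", "hdr": "Intigriti-mallory"}
{"ip": "192.0.2.50", "ts": 104.0, "ua": "sqlmap/1.7"}
"""

UA_PREFIX = "Intigriti-VDP-"   # required User-Agent prefix from the rules of engagement
HDR_PREFIX = "Intigriti-"      # required X-BugBounty-VDP value is Intigriti-{Username}
MAX_REQ_PER_SEC = 2            # rate limit from the rules of engagement

def classify(record):
    """Return the researcher's username when BOTH required markers are present,
    otherwise None. A request carrying only one marker is treated as untagged."""
    hdr = record.get("hdr", "")
    if record.get("ua", "").startswith(UA_PREFIX) and hdr.startswith(HDR_PREFIX):
        username = hdr[len(HDR_PREFIX):]
        return username or None
    return None

def triage(log_text):
    """Split records into tagged researcher traffic and untagged traffic, and
    flag any researcher who sends more than MAX_REQ_PER_SEC in one second."""
    per_user = defaultdict(list)
    untagged_ips = []
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        user = classify(rec)
        if user is None:
            untagged_ips.append(rec["ip"])
        else:
            per_user[user].append(rec["ts"])
    over_limit = set()
    for user, stamps in per_user.items():
        stamps.sort()
        # sliding window: count requests in [t, t + 1s) starting at each request
        for i, t in enumerate(stamps):
            if sum(1 for s in stamps[i:] if s < t + 1.0) > MAX_REQ_PER_SEC:
                over_limit.add(user)
                break
    return {"tagged": {u: len(s) for u, s in per_user.items()},
            "untagged_ips": untagged_ips, "over_limit": sorted(over_limit)}
```

Untagged IPs are candidates for the blocking the FAQ mentions, while tagged researchers over the limit can be contacted through the platform rather than blocked outright.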

I found a vulnerability at "subdomain.domain.com", even though only "domain.com" is in scope. Can I provide the submission too?

If there is a wildcard at the domain (for example https://*.arbonia.com), the finding is in the scope and legitimate. If the domain is fixed, without any subdomain or wildcard, any testing won't be protected by the safe harbor clause and the submission will be rejected and marked as "out of scope".

Where can we get credentials for the app?

We currently don’t offer any credentials to test user roles.


Overall stats

  • Submissions received: 136
  • Average payout: N/A
  • Accepted submissions: 78
  • Total payouts: N/A

Last 90 day response times

  • Avg. time to first response: < 24 hours
  • Avg. time to triage: < 24 hours
Activity

  • 5/7: Arbonia Services AG closed a submission
  • 5/5: nepeangoalie29 created a submission
  • 4/30: Arbonia Services AG closed a submission
  • 4/29: mgaas created a submission
  • 4/28: Arbonia Services AG published a program update
  • 4/28: Arbonia Services AG published a program update
  • 4/28: Arbonia Services AG unsuspended the program
  • 4/28: Arbonia Services AG closed a submission
  • 4/25: Arbonia Services AG changed the description
  • 4/25: Arbonia Services AG changed the description