Description

We are happy to announce our public VDP program! We've done our best to clean up our known issues and would now like to request your help to spot the ones we missed! Arbonia is a focused building components supplier active in the area of interior doors made of wood and glass. The company, which is listed on the SIX Swiss Exchange, is active worldwide with its own distribution companies as well as with representatives and partners in more than 70 countries. Its main production sites are located in Switzerland, Germany, Poland, Spain, Portugal, France and the Czech Republic. A total of around 3'500 employees work for the Arbonia Group.

Bounties

This is a responsible disclosure program without bounties.

Rules of engagement
Required
  • User-Agent: Intigriti-VDP-<default user-agent>
  • Max. 2 requests/sec
  • X-BugBounty-VDP:Intigriti-{Username}

We will:

  • Respect the safe harbor clause that you can find below
  • Collaborate with you and reply to your submissions as fast as possible

By participating in this program, you agree to:

  • Respect the Community Code of Conduct
  • Respect the Intigriti Terms and Conditions
  • Respect the scope of the program
  • Not discuss or disclose vulnerability information without prior written consent (including PoCs on YouTube or other platforms)
  • Provide detailed but to-the-point reproduction steps
  • Include a clear attack scenario. How will this affect us exactly?
  • Not use automatic scanners. Be creative and do it yourself! We cannot accept any submissions that were found using automatic scanners and are not proven to cause a security risk
  • Not obtain, modify, or destroy any information when an identified vulnerability allows you to do so, other than to prove the vulnerability
  • Not perform denial of service or load tests

Rewards:

Although this is a VDP without rewards, we may provide a bonus in certain circumstances at our discretion:

  • A report is obviously based on a high effort to identify the vulnerability
  • A vulnerability is very critical in terms of severity and/or impact to Arbonia or our customers
  • Any other aspect where we think you deserve a reward

We also use the pool of reporters in this VDP as a source for people we potentially invite into our private bug bounty program.

Awards remain at the discretion of Arbonia Services AG.

Domains

https://*-garant.de

No bounty
Wildcard

Different platforms of a subsidiary.

https://*.arbonia-doors.ch

No bounty
Wildcard

Homepage of Arbonia's Doors division.

https://*.arbonia-doors.com

Wildcard

Homepage of Arbonia's Doors division.

Severity assessment

This program follows Intigriti's contextual CVSS standard.

FAQ

Where can we get credentials for the app?

We currently don’t offer any credentials to test user roles.
