By participating in this program, you agree to:

• Respect the Community Code of Conduct
• Do not execute intrusive commands within production environments
• Respect the scope of the program
• Not discuss or disclose vulnerability information without prior written consent also not POCs.

Validation times

We will always try to validate and accept your submissions as quickly as possible, for specific times you can check the average in the programme sidebar.

Our worst-case scenarios are:

• Publishing fake news on our website.
• Obtaining sensitive user data.
• Command execution on production services.

General

• If a reported vulnerability is already known to the company, it will be marked as duplicate.
• Vulnerabilities without realistic exploit scenario(s) or realistic attack surface(s) are assigned a severity of "None".
• Spam, social engineering and physical intrusion are not allowed under any circumstances.
• DoS/DDoS attacks or brute force attacks with more than 2 requests per second are not allowed.
• Submissions based on software that no longer receives security updates will not be considered.
• Attacks that require physical access to a victim's computer/device, man-in-the-middle or compromised user accounts are not permitted.
• Zero day vulnerabilities are out of scope for the first 14 days following the release of a patch or mitigation.
• Submissions without proof of concept will not be considered.
• Multiple submissions based on the same piece of code, misconfiguration or dependency will be treated as a single submission. The deciding factor will be whether the problem can be fixed in one go.
• All domains not listed as in scope above.

Application

• Credential disclosure without proven business impact
• Pre-Auth Account takeover/OAuth squatting
• CORS misconfiguration on non-sensitive endpoints
• Cross-site Request Forgery with no or low impact
• Reverse tabnabbing
• Clickjacking without proven impact/unrealistic user interaction
• CSV Injection
• Sessions not being invalidated (logout, enabling 2FA, etc.)
• Tokens leaked to third parties
• Anything related to email spoofing, SPF, DMARC or DKIM
• Content injection without being able to modify the HTML
• Username/email enumeration
• Email bombing
• Homograph attacks
• XMLRPC enabled
• Not stripping metadata of files

This program follows Intigriti's contextual CVSS standard

Do you have credentials to login into the applications?

No, we do not provide credentials for testing, but you are welcome to create your own account.

Can I give feedback to your program?

Yes certainly and we would appreciate use this feedback form for it.

Dos your program make use of retests?

Sometimes we will ask you to retest and offer up to a €50 bonus for doing so. If this offer is declined or expires and the submission is closed, we will not accept a submission with the same cause from the same researcher.