By participating in this program, you agree to:

• Respect the Community Code of Conduct
• Do not execute intrusive commands within production environments
• Respect the scope of the program
• Not discuss or disclose vulnerability information without prior written consent also not POCs.

Validation times

We will always try to validate and accept your submissions as quickly as possible, for specific times you can check the average in the programme sidebar.

Our worst-case scenarios are:

• Publishing fake news on our website.
• Obtaining sensitive user data.
• Command execution on production services.

General

• If a reported vulnerability is already known to the company, it will be marked as duplicate.
• Vulnerabilities without realistic exploit scenario(s) or realistic attack surface(s) are assigned a severity of "None".
• Spam, social engineering, and phishing are not allowed. This includes any attack that requires luring a victim to an attacker-controlled domain.
• Submissions based on software that no longer receives security updates will not be considered.
• Attacks that require physical access to a victim's computer/device, man-in-the-middle or compromised user accounts are not permitted.
• New vulnerabilities with severity of critical or exceptional are out of scope for the first 7 days.
• New vulnerabilities with severity of high are out of scope for the first 14 days.
• New vulnerabilities with severity of medium or lower are out of scope for the first 30 days.
• Submissions without proof of concept will not be considered.
• Multiple submissions based on the same piece of code, misconfiguration or dependency will be treated as a single submission. The deciding factor will be whether the problem can be fixed in one go.
• We do not take responsibility for outgoing links.
• All domains not listed as in scope above.
• For the authenticated endpoint, we only accept cache poisoning submissions that are valid with changing authentication headers.
• IDOR attacks for the Hey chat, which include a UUID, are out of scope and the risk is accepted. However, we would greatly appreciate submissions to enumerate or guess these UUIDs.

Application

• Credential disclosure without proven business impact
• Pre-Auth Account takeover/OAuth squatting
• CORS misconfiguration on non-sensitive endpoints
• Cross-site Request Forgery with no or low impact
• Reverse tabnabbing
• Clickjacking without proven impact/unrealistic user interaction
• CSV Injection
• Sessions not being invalidated (logout, enabling 2FA, etc.)
• Tokens leaked to third parties
• Anything related to email spoofing, SPF, DMARC or DKIM
• Content injection without being able to modify the HTML
• Username/email enumeration
• Please only email bomb yourself
• Homograph attacks
• XMLRPC enabled
• Not stripping metadata of files

This program follows Intigriti's triage standards

Do you have credentials to login into the applications?

No, we do not provide credentials for testing, but you are welcome to create your own account.

Can I give feedback to your program?

Yes certainly and we would appreciate use this feedback form for it.

Dos your program make use of retests?

Sometimes we will ask you to retest and offer up to a €50 bonus for doing so. If this offer is declined or expires and the submission is closed, we will not accept a submission with the same cause from the same researcher.