BloomUp grew as a response to COVID-19: a platform that connects people in need of mental support with a mental health professional. After answering a few short questions, the client is matched with 3 of our professionals and picks one. They can either set up a call immediately (if the professional is available) or plan a consult. The first 30 minutes are free as an intake consult. When the client and professional click, they can schedule a paid follow-up consult.


Responsible disclosure

Rules of engagement
Not applicable
max. 5 requests/sec
Not applicable

Our promise to you

  • ❤️ You will help respond to the COVID-19 crisis in a meaningful way.
  • We will respond to reports within at most 3 days, probably within a day!
  • Exceptional and critical issues will get honourable 🎖 mentions on our security page (constructed in Q1-Q2 2021)
  • We are happy to respond to any questions, please use the button in the right top corner for this.
  • We respect the safe harbour clause that you can find below

Your promise to us

  • Always use your address for registering!
  • Provide detailed but to-the-point reproduction steps
  • Include a clear attack scenario. How exactly will this affect us?
  • Remember: quality over quantity!
  • Please do not discuss or post vulnerabilities without our consent (including PoCs on YouTube and Vimeo)
  • Please do not use automatic scanners; be creative and do it yourself! We cannot accept any submissions found by using automatic scanners. Scanners also won't improve your skills, and they can cause a high server load (we'd rather put our time into thanking researchers than blocking their IPs 😉)
  • We would appreciate your take on how to remediate the bug or security issue you have found.

No Bounty

Priority: 4️⃣ - Language: 🇬🇧

Our self-hosted analytics server, which gathers analytics about app usage. For this we use an instance of Matomo.
Here we expect a focus on the security hardening of the server set-up.

No submissions are allowed that point at existing Matomo bugs:

No Bounty

Priority: 3️⃣ - Language: 🇬🇧

Our internal self-hosted chat and community. This is used for employee conversations and also as a communication tool towards and between our professionals. Mattermost is used. Here we expect a focus on the security hardening of the server set-up.

No submissions are allowed that point at existing Mattermost bugs:

No Bounty

Priority: 2️⃣ - Language: 🇬🇧

This server runs the Jitsi instance we use so clients can go into an online video consultation with our professionals.
The best way to test is by registering as both a user and a professional and setting up a consult with yourself.
Here we expect a focus on the security hardening of the server set-up.

No submissions are allowed that point at an existing Jitsi bug:

No Bounty

Priority: 1️⃣ - Language: 🇳🇱

Staging version of our main app.
This app has 2 sides: that of the client and that of the mental health professionals.

A client goes through an onboarding flow that asks them a few questions which help us identify the best professional for them.
At the end of the questions they get a proposal of 3 mental health professionals. They can either choose to book a consult in the next 7 days or (if the professional is online) immediately go into a consult. At the end of this flow, an account is created that they can use later on to track follow-up consults.

The professional uses this app to plan and follow up their consults with BloomUp clients.

The app is available in Dutch only and only for Belgian professionals.
This is the most important part to test.
The back-end server and API live on (which is also in scope)

Please don’t forget to use your address.

In scope

Important note
Please make sure you are not creating "professional" accounts on our production environment, as our clients might end up being matched to these bogus profiles. This would diminish the service we provide to our customers and impact our business, as showing the weird stuff you guys insert (no offence, keep up the good work ;) ) comes across as unprofessional.

Security and privacy are important to both our customers and our mental health professionals. That is why we appeal to all of you to help us in our quest to become the most secure and privacy-friendly platform in Belgium for mental health professionals.

We've done our best to clean up most of our known issues and would now like your help to spot the ones we missed!
We are specifically looking for:

  • Theft of sensitive data
  • Unauthorized modification or deletion of sensitive data
  • Access to each other's online consults
  • Engaging with clients or professionals under a spoofed identity
  • Horizontal / vertical privilege escalation
  • Giving yourself administrator privileges
  • SQL injection
  • ...

See the FAQ for how to access the application.

Please do not use the following methods:

  • Brute force of passwords or usernames

Important note
In case of SQL injection, only execute sleep() or print out the current version of the database.

Out of scope

Out-of-scope actions & domains

All other domains outside of the ones listed above are out of scope.


  • Self-XSS that cannot be used to exploit other users
  • Verbose messages/files/directory listings without disclosing any sensitive information
  • CORS misconfiguration on non-sensitive endpoints
  • Missing cookie flags
  • Missing security headers
  • Cross-site Request Forgery with no or low impact
  • Presence of autocomplete attribute on web forms
  • Reverse tabnabbing
  • Bypassing rate-limits or the non-existence of rate-limits.
  • Best practices violations (password complexity, expiration, re-use, etc.)
  • Clickjacking on pages with no sensitive actions
  • CSV Injection
  • Host Header Injection
  • Sessions not being invalidated (logout, enabling 2FA, etc.)
  • Hyperlink injection/takeovers
  • Mixed content type issues
  • Cross-domain referer leakage
  • Anything related to email spoofing, SPF, DMARC or DKIM
  • Content injection
  • Username / email enumeration
  • E-mail bombing
  • HTTP Request smuggling without any proven impact
  • Homograph attacks
  • XMLRPC enabled
  • Banner grabbing / Version disclosure
  • Open ports without an accompanying proof-of-concept demonstrating vulnerability
  • Weak SSL configurations and SSL/TLS scan reports
  • Not stripping metadata of images
  • Disclosing API keys without proven impact
  • Same-site scripting
  • Subdomain takeover without actually taking over the subdomain
  • Arbitrary file upload without proof that the uploaded file exists on the server


  • If a reported vulnerability was already known to the company from its own tests, it will be flagged as a duplicate.
  • Theoretical security issues with no realistic exploit scenario(s) or attack surface, or issues that would require complex end-user interaction to be exploited, may be excluded or lowered in severity
  • Spam, social engineering and physical intrusion
  • DoS/DDoS attacks or brute force attacks.
  • Vulnerabilities that are limited to non-current browsers (older than 3 versions) will not be accepted
  • Attacks requiring physical access to a victim's computer/device, man-in-the-middle attacks, or compromised user accounts
  • Recently disclosed zero-day vulnerabilities in commercial products where no patch or only a recent patch (< 2 weeks) is available. We need time to patch our systems just like everyone else; please give us 2 weeks before reporting these types of issues.
  • Reports that state that software is out of date/vulnerable without a proof-of-concept
Severity assessment


  • Access to all customer personal data
  • RCE (Remote Code Execution)


  • SQL injection


  • Stored XSS without user interaction
  • Privilege escalation
  • Authentication bypass on critical infrastructure


  • XSS
  • CSRF with a significant impact


  • XSS that requires lots of user interaction (> 3 steps)
  • CSRF with a very limited impact

Where can we get credentials for the app?

You can self-register on the application, but please don’t forget to use your address.
Postcodes: entered postcodes are checked against a list of existing postcodes in Belgium (4 digits, ranging from 1000 - 9992), so only existing postcodes are accepted.
An example address is: Weststraat 129, 8370.

If you choose to register as a professional, please let Intigriti support know, so they can ask us to verify your account.

The application is only available in Dutch.
