We will:

• Respect the safe harbor clause that you can find below
• Collaborate with you and reply to your submissions as fast as possible

By participating in this program, you agree to:

• Respect the Community Code of Conduct and the Intigriti Terms and Conditions
• Respect the scope of the program
• Not to discuss or disclose vulnerability information without prior written consent (including PoC's on YouTube or other platforms)
• Provide detailed but to-the point reproduction steps
• Include a clear attack scenario. How will this affect us exactly?
• Not to use automatic scanners. Be creative and do it yourself! We cannot accept any submissions found by using automatic scanners and which are not proven to cause a security risk
• Not to obtain, modify, or destroy any information when an identified vulnerability allows you to do so other than to proof the vulnerability
• Not to perform denial of service or load tests

Rewards

Although this is a VDP without rewards, we may provide a small bonus in certain circumstances at our discretion:

• a report is obviously based on a high effort to identify the vulnerability
• a vulnerability is very critical in terms of severity and/or impact to Bühler or our customers
• any other aspect where we think you deserve a reward

We also use the pool of reporters in this VDP as a source for people we potentially invite into our private bug bounty program.

Validation times

We will validate all submissions within the below timelines, once your submission has been verified by Intigriti.

Welcome to Bühler's Vulnerability Disclosure Program! As a company that values security and trust of our customers and business partners, we recognize the importance of preserving the confidentiality, integrity, and availability of sensitive information, and systems. We invite you to contribute to this effort by participating in our VDP.

Our priorities

We are interested in vulnerabilities that effectively and demonstrably impact the security and privacy of our systems or our customers. Examples of what we are specifically looking for include:

• Exposure of personal or otherwise sensitive data
• Privilege escalation / authentication bypass
• SQL injection, remote code execution, cross-site scripting, and the like

We plan to update our scope regularly so keep an eye out or subscribe to our program to receive updates when we do!

Feedback

Would you like to help us improve our program or have some feedback to share, please send your anonymous feedback here: Program feedback link. Please note this form will be checked periodically and must not be used for submission or support queries.

We are interested in real vulnerabilities that have demonstrable impact, not general missing best practices that have no impact on security.

Out-of-scope domains

Any asset/domain not specifically listed in the In Scope section above. For example (third party) domains you see connections to when visiting web applications which serve content or similar.

General

• Any submission without a proof-of-concept showing real impact on confidentiality, integrity or availability
• Any fundamentally existing vulnerability in third party services (such as Microsoft Azure) where no fix is available. Accepted are vulnerabilities which are in our responsibility, for example caused by misconfiguration
• Some websites (partially) share the same codebase. They can contain common issues so if a specific issue has already been found in another website it will not be accepted e.g., for development, integration and production environments
• In case that a reported vulnerability was already known from our own tests or a prior submission, it will be flagged as a duplicate
• Theoretical security issues with no realistic exploit scenario(s) or attack surfaces, or issues that would require complex end user interactions to be exploited
• Spam, social engineering and physical intrusion
• Missing or insufficient protection against denial of service or brute force attacks
• Attacks requiring physical access to a victim's computer/device, man in the middle or compromised user accounts
• Recently discovered zero-day vulnerabilities found in in-scope assets within 14 days after the public release of a patch or mitigation
• Disclosure of non-sensitive information, e.g. in messages/files/directory listings

Application

• API key disclosure without proven business impact
• Wordpress usernames disclosure
• Pre-Auth Account takeover/OAuth squatting
• Self-XSS that cannot be used to exploit other users
• Verbose error messages/files/directory listings without disclosing any sensitive information
• CORS misconfiguration on non-sensitive endpoints
• Missing cookie flags
• Missing security headers
• Cross-site Request Forgery with no or low impact
• Presence of autocomplete attribute on web forms
• Reverse tabnabbing
• Bypassing rate-limits or the non-existence of rate-limits.
• Best practices violations (password complexity, expiration, re-use, etc.)
• Clickjacking without proven impact/unrealistic user interaction
• CSV Injection
• Sessions not being invalidated (logout, enabling 2FA, changing password, etc.)
• Missing session fixation - the same account can login from different source systems
• Tokens leaked to third parties
• Anything related to email spoofing, SPF, DMARC or DKIM
• Content injection without being able to modify the HTML
• Email bombing
• HTTP Request smuggling without any proven impact
• Homograph attacks
• XMLRPC enabled
• Banner grabbing/version disclosure
• Not stripping metadata of files
• Same-site scripting
• Subdomain takeover without taking over the subdomain
• Arbitrary file upload without proof of the existence of the uploaded file
• Blind SSRF without proven business impact (pingbacks are not sufficient)
• Disclosed/misconfigured Google Maps API keys
• Host header injection without proven business impact
• content (e.g. scripts) loaded from third party domains

Infrastructure

• Open ports
• TLS/SSL certificate related issue such as weak ciphers or outdated protocols
• Missing OCSP stapling

This program follows Intigriti's contextual CVSS standard. We reserve the right to change the severity rating based on our internal assessments of criticality taking into account the criticality of the system or the involved data. We will explain severity rating changes.

Where can I obtain credentials for systems requiring authentication?

At the moment we do not provide credentials for the assets in our VDP scope. You may just focus on black-box testing. However, for systems/services which have a self-service user creation functionality, you may sign-up using your @intigriti.me address.

Why do you exclude so many types of vulnerabilities from the scope?

We already do a lot of automated scanning on all our known (sub)domains. You can assume that most of the "issues" traditional web application security scanners detect are already known to us.