Description

Every day, billions of people come into contact with Bühler technologies to meet their basic needs for food, mobility, and more. Our technologies are in your smartphone, solar panels, diapers, lipstick, banknotes, the food you eat, and the vehicles you drive. We strive to innovate for a better world, with a special focus on healthy, safe, and sustainable solutions. Learn more about Bühler at www.buhlergroup.com.

Bounties

This is a responsible disclosure program without bounties.

Rules of engagement

  • max. 5 requests/sec

We will:

  • Respect the safe harbor clause that you can find below
  • Collaborate with you and reply to your submissions as fast as possible

By participating in this program, you agree to:

  • Respect the Community Code of Conduct and the Intigriti Terms and Conditions
  • Respect the scope of the program
  • Not discuss or disclose vulnerability information without prior written consent (including PoCs on YouTube or other platforms)
  • Provide detailed but to-the-point reproduction steps
  • Include a clear attack scenario: how exactly will this affect us?
  • Not use automatic scanners. Be creative and do it yourself! We cannot accept any submissions found using automatic scanners that are not proven to cause a security risk
  • Not obtain, modify, or destroy any information when an identified vulnerability allows you to do so, beyond what is needed to prove the vulnerability
  • Not perform denial of service or load tests

Rewards

Although this is a VDP without rewards, we may provide a small bonus in certain circumstances at our discretion:

  • a report is obviously based on a high effort to identify the vulnerability
  • a vulnerability is very critical in terms of severity and/or impact to Bühler or our customers
  • any other aspect where we think you deserve a reward

We also use the pool of reporters in this VDP as a source for people we potentially invite into our private bug bounty program.

Validation times

We will validate all submissions within the below timelines, once your submission has been verified by Intigriti.

Severity      Time to validate
Exceptional   2 working days
Critical      5 working days
High          5 working days
Medium        15 working days
Low           20 working days

Domains

*.buhler-datascience.ch

No bounty
Wildcard
  • containing subdomains/assets specific to our data science team
  • For assets requiring authentication, please refer to the FAQ section

*.buhlercloud.com

No bounty
Wildcard
  • containing subdomains/assets related to a customer facing web application
  • For assets requiring authentication, please refer to the FAQ section

*.buhlergroup.ai

No bounty
Wildcard
  • containing subdomains/assets related to customer facing AI services
  • For assets requiring authentication, please refer to the FAQ section

*.buhlergroup.cn

No bounty
Wildcard
  • containing subdomains/assets located in our Chinese locations. Mainly IT systems related to internal purposes.
  • For assets requiring authentication, please refer to the FAQ section

*.buhlergroup.com

No bounty
Wildcard
  • Our main domain containing hundreds of subdomains/assets. Can be customer facing websites and services but also assets for internal purposes
  • For assets requiring authentication, please refer to the FAQ section

*.buhlergroup.io

No bounty
Wildcard
  • containing subdomains/assets related to customer facing digital services
  • For assets requiring authentication, please refer to the FAQ section

*.buhlertest.ch

No bounty
Wildcard
  • containing subdomains/assets of test systems
  • For assets requiring authentication, please refer to the FAQ section

194.9.120.0 - 194.9.123.255

No bounty
IP Range
  • This is our public IP range used for systems located in the DMZ. (Sub)domains listed above may point to IPs in this range but there are also other types of assets such as network devices.
  • For assets requiring authentication, please refer to the FAQ section

*.info.buhlergroup.com

Out of scope
Wildcard

*.learnhub.buhlergroup.com

Out of scope
Wildcard

*.virtualworld-portal.buhlergroup.com

Out of scope
Wildcard

*.virtualworld.buhlergroup.com

Out of scope
Wildcard

*.webinars.buhlergroup.com

Out of scope
Wildcard

In scope

Welcome to Bühler's Vulnerability Disclosure Program! As a company that values the security and trust of our customers and business partners, we recognize the importance of preserving the confidentiality, integrity, and availability of sensitive information and systems. We invite you to contribute to this effort by participating in our VDP.

Our priorities

We are interested in vulnerabilities that effectively and demonstrably impact the security and privacy of our systems or our customers. Examples of what we are specifically looking for include:

  • Exposure of personal or otherwise sensitive data
  • Privilege escalation / authentication bypass
  • SQL injection, remote code execution, cross-site scripting, and the like

We plan to update our scope regularly so keep an eye out or subscribe to our program to receive updates when we do!

Feedback

If you would like to help us improve our program or have feedback to share, please send your anonymous feedback here: Program feedback link. Please note that this form is only checked periodically and must not be used for submissions or support queries.

Out of scope

We are interested in real vulnerabilities that have demonstrable impact, not general missing best practices that have no impact on security.

Out-of-scope domains

Any asset/domain not specifically listed in the In Scope section above. For example, third-party domains you see connections to when visiting our web applications (domains serving content or similar).

General

  • Any submission without a proof-of-concept showing real impact on confidentiality, integrity or availability
  • Any fundamentally existing vulnerability in third party services (such as Microsoft Azure) where no fix is available. Accepted are vulnerabilities which are in our responsibility, for example caused by misconfiguration
  • Some websites (partially) share the same codebase and can therefore contain common issues. If a specific issue has already been found in another website (e.g., in the development, integration or production environment), it will not be accepted
  • In case that a reported vulnerability was already known from our own tests or a prior submission, it will be flagged as a duplicate
  • Theoretical security issues with no realistic exploit scenario(s) or attack surfaces, or issues that would require complex end user interactions to be exploited
  • Spam, social engineering and physical intrusion
  • Missing or insufficient protection against denial of service or brute force attacks, including for example identifying origin IP addresses of assets
  • Attacks requiring physical access to a victim's computer/device, man in the middle or compromised user accounts
  • Recently discovered zero-day vulnerabilities found in in-scope assets within 14 days after the public release of a patch or mitigation
  • Disclosure of non-sensitive information, e.g. in messages/files/directory listings

Application

  • API key disclosure without proven business impact
  • WordPress username disclosure
  • Pre-Auth Account takeover/OAuth squatting
  • Self-XSS that cannot be used to exploit other users
  • Verbose error messages/files/directory listings without disclosing any sensitive information
  • CORS misconfiguration on non-sensitive endpoints
  • Missing cookie flags
  • Missing security headers
  • Cross-site Request Forgery with no or low impact
  • Presence of autocomplete attribute on web forms
  • Reverse tabnabbing
  • Bypassing rate-limits or the non-existence of rate-limits
  • Best practices violations (password complexity, expiration, re-use, etc.)
  • Clickjacking without proven impact/unrealistic user interaction
  • CSV Injection
  • Sessions not being invalidated (logout, enabling 2FA, changing password, etc.)
  • Missing session fixation - the same account can log in from different source systems
  • Tokens leaked to third parties
  • Anything related to email spoofing, SPF, DMARC or DKIM
  • Content injection without being able to modify the HTML
  • Email bombing
  • HTTP Request smuggling without any proven impact
  • Homograph attacks
  • XMLRPC enabled
  • Banner grabbing/version disclosure
  • Not stripping metadata of files
  • Same-site scripting
  • Subdomain takeover without taking over the subdomain
  • Arbitrary file upload without proof of the existence of the uploaded file
  • Blind SSRF without proven business impact (pingbacks are not sufficient)
  • Disclosed/misconfigured Google Maps API keys
  • Host header injection without proven business impact
  • Content (e.g. scripts) loaded from third party domains

Infrastructure

  • Open ports
  • TLS/SSL certificate related issue such as weak ciphers or outdated protocols
  • Missing OCSP stapling

Severity assessment

This program follows Intigriti's contextual CVSS standard. We reserve the right to change the severity rating based on our internal assessments of criticality taking into account the criticality of the system or the involved data. We will explain severity rating changes.

FAQ

Where can I obtain credentials for systems requiring authentication?

At the moment we do not provide credentials for the assets in our VDP scope, so you may focus on black-box testing. However, for systems/services that offer self-service user creation, you may sign up using your @intigriti.me address.

Why do you exclude so many types of vulnerabilities from the scope?

We already do a lot of automated scanning on all our known (sub)domains. You can assume that most of the "issues" traditional web application security scanners detect are already known to us.


Overall stats

  • submissions received: N/A
  • average payout: N/A
  • accepted submissions: 35
  • total payouts: N/A

Last 90 day response times

  • avg. time first response: < 3 days
  • avg. time to decide: < 6 days
  • avg. time to triage: < 3 days