Description

The European Blockchain Services Infrastructure (EBSI) was born in 2018 when 29 countries (all EU member states, Norway and Liechtenstein) and the EU Commission joined forces to create the European Blockchain Partnership (EBP). EBP's vision is to leverage blockchain to create cross-border services for public administrations, businesses, citizens and their ecosystems to verify information and make services trustworthy. Discover and understand EBSI by having a look at our website.

Bounties

Severity      CVSS score    Tier 2 bounty
Low           0.1 - 3.9     €500
Medium        4.0 - 6.9     €2,500
High          7.0 - 8.9     €7,500
Critical      9.0 - 9.4     €20,000
Exceptional   9.5 - 10.0    €30,000

Tier 2: €500 - €30,000

Rules of engagement

By participating in this program, you agree to:

  • Respect the Community Code of Conduct
  • Respect the Intigriti Terms and Conditions
  • Respect the scope of the program
  • Not discuss or disclose vulnerability information without prior written consent with any other parties (including PoC's on YouTube and Vimeo)

EBSI's Rules of Engagement
To help us distinguish between good-faith hacking and malicious attacks, you must follow these rules:

  • You are authorized to perform testing in compliance with the scope defined.
  • Promptly report discovered vulnerabilities.
  • Refrain from violating privacy, disrupting systems, destroying data, or harming the user experience.
  • Keep vulnerability details confidential until authorized for release by EBSI's security team.
  • Test only in-scope systems and respect out-of-scope systems.
  • Disclosure of vulnerabilities to EBSI must be unconditional. Do not engage in extortion, threats, or other tactics to elicit a response under duress.
Domains

  • DID registry API (Tier 2, Other)
  • Ledger API (Tier 2, Other)
    The following endpoints of the Ledger API are considered in scope:
      1. POST Besu JSON-RPC API
  • Trusted Issuers Registry API (Tier 2, Other)
  • Trusted Policies Registry API (Tier 2, Other)
  • Trusted Schemas Registry API (Tier 2, Other)

In scope

To have a better understanding about the whole European Blockchain Services Infrastructure, we recommend looking at the following:

It will give you a better overview on the purpose and use cases of the EBSI project. For questions related to the architecture and specifications you can find most of the answers by navigating through the webpage or the EBSI developers hub.

Security is essential to EBSI's mission. We appreciate the contributions of ethical hackers who help us uphold high privacy and security standards for our users and technology. This scope outlines our definition of good faith regarding the discovery and reporting of vulnerabilities, and clarifies what you can expect from us in return.

The initial priority for most findings will be the endpoints of the current APIs that are offered to external researchers. However, vulnerability priority, scope and reward may be modified based on likelihood or impact at EBSI's sole discretion. We don't expect cases of downgraded scope, but rather increments in the number of APIs included in scope.

Expectations
As part of the policy, we commit to:

  • Cooperate with you in understanding and validating your report, ensuring a prompt initial response to your submission.
  • We will handle your report with strict confidentiality.
  • Remediate validated vulnerabilities in a timely manner.
  • Where possible, we will inform you when the vulnerability has been remedied.
  • We will process the personal data that you provide (such as your e-mail address and name) in accordance with the applicable data protection legislation and will not pass on your personal details to third parties without your permission.
  • Acknowledge and credit your contribution to improving our security, if you are the first to report a unique vulnerability that leads to a code or configuration change.

Toolkit
Are you finding it challenging to understand the European Blockchain Service Infrastructure (EBSI) Core Services, or seeking a tool to streamline your initial interactions with the product?

We recommend visiting our demonstrator page. On this page, you'll have access to the latest version of the Test-Script tool and detailed guidelines on its usage.

The Test-Script tool is a user-friendly Command Line Interface, purpose-built to connect and test certain EBSI Core Services. With this tool and the accompanying guidelines, you'll gain a practical understanding of our product, paving the way for more successful and beneficial interactions with the EBSI Core Services.

Out of scope

The following are, non-exhaustively, out of scope:

  • *.europa.eu
  • Any issues in the currently available wallets. These are developed and maintained by a third party.
  • Any vulnerability that is not related to an in-scope asset.
  • Older versions of the APIs not specifically detailed in the domains.
  • APIs not included and detailed in the domains, such as the Notifications API, Proxy Data Hub API, Trusted Ledgers & Smart Contracts Registry API, Storage API and Users Onboarding API.
  • Attacks that may degrade, disrupt, or negatively impact services or user experience.
  • Attacks that aim to destroy or corrupt data not belonging to you.
  • Physical, social engineering, phishing, or electronic attacks against EBSI personnel, offices, wireless networks, or property.
  • Reports of server error messages without proof of an exploit.

Safe Harbor
EBSI will not threaten or bring any legal action against anyone who makes a good faith effort to comply with this bug bounty. As long as you comply with this scope:

  • We consider your security research to be "authorised".
  • We waive any restrictions that would prohibit your participation in this exercise, but only for the limited purpose of your security research under the scope defined.

EBSI systems and services may be interconnected with third-party systems and services. If you submit a report through our bug bounty program that affects a third party service, we may limit what we share with the affected third party. Please understand that, while we can authorise your research on EBSI’s systems and services, we cannot authorise your efforts on third-party products or guarantee they won’t pursue legal action against you.

That said, if legal action is initiated by a third party against you because of your participation in this bug bounty program, and you have complied with our bug bounty scope, we will take steps to make it known that your actions were conducted in compliance with this exercise. This is not, and should not be understood as, any agreement on our part to defend, indemnify, or otherwise protect you from any third party action based on your actions.

You are expected, as always, to comply with all applicable EU laws and Regulations.

Severity assessment

This program follows Intigriti's contextual CVSS standard.

FAQ

Where can we get credentials for the app?

We currently don’t offer any credentials to test user roles.


Program specifics

  • No reputation
  • No collaboration

Overall stats

  • Submissions received: 19
  • Average payout: N/A
  • Accepted submissions: N/A
  • Total payouts: N/A