Description

EURid has been the registry manager of the .eu, .ею (Cyrillic script) and .ευ (Greek script) country code top-level domains (ccTLDs) since its appointment by the European Commission in 2003. We take the security of our systems and services seriously, to protect the privacy of our users and customers and the stability and availability of our services. Nevertheless, if you come across an issue you consider a vulnerability, let us know as soon as possible, following the guidelines below.

Bounties (all assets are Tier 2; rewards range from € 50 to € 5,000 depending on severity)

  • Low: € 50
  • Medium: € 250
  • High: € 1,000
  • Critical: € 2,500
  • Exceptional: € 5,000
Domains

  • *.das.eu (Tier 2, URL)
  • *.dns.eu (Tier 2, URL)
  • *.eurid.eu (Tier 2, URL)
  • *.nic.eu (Tier 2, URL)
  • *.registry.eu (Tier 2, URL)
  • *.whois.eu (Tier 2, URL)

In scope

Our authoritative name servers as displayed in the NS resource record set of the .eu, .ευ and .ею top-level domain names:

dig ns eu. @a.root-server.net
dig ns ею. @a.root-server.net
dig ns ευ. @a.root-server.net

as well as the authoritative name servers for the domain names mentioned in the domains section:

dig ns eurid.eu. @nl.dns.eu
dig ns registry.eu. @nl.dns.eu
etc...

Systems and services in our autonomous system number (ASN):

  • ASN35733

Systems and services under the domain names listed in the Domains section, unless they are referred to in the Out of scope section.

Out of scope

Any service or website linked to domain names in the .eu name space that are not held by EURid, as shown in WHOIS. See https://whois.eurid.eu/ to determine the registrant of a domain name.

Any service or website under the domain names in scope that is not hosted in the autonomous system referred to in the "In scope" section. The exception to this rule is websites under an in-scope domain name that are protected by Cloudflare.

The following authoritative name servers are explicitly out of scope.

For the .eu, .ευ and .ею top-level domains:

  • w.dns.eu
  • x.dns.eu
  • y.dns.eu

For the domains referred to in the Domains section:

  • nsx.eurid.eu
  • nsp.netnod.se

Application

  • Self-XSS that cannot be used to exploit other users
  • Verbose messages/files/directory listings without disclosing any sensitive information
  • CORS misconfiguration on non-sensitive endpoints
  • Missing cookie flags
  • Missing security headers
  • Cross-site Request Forgery with no or low impact
  • Presence of autocomplete attribute on web forms
  • Reverse tabnabbing
  • Best practices violations (password complexity, expiration, re-use, etc.)
  • Clickjacking on pages with no sensitive actions
  • CSV Injection
  • Host Header Injection
  • Sessions not being invalidated (logout, enabling 2FA, etc.)
  • Hyperlink injection/takeovers
  • Mixed content type issues
  • Cross-domain referer leakage
  • Anything related to email spoofing, SPF, DMARC or DKIM
  • Content injection
  • Username / email enumeration
  • E-mail bombing
  • HTTP Request smuggling without any proven impact
  • Homograph attacks
  • XMLRPC enabled
  • Banner grabbing / Version disclosure
  • Open ports without an accompanying proof-of-concept demonstrating vulnerability
  • Weak SSL configurations and SSL/TLS scan reports
  • Not stripping metadata of images
  • Disclosing credentials without proven impact
  • Disclosing API keys without proven impact
  • Same-site scripting
  • Subdomain takeover without actually taking over the subdomain
  • Arbitrary file upload without proof of the existence of the uploaded file

General

  • If a reported vulnerability was already known to the company from its own tests, it will be flagged as a duplicate
  • Theoretical security issues with no realistic exploit scenario(s) or attack surface, or issues that would require complex end-user interaction to be exploited, may be excluded or lowered in severity
  • Spam, social engineering and physical intrusion
  • DoS/DDoS attacks or brute force attacks
  • Vulnerabilities that are limited to non-current browsers (older than 3 versions) will not be accepted
  • Attacks requiring physical access to a victim's computer/device, man-in-the-middle attacks, or compromised user accounts
  • Recently disclosed zero-day vulnerabilities in commercial products where no patch, or only a recent patch (< 2 weeks old), is available. We need time to patch our systems just like everyone else: please give us 2 weeks before reporting these types of issues
  • Reports that state that software is out of date/vulnerable without a proof-of-concept

The services used by our registrar community, more precisely the registrar extranet (under https://www.registry.eu) and the EPP server (under epp.registry.eu), are out of scope.

Researchers should refrain from becoming registrars to access the above systems. These registration services will be part of a separate program at the end of 2020.

Rules of engagement

Guidelines

  • Provide detailed but to-the-point reproduction steps;
  • Include a clear attack scenario; a step-by-step guide in the PoC is highly appreciated;
  • Please do NOT discuss findings before they are fixed (including PoCs on YouTube, Vimeo or any other sharing platform);
  • Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction of data during security testing;
  • Have no criminal or malicious intent;
  • Perform research only within the scope;
  • Do not place malware or any other software on our systems;
  • Do not alter the configuration of our systems;
  • Do not copy, delete or modify data on our systems;
  • Do not share access to vulnerable systems with others or repeatedly gain access to vulnerable systems;
  • Remove sensitive material from your systems once the issue has been resolved.

Safe harbour for researchers

EURid considers ethical hacking activities conducted in accordance with the Researcher Guidelines and the program description and restrictions (the Terms) to constitute "authorized" conduct under criminal law. EURid will not pursue civil action or initiate a complaint for accidental, good-faith violations, nor will it file a complaint for the circumvention of technological measures we use to protect the scope as part of your ethical hacking activities.

If legal action is initiated by a third party against you and you have complied with the Terms, EURid will take steps to make it known that your actions were conducted in compliance and with our approval.

Severity assessment

All our rewards are impact-based, so we kindly ask you to carefully evaluate a vulnerability's impact when picking a severity rating. To give you an idea of which bugs belong in which severity rating, we have put some examples below. Note that, depending on its impact, a bug can sometimes be given a higher or lower severity rating.

Examples of exceptional vulnerabilities:

  • Remote Code Execution
  • Unauthorized access to the Registrar extranet
  • Bypassing the access control mechanisms of the EPP
  • Access to internal systems

Examples of critical vulnerabilities:

  • Access to personal, non-publicly available data like logins, passwords and email addresses
  • SQL injection

Examples of high severity vulnerabilities:

  • Stored XSS without user interaction
  • Privilege escalation
  • Bypassing access control mechanisms like rate limiters, IP blocks and CAPTCHAs

Examples of medium severity vulnerabilities:

  • XSS that requires user interaction
  • Exception triggers
  • Stack traces
  • Scripted and automated exploitation and extraction of data (not meta-data). The data should normally be publicly available and only retrievable through human interaction.

Examples of low severity vulnerabilities:

  • CSRF
  • Open redirects that allow extraction of sensitive data or the introduction of XSS
  • Scripted and/or automated exploitation and extraction of technical meta-data (such as internal IP addresses, ports, etc.)

It will be the responsibility of Intigriti to pay out the bounties in a timely and legal way. Payouts will only take place after our agreement on the criticality of the impact and only if the submission was the first of its kind and agreed to be valid.

FAQ

Are there test accounts available, where applicable?
Currently this is not possible.

What is sensitive data?
We consider any type of data that is not publicly accessible or available as sensitive. This includes but is not limited to personal data.

Why is my IP address blocked?
We encourage security researchers to look into our infrastructure and services in search of vulnerabilities, but we will take protective measures when this has a negative impact on our services. Running an aggressive security scanner or exploitation tool and bombarding us with requests will trigger non-negotiable blocks on our systems.


Program specifics

  • ID check required
  • Reputation points
  • Triage

Last 90 day response times

  • avg. time to first response: < 24 hours
  • avg. time to decide: +3 weeks
  • avg. time to triage: < 4 days