Description

EURid vzw has been the registry operator of the .eu, .ею (Cyrillic script) and .ευ (Greek script) country code top-level domains (ccTLDs) since its appointment by the European Commission in 2003. As the registry operator, our biggest concern and priority is the stability and security of the .eu namespace. Since 2012 we have also developed and maintained YADIFA, a lightweight authoritative name server with DNSSEC support.

Bounties

Amounts in EUR, by severity band (score ranges as used in the severity assessment section):

Severity     Low         Medium      High        Critical    Exceptional   Range
Score        0.1 - 3.9   4.0 - 6.9   7.0 - 8.9   9.0 - 9.4   9.5 - 10.0
Tier 1       75          300         1,250       3,000       6,000         €75 - €6,000
Tier 2       50          250         1,000       2,500       5,000         €50 - €5,000
Tier 3       0           50          1,000       2,500       5,000         Up to €5,000
Rules of engagement

Rate limit: max. 5 requests/sec. All other rules of engagement: not applicable.

Guidelines

  • Provide detailed but to-the-point reproduction steps;
  • Include a clear attack scenario; a step-by-step guide in the PoC is highly appreciated;
  • Please do NOT discuss findings before they are fixed (including PoCs on YouTube, Vimeo or any other sharing platform);
  • Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction of data during security testing;
  • Have no criminal or malicious intent;
  • Perform research only within the scope;
  • Do not place malware or any other software on our systems;
  • Do not alter the configuration of our systems;
  • Do not copy, delete or modify data on our systems;
  • Do not share access to vulnerable systems with others or repeatedly gain access to vulnerable systems;
  • Remove sensitive material from your systems once the issue has been resolved.
Domains

  • my.eurid.eu (Tier 1, URL): My .eu is the registrant or domain holder portal; access requires a registered domain name in one of our supported scripts.
  • *.das.eu (Tier 2, wildcard)
  • *.dns.eu (Tier 2, wildcard)
  • *.eurid.eu (Tier 2, wildcard)
  • *.nic.eu (Tier 2, wildcard)
  • *.registry.eu (Tier 2, wildcard)
  • *.whois.eu (Tier 2, wildcard)
  • *.yadifa.eu (Tier 2, wildcard)
  • YADIFA authoritative name server (Tier 3, other): YADIFA is EURid's authoritative name server software, which can be downloaded from the yadifa.eu website.

In scope

Our authoritative name servers as listed in the NS resource record set of the .eu, .ευ and .ею top-level domains, which can be retrieved from a root server:

dig ns eu. @a.root-server.net
dig ns ею. @a.root-server.net
dig ns ευ. @a.root-server.net

(dig accepts the Cyrillic and Greek labels as typed only when it was built with IDN support; otherwise query the A-labels xn--e1a4c. and xn--qxa6a. instead.)

as well as the authoritative name servers for the domain names mentioned in the Domains section:

dig ns eurid.eu. @be.dns.eu
dig ns registry.eu. @be.dns.eu
etc...

Systems and services in our autonomous system:

  • AS35733

Systems and services under the domain names in the Domains section, unless referred to in the Out of scope section.

Some examples of websites in scope:

Registrant Extranet:

  • https://my.eurid.eu : the Registrant or Domain Name Holder Extranet; this requires a .eu domain name to access
  • https://mrz.eurid.eu : a web app, part of "My .eu", used to scan and process the Machine Readable Zone of identity documents for KYC purposes

This portal allows .eu domain name holders (registrants) to manage their domain name at the registry level. More details on the functionality can be found here.

The portal implements extensive identification and verification methods, as described here, which enable domain name holders from the European Union and the European Economic Area to confirm their registration data in an automated manner using one of the available methods.

The entire portal and all its functionality is in scope of this programme.

Software developed by EURid:

Out of scope

Any service or website linked to domain names in the .eu namespace that are not held by EURid, as shown in the WHOIS. See https://whois.eurid.eu/ to determine the registrant of a domain name.

Any service or website under the domain names in scope that is not hosted in the autonomous system referred to in the "In scope" section (AS35733). The exception to this rule is websites under a domain name in scope that are protected by Cloudflare: these remain in scope even though their public edge addresses belong to Cloudflare's network rather than to AS35733.

The following authoritative name servers are explicitly out of scope.

For the .eu, .ευ and .ею Top Level Domains:

  • w.dns.eu
  • x.dns.eu
  • y.dns.eu

For the domains referred to in the Domains section:

  • nsx.eurid.eu
  • nsp.netnod.se
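The in-scope and out-of-scope lists above translate into a mechanical check: pull the NS set of each zone, drop the servers the programme excludes, and confirm that whatever you then target actually sits in AS35733 (or behind Cloudflare). The script below is an added example for this page, not EURid's or Intigriti's tooling. It assumes dig is installed, uses the A-labels xn--e1a4c (.ею) and xn--qxa6a (.ευ) so the queries work without IDN support, and uses Team Cymru's public origin-ASN DNS service for the AS check; the sample NS answer embedded in it is constructed from names on this page, not a real dig response.

```shell
#!/bin/sh
# Added example (not EURid's own tooling): enumerate the authoritative name
# servers the EURid programme puts in scope and drop the ones it excludes,
# plus a helper to check which AS originates a host's address.
# Assumptions: dig is available; Team Cymru's origin.asn.cymru.com zone is
# reachable for live AS lookups; A-labels are used for the IDN ccTLDs.

# Name servers the programme page explicitly lists as out of scope.
OUT_OF_SCOPE="w.dns.eu x.dns.eu y.dns.eu nsx.eurid.eu nsp.netnod.se"

# filter_in_scope: read hostnames on stdin (one per line, as `dig +short ns`
# prints them), normalise case and the trailing dot, de-duplicate, and print
# only the ones that are not on the out-of-scope list.
filter_in_scope() {
  tr 'A-Z' 'a-z' | sed 's/\.$//' | sort -u | while IFS= read -r ns; do
    keep=1
    for excluded in $OUT_OF_SCOPE; do
      [ "$ns" = "$excluded" ] && keep=0
    done
    [ "$keep" -eq 1 ] && printf '%s\n' "$ns"
  done
  return 0
}

# reverse_ipv4 A.B.C.D: print D.C.B.A, the label order used by in-addr.arpa
# and by the Team Cymru origin-ASN zone.
reverse_ipv4() {
  printf '%s\n' "$1" | awk -F. '{ print $4 "." $3 "." $2 "." $1 }'
}

# origin_asn IPV4: ask Team Cymru's DNS service which AS originates the
# prefix covering IPV4 and print the AS number (live query, needs network).
# Per the programme, a host is in scope only if this prints 35733 or the
# host is fronted by Cloudflare.
origin_asn() {
  dig +short "$(reverse_ipv4 "$1").origin.asn.cymru.com" TXT \
    | awk -F'|' 'NR == 1 { gsub(/[" ]/, "", $1); print $1 }'
}

# in_scope_ns ZONE SERVER: live NS lookup of ZONE against SERVER, filtered.
in_scope_ns() {
  dig +short ns "$1" "@$2" | filter_in_scope
}

# Constructed sample (not a real dig answer) to exercise filter_in_scope
# offline: mixed case, trailing dots, a duplicate and two excluded servers.
SAMPLE_NS='be.dns.eu.
w.dns.eu.
X.DNS.EU.
nsx.eurid.eu.
be.dns.eu.'

# Run with --live to query the real servers; the sleeps keep the run far
# below the programme's 5 requests/second limit.
if [ "${1:-}" = "--live" ]; then
  for zone in eu. xn--e1a4c. xn--qxa6a.; do
    printf '== %s\n' "$zone"
    in_scope_ns "$zone" a.root-server.net
    sleep 1
  done
  for zone in eurid.eu. registry.eu.; do
    printf '== %s\n' "$zone"
    in_scope_ns "$zone" be.dns.eu
    sleep 1
  done
else
  printf '%s\n' "$SAMPLE_NS" | filter_in_scope
fi
```

Without arguments the script only runs the filter over the constructed sample; with --live it performs the dig queries from the In scope section. Resolve each surviving name server to its addresses and pass them to origin_asn before testing anything, since a host under an in-scope domain that is not in AS35733 and not behind Cloudflare is out of scope regardless of its name.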

Application

  • API key disclosure without proven business impact
  • Wordpress usernames disclosure
  • Pre-Auth Account takeover/OAuth squatting
  • Self-XSS that cannot be used to exploit other users
  • Verbose messages/files/directory listings without disclosing any sensitive information
  • CORS misconfiguration on non-sensitive endpoints
  • Missing cookie flags
  • Missing security headers
  • Cross-site Request Forgery with no or low impact
  • Presence of autocomplete attribute on web forms
  • Reverse tabnabbing
  • Bypassing rate-limits or the non-existence of rate-limits
  • Best practices violations (password complexity, expiration, re-use, etc.)
  • Clickjacking without proven impact/unrealistic user interaction
  • CSV Injection
  • Sessions not being invalidated (logout, enabling 2FA, etc.)
  • Tokens leaked to third parties
  • Anything related to email spoofing, SPF, DMARC or DKIM
  • Content injection without being able to modify the HTML
  • Username/email enumeration
  • Email bombing
  • HTTP Request smuggling without any proven impact
  • Homograph attacks
  • XMLRPC enabled
  • Banner grabbing/Version disclosure
  • Not stripping metadata of files
  • Same-site scripting
  • Subdomain takeover without taking over the subdomain
  • Arbitrary file upload without proof of the existence of the uploaded file
  • Blind SSRF without proven business impact (pingbacks are not sufficient)
  • Disclosed/misconfigured Google Maps API keys
  • Host header injection without proven business impact

General

  • In case that a reported vulnerability was already known to the company from their own tests, it will be flagged as a duplicate
  • Theoretical security issues with no realistic exploit scenario(s) or attack surfaces, or issues that would require complex end user interactions to be exploited
  • Spam, social engineering and physical intrusion
  • DoS/DDoS attacks or brute force attacks
  • Vulnerabilities that only work on software that no longer receives security updates
  • Attacks requiring physical access to a victim's computer/device, man in the middle or compromised user accounts
  • Recently disclosed zero-day vulnerabilities in in-scope assets may be reported within 14 days after the public release of a patch or mitigation, but are usually not eligible for a bounty
  • Reports that state that software is out of date/vulnerable without a proof-of-concept

The services that are used by our registrar community, more precisely the registrar extranet (under https://www.registry.eu) and the EPP server (under epp.registry.eu) are out of scope.

Researchers should refrain from becoming registrars to access the above systems.

Severity assessment

EURid follows Intigriti's standard view on severity assessment and impact analysis, especially when related to software developed and maintained by EURid, including but not limited to the YADIFA authoritative name server. More information can be found on: https://kb.intigriti.com/en/articles/5041991-intigriti-s-contextual-cvss-standard.

It will be the responsibility of Intigriti to pay out the bounties in a timely and legal way. Payouts will only take place after our agreement on the criticality of the impact and only if the submission was the first of its kind and agreed to be valid.

FAQ

Are there test domain names available to test the registrant extranet portal?
No. Test domain names are not technically possible. Researchers are invited to register their own .eu domain names (find a registrar). We will reimburse the cost of domain names that were registered for testing and resulted in accepted findings rated "high" or higher; researchers are requested to attach proof of purchase of the domain names used to their report.

Are there test accounts available, where applicable?
Currently this is not possible.

What is sensitive data?
We consider any type of data that is not publicly accessible or available as sensitive. This includes but is not limited to personal data.

Why is my IP address blocked?
We encourage security researchers to look into our infrastructure and services in search of vulnerabilities, but we will take protective measures when this has a negative impact on our services. Running an aggressive security scanner or exploitation tool and bombarding us with requests (see the 5 requests/sec limit in the rules of engagement) will trigger non-negotiable blocks on our systems.

Last 90 day response times

  • avg. time to first response: < 24 hours
  • avg. time to triage: < 2 days
Activity

  • 4/10: EURid closed a submission
  • 4/8: a researcher created a submission
  • 3/28: EURid closed a submission
  • 3/28: a researcher created a submission
  • 3/18: a researcher created a submission
  • 3/8: EURid closed a submission
  • 3/8: a researcher created a submission
  • 3/8: EURid closed a submission
  • 3/6: a researcher created a submission
  • 2/27: EURid closed a submission