Description

EURid vzw has been the registry operator of the .eu, .ею (Cyrillic script) and .ευ (Greek script) country code top-level domains (ccTLDs) since 2003, as appointed by the European Commission. As the registry operator, our biggest concern and priority is the stability and security of the .eu namespace. Since 2012 we have also developed and maintained YADIFA, a lightweight authoritative name server with DNSSEC capabilities.

Bounties

Severity (CVSS score)   Low         Medium      High        Critical    Exceptional   Range
                        0.1 - 3.9   4.0 - 6.9   7.0 - 8.9   9.0 - 9.4   9.5 - 10.0
Tier 1                  €75         €300        €1,250      €3,000      €6,000        €75 - €6,000
Tier 2                  €50         €250        €1,000      €2,500      €5,000        €50 - €5,000
Tier 3                  €0          €50         €1,000      €2,500      €5,000        Up to €5,000
Rules of engagement
Not applicable
Not applicable
max. 5 requests /sec
Not applicable

Guidelines

  • Provide detailed but to-the-point reproduction steps;
  • Include a clear attack scenario; a step-by-step guide in the PoC is highly appreciated;
  • Please do NOT discuss findings before they are fixed (including PoCs on YouTube, Vimeo or any other sharing platform);
  • Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction of data during security testing;
  • Have no criminal or malicious intent;
  • Perform research only within the scope;
  • Do not place malware or any other software on our systems;
  • Do not alter the configuration of our systems;
  • Do not copy, delete or modify data on our systems;
  • Do not share access to vulnerable systems with others or repeatedly gain access to vulnerable systems;
  • Remove sensitive material from your systems once the issue has been resolved.
Domains

My .eu is the registrant or domain holder portal and requires a registered domain name in one of our supported scripts to access.

  • *.das.eu (Tier 2, Wildcard)
  • *.dns.eu (Tier 2, Wildcard)
  • *.eurid.eu (Tier 2, Wildcard)
  • *.nic.eu (Tier 2, Wildcard)
  • *.registry.eu (Tier 2, Wildcard)
  • *.whois.eu (Tier 2, Wildcard)
  • *.yadifa.eu (Tier 2, Wildcard)
  • YADIFA authoritative name server (Tier 3, Other): EURid's authoritative name server software, which can be downloaded from the yadifa.eu website.

In scope

Our authoritative name servers as listed in the NS resource record set of the .eu, .ευ and .ею top-level domains:

dig ns eu. @a.root-servers.net
dig ns ею. @a.root-servers.net
dig ns ευ. @a.root-servers.net

(If your dig build lacks IDN support, query the A-label forms instead: xn--e1a4c. for .ею and xn--qxa6a. for .ευ.)

as well as the authoritative name servers for the domain names listed in the Domains section, for example:

dig ns eurid.eu. @be.dns.eu
dig ns registry.eu. @be.dns.eu
etc.

Systems and services in our autonomous system number:

  • AS35733 (ASN 35733)

Systems and services under the domain names listed in the Domains section, unless referred to in the out-of-scope section.
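The scope steps above (query the root servers for the three TLDs, then collect the NS hosts and compare them with the Domains list) are easy to get wrong for the IDN TLDs and for look-alike hostnames. The following Python script is an added example, not EURid's, Intigriti's or YADIFA's code: it converts the U-label TLDs to A-labels with Python's idna codec (IDNA2003; for these labels the result is identical to the IDNA2008 A-label), parses a dig-style NS answer, and reports which hosts fall under a listed wildcard. It assumes that a `*.example.eu` entry also covers the apex `example.eu`; the sample answer is constructed (only `be.dns.eu` appears on the page), and hosts outside every wildcard are only flagged for an AS35733 check, which this offline script does not perform.

```python
"""Scope helper for the in-scope enumeration steps on the EURid programme page.

Added example; not EURid's, Intigriti's or YADIFA's code. The dig answer below is
constructed sample text, not the output of a real query.
"""
import re
from typing import Dict, List, Optional, Tuple

# Wildcard entries from the Domains section, with the tier stated on the page.
IN_SCOPE_WILDCARDS: Dict[str, int] = {
    "das.eu": 2, "dns.eu": 2, "eurid.eu": 2, "nic.eu": 2,
    "registry.eu": 2, "whois.eu": 2, "yadifa.eu": 2,
}

# The three TLDs run by the registry, in U-label (Unicode) form as written on the page.
REGISTRY_TLDS = ["eu", "ею", "ευ"]


def to_alabel(name: str) -> str:
    """Return the fully qualified A-label (xn--) form of a possibly Unicode domain name.

    Each label is IDNA-encoded separately; ASCII labels pass through unchanged and the
    result always carries a trailing dot, matching the absolute names used with dig.
    """
    labels = [l for l in name.rstrip(".").split(".") if l]
    return ".".join(l.encode("idna").decode("ascii") for l in labels) + "."


# Matches one answer line of the form: <owner> <ttl> IN NS <target>
NS_LINE = re.compile(r"^(\S+)\s+\d+\s+IN\s+NS\s+(\S+)$")


def parse_ns_answer(text: str) -> List[str]:
    """Extract NS target hosts from dig-style output, skipping comments and blank lines.

    Hosts are returned lowercase without the trailing dot so they can be compared
    directly against the wildcard list.
    """
    hosts: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        match = NS_LINE.match(line)
        if match:
            hosts.append(match.group(2).rstrip(".").lower())
    return hosts


def scope_tier(host: str) -> Optional[Tuple[str, int]]:
    """Return (wildcard domain, tier) covering host, or None if no wildcard entry matches.

    Matching is on whole labels: 'x.dns.eu' matches 'dns.eu', but 'evil-dns.eu' does not.
    Treating the apex 'dns.eu' as covered by '*.dns.eu' is an assumption of this example.
    When several entries match, the longest (most specific) one wins.
    """
    h = host.rstrip(".").lower()
    best: Optional[Tuple[str, int]] = None
    for domain, tier in IN_SCOPE_WILDCARDS.items():
        if (h == domain or h.endswith("." + domain)) and (best is None or len(domain) > len(best[0])):
            best = (domain, tier)
    return best


def classify_ns_hosts(answer: str) -> Dict[str, str]:
    """Map each NS host in a dig answer to a scope note.

    Hosts outside every wildcard entry are not declared out of scope here: the page also
    brings systems in AS35733 into scope, and that needs an IP/ASN lookup this offline
    example does not perform.
    """
    result: Dict[str, str] = {}
    for host in parse_ns_answer(answer):
        hit = scope_tier(host)
        if hit:
            result[host] = f"in scope via *.{hit[0]} (Tier {hit[1]})"
        else:
            result[host] = "not under a listed wildcard; verify against AS35733 before testing"
    return result


# Constructed sample answer: be.dns.eu appears on the page, the other two hosts are invented.
SAMPLE_NS_ANSWER = """\
;; constructed sample, not real dig output
;; ANSWER SECTION:
eu.\t172800\tIN\tNS\tbe.dns.eu.
eu.\t172800\tIN\tNS\tx.dns.eu.
eu.\t172800\tIN\tNS\tns-eu.example.net.
"""

if __name__ == "__main__":
    for tld in REGISTRY_TLDS:
        print(f"dig ns {to_alabel(tld)} @a.root-servers.net")
    for host, note in classify_ns_hosts(SAMPLE_NS_ANSWER).items():
        print(f"{host}: {note}")
```

The suffix check deliberately requires a leading dot, so a registered look-alike such as `evil-dns.eu` is never mistaken for a host under `*.dns.eu`; that is the mistake that most often leads to testing outside the programme.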

Some examples of websites in scope:

Registrant Extranet:

  • https://my.eurid.eu: the Registrant or Domain Name Holder Extranet (requires a .eu domain name to access)
  • https://mrz.eurid.eu: a web app used to scan and process the Machine Readable Zone of IDs for KYC purposes; part of "My .eu"

This portal allows .eu domain name holders or registrants to manage their domain name at the registry level. More details on the functionality can be found here.

We have implemented extensive identification and verification methods in the portal, as described here; domain name holders from the European Union and the European Economic Area use them to confirm their registration data in an automated manner with one of the available methods.

The entire portal and all its functionality is in scope of this programme.

Software developed by EURid:

Severity assessment

EURid follows Intigriti's standard view on severity assessment and impact analysis, especially when related to software developed and maintained by EURid, including but not limited to the YADIFA authoritative name server. More information can be found on: https://kb.intigriti.com/en/articles/5041991-intigriti-s-contextual-cvss-standard.

It will be the responsibility of Intigriti to pay out the bounties in a timely and legal way. Payouts will only take place after our agreement on the criticality of the impact and only if the submission was the first of its kind and agreed to be valid.

FAQ

Are there test domain names available to test the registrant extranet portal?
No, there are no test domain names available as this is technically not possible. Researchers are invited to register their own .eu domain names (find a registrar). We will compensate domain names that have been registered and result in accepted findings of "high" and higher. Researchers are requested to add proof of purchase of the used domain names with their report.

Are there test accounts available, where applicable?
Currently this is not possible.

What is sensitive data?
We consider any type of data that is not publicly accessible or available as sensitive. This includes but is not limited to personal data.

Why is my IP address blocked?
We encourage security researchers to look into our infrastructure and services in the search for vulnerabilities, but we will take protective measures when this has a negative impact on our services. Running an aggressive security scanner or exploitation tool and bombarding us with requests will trigger non-negotiable blocks on our systems.
