Description

We're an independent, not-for-profit membership organisation that supports the infrastructure of the Internet through technical coordination in our service region. Our most prominent activity is to act as the Regional Internet Registry (RIR) providing global Internet resources and related services (IPv4, IPv6 and AS Number resources) to members in our service region.

Bounties
Tier | Low (0.1 - 3.9) | Medium (4.0 - 6.9) | High (7.0 - 8.9) | Critical (9.0 - 9.4) | Exceptional (9.5 - 10.0)
Tier 1 (up to €2,000) | 0 | 250 | 700 | 1,100 | 2,000
Tier 2 (up to €500) | 0 | 50 | 100 | 200 | 500

Rules of engagement
Required
Not applicable
max. 2 requests /sec
X-Intigriti-User: {{Username}}

By participating in this program, you agree to:

  • Respect the Community Code of Conduct
  • Respect the Intigriti Terms and Conditions
  • Respect the scope of the program
  • Not discuss or disclose vulnerability information without prior written consent (including PoCs on YouTube and Vimeo)

Validation times
We will validate all submissions within the timelines below, once your submission has been verified by Intigriti.
Submissions validated outside of these timelines may be awarded a €25 bonus.

Vulnerability Severity | Time to validate
Exceptional | 2 working days
Critical | 2 working days
High | 5 working days
Medium | 15 working days
Low | 15 working days

This remains at the discretion of the RIPE NCC to award.

Check our fix
We offer up to €50 bonus to verify a resolved issue for us (when requested).
This remains at the discretion of RIPE NCC to award.

Domains

This is the authentication service for our membership and community, mostly used for all of our membership (e.g. LIR) applications.
We strongly suggest that you adjust your scanners to the request-rate limit given in the rules of engagement.

Please adhere to the out of scope rules below.

https://github.com/RIPE-NCC/rpki-commons

Tier 1
Other

This library contains an implementation of an X.509 v3 certificate extension which binds a list of IP address blocks or prefixes to the subject of a certificate (IP Address Delegation Extension).

https://github.com/RIPE-NCC/rpki-core

Other

This repository contains the source code for the RIPE NCC certification. We strive to publish as many components as possible with reasonable effort. Some elements or information are not included, either because of our threat model or because we cannot publish them.

Severity assessment

This program follows Intigriti's contextual CVSS standard

Although we follow Intigriti's CVSS standard, the business impact may differ from the actual score.
The final decision will be made after our assessment and the severity set accordingly.

FAQ

Where can we get credentials for the app?

You can self-register on the application but please don’t forget to use your @intigriti.me address.

I've found a bug which is considered out of scope, but I can chain it to exploit in-scope targets. What should I do?

If you have doubts about the bug you've found, you can contact Intigriti Support, so we can discuss it together and let you know whether you should submit the bug here or not.

Who can submit bugs to our program?

The RIPE NCC Bug Bounty Programme cannot be used by RIPE NCC employees or any external consultants working for RIPE NCC.
