Description

R+V is the insurer of the Volksbanken Raiffeisenbanken financial group and, together with its cooperative partners, offers the full range of financial services. We strive to deliver exceptional service to our customers in the insurance market. Our motto "you are not alone" reflects our commitment to providing personalized support not only to our customers but also to our colleagues within the organization with the same dedication and passion. At R+V, we recognize the invaluable contributions of the security research community and encourage researchers to responsibly disclose any vulnerabilities they may discover. By working together with researchers, we aim to enhance the security of our services and protect our customers. We are committed to creating a collaborative environment where responsible disclosure is welcomed and rewarded.

Bounties

This is a responsible disclosure program without bounties.

We deeply appreciate your contribution to securing our systems. As a token of our gratitude, if a vulnerability also falls within the scope of one of our private programs, we will be happy to invite you to that private bug bounty program and reward your effort there.

Rules of engagement

Required
  • Not applicable
  • max. 20 requests /sec
  • X-Intigriti-VDP: <username/alias>

By participating in this program, you agree to:

  • Respect the Community Code of Conduct
  • Respect the Intigriti Terms and Conditions
  • Respect the scope of the program
  • Not discuss or disclose vulnerability information without prior written consent (including PoCs on YouTube and Vimeo)
Domains

No bounty
URL

ruv.de is our main site for offering various insurance options for private and business customers. Customers can also log in to their accounts and report insurance incidents on the site.

Out of scope
Wildcard: *.ruv.de

Before initiating any testing or submitting a report, please ensure that the asset in question is genuinely owned by R+V. Any subdomain of ruv.de is out of scope. Please DO NOT test against subdomains other than R+V's main domain www.ruv.de
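The rules of engagement above fix three mechanical constraints on every request a researcher sends: the `X-Intigriti-VDP` header, a ceiling of 20 requests per second, and a scope limited to the host www.ruv.de (any other ruv.de subdomain is out of scope). The following is an added example, written for this page and not code from R+V or Intigriti, of a small helper that enforces all three before a request leaves the tester's machine: a host check that rejects `api.ruv.de`, bare `ruv.de` and look-alike hosts such as `www.ruv.de.example`, a token-bucket limiter tuned to the 20 req/s ceiling, and a request builder that attaches the attribution header. The alias `alice`, the `User-Agent` string and the limiter design are assumptions for illustration; the header name, rate and host come from the program text.

```python
"""Scope, rate-limit and attribution guard for testing www.ruv.de.

Added example for this page; not R+V's or Intigriti's code. Only the
standard library is used so it runs offline. Nothing here sends traffic:
``prepare_request`` returns a ``urllib.request.Request`` that the caller
may pass to ``urllib.request.urlopen`` once the checks have passed.
"""
import threading
import time
import urllib.request
from urllib.parse import urlsplit

# Constraints taken from the program's rules of engagement and scope text.
IN_SCOPE_HOSTS = {"www.ruv.de"}        # the only host that may be tested
MAX_REQUESTS_PER_SECOND = 20
VDP_HEADER = "X-Intigriti-VDP"


def in_scope(url: str) -> bool:
    """True only for http(s) URLs whose host is exactly www.ruv.de.

    Other ruv.de subdomains, bare ruv.de, non-web schemes and hosts that
    merely start with "www.ruv.de" (e.g. www.ruv.de.example) are rejected.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    host = (parts.hostname or "").lower().rstrip(".")
    return host in IN_SCOPE_HOSTS


def vdp_headers(alias: str) -> dict:
    """Headers every request carries so triage can attribute the traffic.

    The User-Agent format is an assumption; the X-Intigriti-VDP header is
    the one the program requires.
    """
    if not alias or any(ch.isspace() for ch in alias):
        raise ValueError("alias must be a single non-empty token")
    return {VDP_HEADER: alias, "User-Agent": f"vdp-research/{alias}"}


class RateLimiter:
    """Token bucket: at most ``rate`` acquisitions per second, burst up to ``rate``.

    ``clock`` and ``sleep`` are injectable so the pacing can be verified
    without real waiting.
    """

    def __init__(self, rate: int, clock=time.monotonic, sleep=time.sleep):
        self.rate = rate
        self.tokens = float(rate)
        self.last = clock()
        self.clock = clock
        self.sleep = sleep
        self.lock = threading.Lock()

    def acquire(self) -> float:
        """Block until a token is available; return the seconds waited."""
        with self.lock:
            waited = 0.0
            while True:
                now = self.clock()
                self.tokens = min(self.rate, self.tokens + (now - self.last) * self.rate)
                self.last = now
                if self.tokens >= 1.0:
                    self.tokens -= 1.0
                    return waited
                need = (1.0 - self.tokens) / self.rate
                self.sleep(need)
                waited += need


def prepare_request(url: str, alias: str, limiter: RateLimiter,
                    method: str = "GET") -> urllib.request.Request:
    """Refuse out-of-scope targets, wait for a rate token, then build the request."""
    if not in_scope(url):
        raise PermissionError(f"out of scope for this program: {url}")
    limiter.acquire()
    return urllib.request.Request(url, headers=vdp_headers(alias), method=method)


if __name__ == "__main__":
    limiter = RateLimiter(MAX_REQUESTS_PER_SECOND)
    # Constructed target list: two in-scope URLs and two that must be refused.
    for target in ("https://www.ruv.de/", "https://www.ruv.de/login",
                   "https://api.ruv.de/", "https://www.ruv.de.example/"):
        try:
            req = prepare_request(target, "alice", limiter)
            print("would send:", req.get_method(), req.full_url)
        except PermissionError as exc:
            print("refused:", exc)
```

The host check compares the parsed hostname for equality rather than testing for a `.ruv.de` suffix or a `www.ruv.de` prefix, because both of those shortcuts would admit hosts the program text explicitly excludes. The limiter is shared across threads so that a multi-threaded scanner still stays under the aggregate ceiling.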

In scope

Our Commitments
When working with us, according to this policy, you can expect us to:

  • Respond to your report promptly, and work with you to understand and validate your report;
  • Strive to keep you informed about the progress of a vulnerability as it is processed;
  • Work to remediate discovered vulnerabilities in a timely manner, within our operational constraints; and
  • Extend Safe Harbor for your vulnerability research that is related to this policy.

Our Expectations
In participating in our vulnerability disclosure program in good faith, we ask that you:

  • Play by the rules, including following this policy and any other relevant agreements;
  • Report any vulnerability you’ve discovered promptly;
  • Avoid violating the privacy of others, disrupting our systems, destroying data, and/or harming user experience;
  • Do not exploit the vulnerability or problem, for example by downloading, modifying or deleting data or uploading code;
  • Use only the Official Channels to discuss vulnerability information with us;
  • Perform testing only on in-scope systems, and respect systems and activities which are out-of-scope;
  • If a vulnerability provides unintended access to data: Limit the amount of data you access to the minimum required for effectively demonstrating a Proof of Concept; and cease testing and submit a report immediately if you encounter any user data during testing, such as Personally Identifiable Information (PII), Personal Healthcare Information (PHI), credit card data, or proprietary information;
  • Interact only with test accounts you own or for which you have explicit permission from the account holder; and
  • Do not engage in extortion.

Feedback
If you would like to help us improve our program or have feedback to share, please send your anonymous feedback here:

Program feedback link
Please note this form will be checked periodically and should not be used for submission or support queries.

Out of scope

Generally, we welcome all submissions of vulnerabilities in our systems. The following vulnerabilities however do not fall within the scope of the vulnerability disclosure program:

General

  • Spam, social engineering and physical intrusion
  • DoS/DDoS attacks or brute force attacks
  • Vulnerabilities that only work on software that no longer receives security updates
  • Attacks requiring physical access to a victim's computer/device, man in the middle or compromised user accounts
  • Scanning of subdomains (xxx.ruv.de)
  • Do not test any 3rd-party domains and assets related to any of R+V Versicherung's assets in scope

Application

  • Forms with missing CSRF tokens (exception: criticality exceeds Common Vulnerability Scoring System (CVSS) level 5).
  • Missing security headers that do not directly lead to an exploitable vulnerability.
  • The use of a library known to be vulnerable or publicly known to be broken (without active evidence of exploitability).
  • Reports from automated tools or scans without explanatory documentation.
  • Use of vulnerable and “weak” cipher suites / ciphers.
  • Verbose messages/files/directory listings without disclosing any sensitive information
  • CORS misconfiguration on non-sensitive endpoints
  • Presence of autocomplete attribute on web forms

Mobile

  • Shared links leaked through the system clipboard
  • Any URIs leaked because a malicious app has permission to view URIs opened
  • The absence of certificate pinning
  • Sensitive data in URLs/request bodies when protected by TLS
  • Lack of obfuscation
  • Path disclosure in the binary
  • Lack of jailbreak & root detection
  • Lack of binary protection (anti-debugging) controls, mobile SSL pinning
  • Snapshot/Pasteboard leakage
  • Runtime hacking exploits (exploits only possible in a jailbroken environment)
Severity assessment

This program follows Intigriti's triage standards

FAQ

Where can we get credentials for the app?

You can self-register on the application but please don’t forget to use your @intigriti.me address.


Researchers

Overall stats
  • submissions received: 2
  • average payout: N/A
  • accepted submissions: N/A
  • total payouts: N/A

Last 90 day response times
  • avg. time to first response: < 16 hours
  • avg. time to decide: < 24 hours
  • avg. time to triage: < 16 hours
Activity
  • 4/30 R+V Versicherung changed the out of scope
  • 4/30 R+V Versicherung changed the domains
  • 4/30 R+V Versicherung changed the domains
  • 4/30 R+V Versicherung changed the out of scope
  • 4/30 R+V Versicherung changed the domains
  • 4/29 R+V Versicherung changed the rules of engagement
  • 4/29 R+V Versicherung changed the rules of engagement
  • 4/29 R+V Versicherung updated the confidentiality level to public
  • 4/29 R+V Versicherung updated the confidentiality level to registered
  • 4/29 R+V Versicherung updated the confidentiality level to application