Important!

• Always operate within legal boundaries when identifying potential security issues.
• Do not demonstrate security vulnerabilities by performing DDoS attacks, brute force password guessing, social engineering activities, infecting systems with malware, scanning our systems, etc. Such actions will be considered and dealt with as targeted attacks, because they can cause harm to both Telenet and its customers. In such cases, Telenet cannot guarantee that you will not be prosecuted, since there is a risk that the authorities will take the necessary measures in response to such attacks.
• Only notify Telenet of your findings, and only via this procedure.
• Do not publish details about the security issue through other channels. Making the problem known through other channels or the media, even before or after notifying Telenet via this procedure and even when not all details are provided, will be considered irresponsible behaviour and can still lead to the filing of criminal charges.
• Do not exploit the identified leak: only collect the information necessary to demonstrate its existence.
• Do not change or delete any data or system settings.
• Handle any found data in a responsible manner: if you can demonstrate that there is a security problem with a small portion, do not go any further.

Our promise

• We will respond to your message as soon as possible, if you have provided contact information.
• If we require additional information, we may choose to contact you, if possible.
• We will do everything possible to resolve any shortcomings as quickly as possible, and we will keep you posted.
• Acting in accordance with these guidelines ensures that Telenet will not file a criminal complaint against you.

Suspected vulnerabilities in our products and services, including modem, Digicorder/Digibox,
hotspot/homespot, websites, web-based applications and mobile apps and TV applications that can be abused
and can lead to:

• Theft of sensitive data
• Unauthorized modification or deletion of sensitive data
• Interference with or prevention of access to our services
• Disruption of the proper operation of our network, products or services

Out of scope domains:

• *.access.telenet.be
• *.inbel.telenet.be
• *.static.telenet.be
• *.kabel.telenet.be
• *.web.cloud.telenet.be
• home.base.be/*
• users.telenet.be/*
• business.telenet.be/nl/syba (A-desk website)
• mkt.telenet.be
• sim.telenet.be
• comm.base.be

General

• For leaked customer credentials or customer abuse, please contact our abuse team via abuse@telenet.be
• Services and systems that are hosted, created, managed or owned by Telenet customers.
• Duplicate reports of security issues, including security issues that have already been identified internally or only reproducable on non-PROD environment e.g. UAT
• Automated scanning attacks
• Social engineering (e.g. phishing, vishing) or physical attacks such as office access (e.g., open doors, tailgating)
• Distributed Denial of Service attacks and Denial of Service attacks
• Vulnerabilities that are a result of malware
• Theoretical security issues with no realistic exploit scenario(s) or attack surfaces, or issues that would require complex end user interactions to be exploited, may be excluded
• Issues determined to be low impact may be excluded
• Vulnerabilities in our 3rd party partners source code on which we don't have any control regarding the fix. This vulnerabilities should be directly reported to the 3rd party host.
• Attacks requiring the usage of shared computers, man in the middle or compromised user accounts
• Brute Force Attacks
• Recently discovered zero-day vulnerabilities found in in-scope assets within 14 days after the public release of a patch or mitigation may be reported, but are usually not eligible for a bounty.

Application

• Pre-auth account takeover / oauth squatting
• Self-XSS and issues exploitable only through Self-XSS.
• Descriptive error messages (e.g. stack traces, application or server errors).
• Content Spoofing
• Vulnerabilities that are limited to unsupported browsers will not be accepted. Exploit must work at least on > IE 8.
• .htaccess downloadable file without a real security misconfiguration that can have security impact
• Login page or one of our websites over HTTP
• Reports of insecure SSL/TLS ciphers (unless you have a working proof of concept)
• Password not enforced on user accounts
• Clickjacking or any issue exploitable through clickjacking
• Username / email enumeration
• CORS issues without a working PoC
• Discovery of any in-use service whose version contains known vulnerabilities (such as a specific version of OpenSSL, Apache, Tomcat, etc.) without a demonstration of intrusion, information retrieval, or service disruption using that vulnerability
• Vulnerabilities in obsolete (EOLed) versions of our products
• Missing additional security controls, such as HSTS or CSP headers.
• Cross-site Request Forgery with no or low impact (Login/Logout CSRF)
• Missing cookie flags
• Brute-force / Rate-limiting / Velocity throttling.
• Vulnerabilities only affecting users of outdated or un-patched browsers and platforms.
• Presence of autocomplete attribute on web forms.
• Web content in our robots.txt file.
• Banner Exposure / Version Disclosure
• DKIM, DMARC, SPF issues
• Flash findings that require Flash to be enabled
• Internal IP address disclosure
• Weak Captcha / Captcha Bypass.
• Open redirect
• WPS brute force attacks / XMLRPC enabled
• Disclosing API keys without proven impact
• Not stripping metadata of images
• E-mail bombing
• Cross-domain referer leakage
• Same-site scripting
• Subdomain takeover without taken over the subdomain
• Arbitrary file upload without proof of the existence of the uploaded file
• Sessions not being invalidated (logout, enabling 2FA, ..)
• Blind SSRF without proven business impact (DNS pingback only is not sufficient)
• Disclosed and/or misconfigured Google API key (including maps)
• Host header injection without proven business impact

Mobile applications

• Shared links leaked through the system clipboard
• Any URIs leaked because a malicious app has permission to view URIs opened
• The absence of certificate pinning
• Sensitive data in URLs/request bodies when protected by TLS
• Lack of obfuscation is out of scope
• Path disclosure in the binary
• Lack of jailbreak & root detection
• Crashes due to malformed URL Schemes
• Lack of binary protection (anti-debugging) controls, mobile SSL pinning
• Snapshot/Pasteboard leakage
• Runtime hacking exploits (exploits only possible in a jailbroken environment)
• API key leakage used for insensitive activities/actions (edited)

Reward will be given based on the payment table that you can find at the top of the program. The level of the criticality will be based on technical parameters (CVSS) but exceptions on this are possible if a vulnerability on a system and/or application is not critical to our business.

No rewards will be given to out of scope reports or to any vulnerabilities introduced by our customers (e.g. if a customer introduces a vulnerability in his personal webspace, we will not fix nor offer a reward for this report).

Can we receive test accounts?

No, we currently don’t share credentials of test accounts.

How long does it take to fix a vulnerability?

Our goal is to implement a fix as soon as possible. Depending on the criticality and the affected system it can take up to multiple months to implement a fix.

Why have you lowered the criticality of my reported issue?

If the reported issue has been found on a non-critical system or non-production environment then we can downgrade the criticality.
In this program we try to focus on critical and production environments.

Do you give refunds for Telenet services I have bought for testing purposes.

No, we will not refund expenses for services you have bought for testing purposes.
We do not recommend to buy Telenet services for testing purposes.
Sales are final.