Description

Tomorrowland is one of the most-loved and best-known music festivals on the planet. Because of this, Tomorrowland usually sells out in minutes and manages a large fanbase. Tomorrowland also innovates by offering its visitors cashless onsite payments and a wide range of online services. This has increased Tomorrowland's digital footprint. We value all the help we can get in securing this digital footprint.

Bounties

Severity (score range): Tier 2 / Tier 3
Low (0.1 - 3.9): €50 / €0
Medium (4.0 - 6.9): €150 / €75
High (7.0 - 8.9): €500 / €250
Critical (9.0 - 9.4): €1,000 / €500
Exceptional (9.5 - 10.0): €2,500 / €1,250

Tier 2: €50 - €2,500
Tier 3: Up to €1,250

Rules of engagement
Required
Not applicable
Not applicable
Not applicable

Guidelines

  • Remember: quality over quantity!
  • Provide detailed but to-the-point reproduction steps
  • Include a clear attack scenario; a step-by-step guide in the PoC is highly appreciated
  • Please do NOT discuss bugs before they are fixed

Please use the @intigriti.me email for your tests so we can keep our databases clean.

Domains

*.weareone.world

Tier 2
Wildcard

Currently T2; will be evaluated on an individual basis.

Vulnerabilities found on either winter/brasil/belgium .tomorrowland.com will be considered duplicate.

Severity assessment

All our rewards are impact-based, so we kindly ask you to carefully evaluate a vulnerability's impact when picking a severity rating. To give you an idea of what kind of bugs belong in a certain severity rating, we've put some examples below. Note that depending on the impact and the targeted domain, a bug can sometimes be given a higher or lower severity rating.

Exceptional

  • Remote Code Execution
  • Full database read/write access

Critical

  • Full database read access
  • Significant access bypass
  • IDOR on ticket info

High

  • Horizontal privilege escalation
  • Access to (a lot of) PII data

Medium

  • XSS
  • CSRF on critical actions
  • Information disclosure
    • Line-up
    • Information about tickets / price packages before public announcement
    • Stack traces with sensitive info
    • Full supplier data

Low

  • Open redirects
  • CSRF

Cash

Severity Cash
Low € 50
Medium € 150
High € 500
Critical € 1.000
Exceptional € 2.500
FAQ

Where can I get a test account?

You can register yourself on Tomorrowland by using an Intigriti email. More info can be found at: https://go.intigriti.com/intigritime
