Guidelines

• Remember: quality over quantity!
• Provide detailed but to-the point reproduction steps
• Include a clear attack scenario, a step by step guide in the PoC is highly appreciated
• Please do NOT discuss bugs before they are fixed

Please use the @intigriti.me email for your tests so we can keep our databases clean.

We are looking for help in protecting and securing our online assets because we care about the privacy of our fans and their data. We also value fair access for our fans to our ticketing sales and want to prevent fraud and ticket scalping.

• Please report all vulnerabilities about our online assets, our scope is listed under the Domains section.
• The public programme includes listed public domain names and our public Android and iOS app.
• Additional private projects concerning our ticket sales and crew accreditation services will be added in a later phase.
• Reports regarding onsite payments and access solutions are accepted and will be evaluated on individual basis

Feedback
Would you like to help us improve our program or have some feedback to share, please send your anonymous feedback here:

Program feedback link
Please note this form will be checked periodically and should not be used for submission or support queries.

Important Notice

Following an increase on submissions (and possible duplicates), we are taking returns.store.tomorrowland.com temporarily out of scope to have discussions with our third party partner for a structural solution

CPDoS issues

On *.weareone.world are currently out of scope!

Out of scope actions on Tomorrowland Wintershop

• Bypassing the payment process

Tomorrowland Brasil Ticket shops are out of scope

Application

• API key disclosure without proven business impact
• Pre-auth account takeover / oauth squatting
• Self-XSS that cannot be used to exploit other users (this includes having a user paste JavaScript into the browser console)
• Vulnerabilities that are limited to non-current browsers (older than 3 versions) will not be accepted.
• CORS issues on non sensitive endpoints
• Missing cookie flags
• Missing security headers
• Cross-site Request Forgery (CSRF) with no or low impact (Logout/Logon CSRF, etc.).
• Presence of autocomplete attribute on web forms.
• Web content in our robots.txt file.
• Reverse tabnabbing
• Bypassing rate-limits or the non-existence of rate-limits.
• Attacks requiring use of shared computers or physical access
• Best practises on password resets (logoff on changing a password, multiple sessions etc)
• Best practices violations (password complexity, expiration, re-use, etc.)
• Clickjacking on pages with no sensitive actions
• Comma Separated Values (CSV) injection
• Blind SSRF without proven business impact (DNS pingback only is not sufficient)
• Disclosed and/or misconfigured Google API key (including maps)
• Host header injection without proven business impact
• Sessions not being invalidated on logout
• Text injection
• HTML or CSS injection without a plausible attack scenario
• Stacktrace disclosure with no sensitive data
• Directory listing which do not contain sensitive files.
• Use of HTTP with no sensitive data
• Server status if it does not expose any sensitive data.
• Tokens leaked against third parties
• Email spoofing
• Pixel flood attack
• Broken link hijacking
• Theoretical attacks
• Homograph attacks
• Username / email enumeration
• E-mail bombing
• Disclosing API keys without proven impact
• Disclosing credentials without proven impact
• HTTP Header Attacks without proven impact (E.g. Host Header Injection without clear business impact)
• known issue: *.tomorrowland.com/.htpasswd

Infrastructure

• Recently discovered zero-day vulnerabilities found in in-scope assets within 14 days after the public release of a patch or mitigation may be reported, but are usually not eligible for a bounty.
• Banner Exposure / Version Disclosure
• E-mail spoofing due to bad or missing implementation of SPF/DMARK/DKIM
• Weak SSL configurations and SSL/TLS scan reports (this means output from sites such as SSL Labs)
• Not stripping metadata of images
• Open ports without the proof-of-concept of a vulnerability
• Man-in-the-middle attacks

General

• Best practices concern
• In case that a reported vulnerability was already known to the company from their own tests, it will be flagged as a duplicate.
• Theoretical security issues with no realistic exploit scenario(s) or attack surfaces, or issues that would require complex end user interactions to be exploited, may be excluded or be lowered in severity
• Spam, social engineering and physical intrusion
• DDoS attacks or brute force attacks. The use of limited word lists in favor of e.g. password guessing is allowed

Mobile

• Shared links leaked through the system clipboard
• Any URIs leaked because a malicious app has permission to view URIs opened
• The absence of certificate pinning
• Sensitive data in URLs/request bodies when protected by TLS
• Lack of obfuscation is out of scope
• Path disclosure in the binary
• Lack of jailbreak & root detection
• Disclosing API keys without proven impact
• Crashes due to malformed URL Schemes
• Lack of binary protection (anti-debugging) controls, mobile SSL pinning
• Snapshot/Pasteboard leakage
• Runtime hacking exploits (exploits only possible in a jailbroken environment)
• API key leakage used for insensitive activities/actions (edited)
• Attacks requiring stealing the victim’s phone or installing a malicious application onto the victim’s phone

All our rewards are impact based, therefore we kindly ask you to carefully evaluate a vulnerability's impact when picking a severity rating. To give you an idea of what kind of bugs belong in a certain severity rating we've put some examples below. Note that depending on the impact and the targetted domain, a bug can sometimes be given a higher/lower severity rating.

Exceptional

• Remote Code Execution
• Full database read/write access

Critical

• Full database read access
• Significant access bypass
• IDOR on ticket info

High

• Horizontal privillege escalation
• Access to (a lot of) PII data

Medium

• XSS
• CSRF on critical actions
• Information disclosure
  • Line-up
  • Information about tickets / price packages before public announcement
  • Stack traces with sensitive info
  • Full suplier data

Low

• Cache Poisoning
• Open redirects
• CSRF

Where can I get a test account?

You can register yourself on Tomorrowland by using an intigriti email. More info can be found on: https://go.intigriti.com/intigritime