Tomorrowland is one of the most-loved and best-known music festivals on the planet. Because of this, Tomorrowland usually sells out in minutes and manages a large fanbase. Tomorrowland also innovates by providing its visitors with cashless on-site payments and a wide range of online services. This has increased Tomorrowland's digital footprint. We value all the help we can get securing this digital footprint.

Scope table (the domain names themselves were not recovered from the page): every listed asset is rated Tier 2 and is in scope, with rewards ranging from € 50 to € 2,500 (€ 50 / € 150 / € 500 / € 1,000 / € 2,500 by severity). One asset carries the note "Out of Scope: bypassing payment process".

We are looking for help in protecting and securing our online assets because we care about the privacy of our fans and their data. We also value fair access for our fans to our ticketing sales and want to prevent fraud and ticket scalping.

Please report all vulnerabilities affecting our online assets; our scope is listed under the Domains section.

The public programme includes the listed public domain names and our public Android and iOS apps.

Additional private projects concerning our ticket sales and crew accreditation services will be added in a later phase.

Important guideline

Always create a Tomorrowland account with your intigriti email

More info can be found on:

Out of scope

Subdomain takeover is out of scope!

Out of scope actions on Tomorrowland Winterschop 2020

  • Bypassing the payment process

  • Self-XSS that cannot be used to exploit other users (this includes having a user paste JavaScript into the browser console)
  • Vulnerabilities that are limited to non-current browsers (older than 3 versions) will not be accepted.
  • CORS issues on non-sensitive endpoints
  • Missing cookie flags
  • Missing security headers
  • Cross-site Request Forgery (CSRF) with no or low impact (Logout/Logon CSRF, etc.).
  • Presence of autocomplete attribute on web forms.
  • Web content in our robots.txt file.
  • Reverse tabnabbing
  • Bypassing rate-limits or the non-existence of rate-limits.
  • Attacks requiring use of shared computers or physical access
  • Best practices on password resets (logoff on changing a password, multiple sessions, etc.)
  • Best practice violations (password complexity, expiration, re-use, etc.)
  • Clickjacking on pages with no sensitive actions
  • Comma Separated Values (CSV) injection
  • Host Header Injection
  • Sessions not being invalidated on logout
  • Text injection
  • HTML or CSS injection without a plausible attack scenario
  • Stacktrace disclosure with no sensitive data
  • Directory listings that do not contain sensitive files.
  • Use of HTTP with no sensitive data
  • Server status if it does not expose any sensitive data.
  • Tokens leaked against third parties
  • Email spoofing
  • Pixel flood attack
  • Broken link hijacking
  • Theoretical attacks
  • Homograph attacks
  • Username / email enumeration
  • E-mail bombing
  • Disclosing API keys without proven impact
  • Disclosing credentials without proven impact
  • known issue:

  • Recently disclosed zero-day vulnerabilities in commercial products where no patch or a recent patch (< 2 weeks) is available. We need time to patch our systems just like everyone else - please give us 2 weeks before reporting these types of issues.
  • Banner Exposure / Version Disclosure
  • E-mail spoofing due to bad or missing implementation of SPF/DMARC/DKIM
  • Weak SSL configurations and SSL/TLS scan reports (this means output from sites such as SSL Labs)
  • Not stripping metadata of images
  • Open ports without a proof-of-concept of a vulnerability

  • Best practices concern
  • In case that a reported vulnerability was already known to the company from their own tests, it will be flagged as a duplicate.
  • Theoretical security issues with no realistic exploit scenario(s) or attack surfaces, or issues that would require complex end user interactions to be exploited, may be excluded or be lowered in severity
  • Spam, social engineering and physical intrusion
  • DDoS attacks or brute force attacks. Using limited word lists, e.g. for password guessing, is allowed

  • Shared links leaked through the system clipboard
  • Any URIs leaked because a malicious app has permission to view URIs opened
  • The absence of certificate pinning
  • Sensitive data in URLs/request bodies when protected by TLS
  • Lack of obfuscation
  • Path disclosure in the binary
  • Lack of jailbreak & root detection
  • Disclosing API keys without proven impact
  • Crashes due to malformed URL Schemes
  • Lack of binary protection (anti-debugging) controls, mobile SSL pinning
  • Snapshot/Pasteboard leakage
  • Runtime hacking exploits (exploits only possible in a jailbroken environment)
  • API key leakage used for insensitive activities/actions
  • Attacks requiring stealing the victim’s phone or installing a malicious application onto the victim’s phone

Rules of engagement

  • Remember: quality over quantity!
  • Provide detailed but to-the-point reproduction steps
  • Include a clear attack scenario; a step-by-step guide in the PoC is highly appreciated
  • Please do NOT discuss bugs before they are fixed

Safe harbour for researchers

Tomorrowland considers ethical hacking activities conducted consistent with the Researcher Guidelines, the Program description and restrictions (the Terms) to constitute “authorized” conduct under criminal law. Tomorrowland will not pursue civil action or initiate a complaint for accidental, good faith violations, nor will it file a complaint for circumventing technological measures used by us to protect the scope as part of your ethical hacking activities.

If legal action is initiated by a third party against you and you have complied with the Terms, Tomorrowland will take steps to make it known that your actions were conducted in compliance and with our approval.

Severity assessment

All our rewards are impact based, therefore we kindly ask you to carefully evaluate a vulnerability's impact when picking a severity rating. To give you an idea of what kind of bugs belong in a certain severity rating, we've put some examples below. Note that depending on the impact and the targeted domain, a bug can sometimes be given a higher/lower severity rating.

Exceptional
  • Remote Code Execution
  • Full database read/write access

Critical
  • Full database read access
  • Significant access bypass
  • IDOR on ticket info

High
  • Horizontal privilege escalation
  • Access to (a lot of) PII data

Medium
  • XSS
  • CSRF on critical actions
  • Information disclosure
    • Line-up
    • Information about tickets / price packages before public announcement
    • Stack traces with sensitive info
    • Full supplier data

Low
  • Open redirects
  • CSRF

Cash vs tickets

We are happy to reward your findings with tickets for Tomorrowland 2020 instead of cash. The table below explains which severity results in which monetary reward or ticket reward.

The ticket supply is limited; the company always has the right to reward you in cash instead.

Severity      Cash      Tickets
Low           € 50      -
Medium        € 150     2 day tickets
High          € 500     2 Weekend tickets
Critical      € 1.000   2 Weekend tickets (comfort) including spending limit
Exceptional   € 2.500   4 Weekend tickets (comfort) including spending limit

Where can I get a test account?

You can register yourself on Tomorrowland by using an intigriti email. More info can be found on:


Program specifics
ID check required
Reputation points
Last 90 day response times: avg. time to first response < 2 days; avg. time to triage < 2 days