Tomorrowland/Tomorrowland/Detail
Detail Updates Leaderboard
sort by
Last published
Tomorrowland Belgium 2025 Campaign Update - update targets!
6/23/2025, 6:48:05 PM (9 days ago)

Hello Hackers,

We're back with another update on our bug bounty campaign!
Thanks to everyone who's already submitted — we've seen some great reports come in. We're actively reviewing findings and will continue to share updates as the campaign progresses.

Extra applications in the spotlight!

In addition to https://cas.tomorrowland.com, https://tlbe.prod.tomorrowland.com/ and https://belgium.tomorrowland.com/ we're adding one more applications to this week's spotlight:

New in the spotlight:
🔹 https://my.tomorrowland.com

Gradually leading up to the start of Tomorrowland Belgium 2025, we'll feature new applications or URLs as spotlight targets.

Bonus Bounties (Limited Time Only!)

High and Critical severity findings on spotlighted applications will receive double the usual bounty.

The first Exceptional submission during the campaign will also earn a doubled bounty — this bonus is one-time only.

Valid until: 14 July 2025

Current Spotlighted Applications:

Crew Accreditation System – https://cas.tomorrowland.com

Tomorrowland Belgium – https://tlbe.prod.tomorrowland.com/ (*)

Tomorrowland Belgium Website – https://belgium.tomorrowland.com/ (*)

My Tomorrowland - https://my.tomorrowland.com

(*) CPDoS vulnerabilities are out of scope for these URLs.

Happy hacking and good luck!

Tomorrowland Belgium 2025 Campaign Update - New targets!
6/18/2025, 12:16:55 PM (15 days ago)

Hello Hackers,

We're excited to share an update on our ongoing bug bounty campaign! We've already seen some interesting submissions roll in, thank you! As we continue reviewing the findings, we'll keep you posted.

Extra applications in the spotlight!

In addition to https://cas.tomorrowland.com, we're adding two more applications to this week's spotlight:

🔹 https://tlbe.prod.tomorrowland.com/
🔹 https://belgium.tomorrowland.com/

Gradually leading up to the start of Tomorrowland Belgium 2025, we'll feature new applications or URLs as spotlight targets.

Bonus Bounties (Limited Time Only!)

High and Critical severity findings on spotlighted applications will receive double the usual bounty.

The first Exceptional submission during the campaign will also earn a doubled bounty — this bonus is one-time only.

Valid until: 14 July 2025

Current Spotlighted Applications:

  • Crew Accreditation System – https://cas.tomorrowland.com

  • Tomorrowland Belgium – https://tlbe.prod.tomorrowland.com/ (*)

  • Tomorrowland Belgium Website – https://belgium.tomorrowland.com/ (*)

(*) CPDoS vulnerabilities are out of scope for these URLs.

Happy hacking and good luck!

Tomorrowland Belgium 2025 Campaign
6/16/2025, 12:02:19 PM (17 days ago)

Hello Hackers,

Starting now and running until the beginning of Tomorrowland Belgium 2025, we will spotlight different applications/URLs each week. During this limited period, bounties for High and Critical severity findings on these spotlighted applications will be doubled. Additionally, the first Exceptional finding submitted during this campaign will also receive a doubled bounty — this bonus applies only once.

Valid until 14 July 2025

This week's spotlighted application:
Crew Accreditation System – https://cas.tomorrowland.com

Bounty Boosts for Spotlighted Apps:

High and Critical severity findings will receive double bounties.
The first Exceptional finding submitted during this campaign will also be doubled — this bonus applies only once across the entire campaign.

Happy Hacking!

CPDoS on *.weareone.world out of scope
3/13/2025, 2:26:18 PM (4 months ago)

Hello Hackers,

We are aware of the CPDoS issues on *.weareone.world. We are currently working on a fix and will put all CPDoS issues on *.weareone.world out of scope for now.

Happy hacking!

TML Team

New domain
1/13/2025, 9:46:57 AM (6 months ago)

Dear Hackers,

We've added a new domain to our program.

*.weareone.world

We're looking forward to your reports

Happy Hacking
TML Team

Open redirect back in scope
7/25/2024, 1:40:03 PM (11 months ago)

Dear Hackers,

Open redirect and Cache Poisoning on our platform is back in scope!!

Happy Hacking

Scope update:
5/3/2024, 9:44:01 AM (about 1 year ago)

Dear Hackers,

We would like to provide an update regarding Open Redirects and Cache Poisoning on our platform. Currently, we will set those topics out of scope, however, we want to assure you that we are fully aware of their significance and are actively working on resolving them.

We appreciate your patience and understanding as we work to enhance the security measures of our platform. Rest assured, we will keep you updated on any further developments regarding this matter.

Happy Hacking

Scope update:
3/18/2023, 2:58:02 PM (over 2 years ago)

Subdomain takeover is again in scope, however we've decided to put a fixed fee of 50 EUR on this vulnerability as we have a project running to fix this type of vulnerability more structurally.

We've also added two new domains in Tier 3. A vulnerability found on either one of domains and is present on the other will be considered a duplicate. (Production versus staging environment).

Happy hacking!