As we recently launched our renewed liveblog on VRT NWS, we would like to request the help of Intigriti researchers to ensure its security and resilience.
Scope of the Test:
- Platform: VRT NWS
- Page: liveblog
- Key Areas of Focus:
  - Resilience against common web attacks (e.g., XSS, CSRF, SQL Injection)
  - API security and data handling
  - Data integrity and protection
  - Renewed redirecting URL with unique ID
  - Authentication and user access control
  - Potential vulnerabilities in the interaction system
We are particularly interested in identifying any weaknesses that could impact the reliability of our live reporting environment. Let us know if you need further details. Looking forward to your findings.
VRT NWS Product Team
Since October 23, 2024, we have integrated our Ketnet brand into VRT MAX, creating a kid-friendly and safe environment.
Kids can now create their own profiles with the consent of a parent or guardian.
Once a profile is created, children will be directed to our kid environment within VRT MAX. Children under 7 will be redirected to our Ketnet Junior environment, while those aged 7 and up will enter the Ketnet environment. Both environments offer content tailored to their respective age groups.
Ensuring the safety of these environments is our top priority, and we have taken extensive measures to secure them. However, we understand that no system is completely impenetrable, which is why we are seeking your expertise.
We would like to highlight a known issue: after a child completes their steps in the profile creation flow, they receive a link or QR code to share with their parent for validation. This link can be sent to anyone, meaning that anyone with the link can validate the profile. As this is already known, tickets concerning this vulnerability will be rejected.
We wish you happy hunting.
We have updated our bounty payouts accordingly:
- Low: 25 -> 100
- Medium: 200 -> 300
- High: 500 -> 750
- Critical: 1100 -> 1300
- Exceptional: 1500 -> 2000
We wish you happy hunting
VRT
It’s been a busy time for VRT MAX, the new name for VRT's online video platform, available on https://vrt.be/vrtmax.
Apart from a renaming and a complete refresh of the look & feel, VRT MAX also includes some new features like:
- Available on Samsung TV
- New search
- Improved navigation
- Kids (sub-)profile possible, coupled to an existing VRT profile
Under the hood it is also noteworthy that our audio & video services have been containerized, also changing quite a lot about the underlying workings.
These improvements & changes may have introduced new vulnerabilities.
We wish you happy hunting
VRT
A few months ago, we released a VRT NU Android TV app. A few weeks ago, the same thing happened for Apple TV. A good time to add those apps to the scope of our bug bounty, so we just did!
Hey everyone, today we added some of our Ketnet (VRT's children's brand) sites to the scope of this project. Have fun!
Hey everyone, we are currently getting alerts/complaints about (too) aggressive directory/endpoint scans on api.sporza.be. Please take a look at our in scope and the rules about automated scans. We will not be accepting any reports that come as a result of this scan.
Regards,
Jeroen
Welcome to VRT's new bug bounty program. We start out with a scope around VRT's VRT Nu product, but plan to expand this scope in the very short term with other big VRT brands. This project will be a long-living project, staying open for our main products. For things that are not in scope here, there's also our responsible disclosure program.
Have fun!