Description

Attentia provides integrated HR, payroll, prevention & protection and well‑being services to Belgian organisations. We welcome responsible security research to help us strengthen our systems. Please report vulnerabilities affecting Attentia assets (web applications, APIs, and customer portals) via our secure reporting channel. Do not access, copy, or exfiltrate personal payroll or health data; avoid tests that could disrupt payroll processing.

Bounties

This is a responsible disclosure program without bounties.

Rules of engagement

Not applicable

By participating in this program, you agree to:

  • Respect the Community Code of Conduct
  • Respect the Intigriti Terms and Conditions
  • Respect the scope of the program
  • Not discuss or disclose vulnerability information without prior written consent (including PoCs on YouTube and Vimeo)

Validation times

We will validate all submissions within the below timelines, once your submission has been verified by Intigriti.

Vulnerability severity   Time to validate
Exceptional              2 working days
Critical                 2 working days
High                     5 working days
Medium                   15 working days
Low                      15 working days

This remains at the discretion of Attentia to award.

Assets

  • *.attentia.be (wildcard, Tier 3)
  • iOS app (Tier 3)
  • iOS app (Tier 3)
  • Android app (Tier 3)
  • Android app (Tier 3)

In scope

High-Value Vulnerabilities

These are the findings most impactful for Attentia and will receive priority triage.

1. Authentication & Authorization

  • Broken access control (IDOR, privilege escalation, horizontal/vertical access bypass)
  • Authentication bypasses (session fixation, weak session handling, missing MFA enforcement)
  • Improper access to payroll, HR, or medical/prevention data
  • Token leakage or JWT manipulation

2. Data Exposure & Privacy

  • Exposure of personal data (PII), payroll data, or medical/prevention data
  • Insecure direct object references to employee or customer records
  • Misconfigured access to documents, reports, or internal files
  • Sensitive data in logs, URLs, or client-side storage

3. Web Application Security

  • Injection vulnerabilities (SQLi, NoSQLi, command injection, template injection)
  • Cross-Site Scripting (XSS) — stored, reflected, DOM-based (self-XSS is out of scope)
  • Cross-Site Request Forgery (CSRF) on sensitive actions
  • Server-Side Request Forgery (SSRF)
  • Insecure file upload or file parsing issues
  • Business logic flaws affecting payroll, HR workflows, or well-being services
  • Open redirects that can be chained into a higher-severity issue

4. API Security

  • Missing or weak authentication on APIs
  • Excessive data exposure (GraphQL or REST)
  • Mass assignment vulnerabilities
  • Rate-limit bypasses with demonstrated business impact
  • Manipulation of payroll or HR-related API endpoints

5. Infrastructure & Configuration

  • Misconfigurations leading to unauthorized access
  • Open admin interfaces or exposed dashboards
  • Exposed cloud storage buckets or internal endpoints
  • Outdated or vulnerable components with a known, applicable CVE (OWASP A06)
  • Insecure TLS/SSL configurations with demonstrated exploitability

6. Account Takeover & Identity

  • Password reset flaws
  • Email or phone verification bypass
  • OAuth/OpenID Connect misconfigurations
  • Session hijacking or fixation

Out of scope

Not valuable for us

This section helps researchers avoid wasted effort and protects sensitive systems. Reports covering the items below will be closed without reward.

Attack techniques

  • Social engineering (phishing, vishing, smishing, employee impersonation)
  • Physical security testing (tailgating, badge cloning, device theft scenarios)
  • Denial-of-Service, distributed DoS, or any intentional performance degradation
  • Brute-force or credential stuffing attacks against production systems

Low-impact / theoretical findings

  • Clickjacking without a demonstrated, meaningful impact (e.g. no sensitive action can be triggered)
  • Rate limiting or account lockout absence without a credible business impact
  • Missing security headers (e.g. X-Frame-Options, Content-Security-Policy) without a working proof-of-concept exploit
  • SPF, DKIM, or DMARC configuration suggestions without a demonstrated exploitability path
  • SSL/TLS configuration issues (e.g. older cipher suites) without proven exploitability
  • Self-XSS or issues requiring the attacker to already have full control of the victim's browser/session
  • Open redirects that cannot be chained into a higher-severity issue
  • Publicly accessible login portals or admin panels without evidence of a vulnerability
  • User enumeration via timing differences or error messages without further exploitability

Informational / best-practice only

  • Best-practice or hardening recommendations without a concrete security impact
  • Findings from automated scanners without a manual proof-of-impact
  • Missing HttpOnly or Secure cookie flags on non-sensitive cookies
  • Software version disclosure without a known, applicable CVE
  • Descriptive error messages or stack traces in non-sensitive contexts

Out-of-bounds systems

  • Attacks on third-party systems, infrastructure, or services not owned or operated by Attentia
  • Findings in systems or applications explicitly listed as out-of-scope in the program scope section

Severity assessment

This program follows Intigriti's triage standards based on the proof of concept.

FAQ

Frequently Asked Questions

1. Are payroll, HR, or well-being systems in scope?
Yes — public-facing Attentia applications, APIs, and portals are in scope. However, production data must never be accessed, downloaded, or manipulated. Where test accounts are provided, use only those.

2. Are internal or third-party systems in scope?
No — only systems owned and operated by Attentia. Third-party platforms (e.g. payroll engines, SaaS tools, HR vendors) are out of scope unless explicitly listed in the scope section.

3. Is social engineering allowed?
No — phishing, vishing, impersonation, and any form of employee interaction are strictly out of scope.

4. Can I perform DoS, stress tests, or brute-force attacks?
No — any activity that could impact availability, payroll processing, or customer services is not permitted, regardless of intent.

5. Can I test APIs?
Yes — public-facing and customer-facing APIs are in scope. Internal APIs, undocumented endpoints, and staging environments are not.

6. Can I access or exfiltrate personal data?
No — Attentia processes sensitive HR, payroll, and health-related data. Researchers must not download, modify, or access real employee or customer records. If you accidentally encounter personal data, stop immediately, do not store or share it, and include a note in your report.

7. Are automated scans allowed?
Only if they are low-impact, do not degrade system performance, and the submission includes a manual proof-of-impact — not just raw scanner output.

8. What about subdomains?
Only subdomains that are public, active, and clearly owned by Attentia are in scope. Parked, inactive, or vendor-hosted subdomains are out of scope.

9. Can I test mobile apps?
Yes — if the app is published by Attentia on a public app store and interacts with Attentia-owned systems, it is in scope. Third-party SDKs or embedded vendor components within the app are out of scope.


Activity

  • 7/2: Attentia updated the confidentiality level to public
  • 7/2: Attentia updated the confidentiality level to registered
  • 7/2: Attentia updated the confidentiality level to application
  • 6/4: Attentia VDP launched