Responsible Disclosure

Reporting security issues

If you discover a problem or a vulnerability in our systems, we would appreciate it if you share this information with us as soon as possible. Serious security errors will be rewarded with a sum of bitcoins (bug bounty) or an honorable mention in the “wall of fame”. The size of the reward depends on the impact of the error, up to a maximum of 2 BTC. Rewards are only assigned if you're the first to alert us of a security issue and if the report results in a change in the code or configuration. Obviously, vulnerabilities should not be made public or exposed to third parties until sufficient time for resolving the issue has been given. You can find some examples of security errors below.

Eligible vulnerabilities

For example:

  • Cross Site Scripting (XSS)
  • SQL-injection
  • Encryption issues

Issues not to report

Some security errors are not eligible for a reward because they have a low impact on security. The following types of security errors are examples. Please don't report such flaws unless a combination of errors can lead to a security issue with a greater impact.

  • General error messages regarding application or server errors
  • HTTP 404 and other non-200 HTTP status codes
  • Accessibility of public files and folders (like robots.txt)
  • CSRF issues on parts of the site that are available to anonymous visitors
  • CSRF issues without (critical) consequences for users
  • HTTP TRACE method being enabled
  • SSL attacks like BEAST, BREACH, Renegotiation
  • SSL forward secrecy not in use
  • Missing anti-MIME-sniffing header (X-Content-Type-Options)
  • Missing HTTP security headers
  • Presence of HTTPS mixed content scripts / errors
  • SPF record settings

Rules

Additionally, we apply the following rules:

  • Don't do any damage during your investigation
  • Don't use social engineering techniques to gain access to our systems
  • Don't publish company or customer data
  • Don't share any access you gained with others if you successfully penetrated our systems
  • Don't make any changes in the system
  • Don't access more information than strictly required
  • Don't use brute-force techniques
  • Don't use techniques that can influence the availability of our services
  • Don't disclose or share vulnerabilities with third parties, until they are fully resolved

Security issues can be emailed to: security@bitonic.nl. Please clearly describe the problem you found and the steps needed to reproduce it. Add attachments like screenshots or data dumps to clarify the issue if possible. After receiving the notice, we will send an acknowledgment as soon as possible. We need some time to study and assess the report. Within a maximum of three working days you will receive a first substantive response.

Wall of fame

Reporter | Vulnerability                                        | Notes
Laurens  | Indexing of pages containing customer data by bing.com | Bounty awarded
