Responsible Disclosure
Below is the Responsible Disclosure policy of Bitonic.
This document outlines what constitutes a potential security issue or vulnerability and how it can be reported. Bitonic appreciates reports as soon as possible. Bitonic can be reached at security@bitonic.nl. The definitions used in this document have the same meaning as those in the User Agreement.
Article 1: Rules
- No damage may be caused during the investigation.
- Social engineering techniques may not be used.
- Personal data of Users and/or Bitonic must not be disclosed.
- Access obtained must not be shared with third parties.
- Personal data in systems or databases must not be altered or deleted.
- Only the data necessary to demonstrate the vulnerability may be copied.
- Brute force techniques may not be used.
- Techniques that affect the functionality or availability of the Services may not be applied.
- Vulnerabilities must not be publicly disclosed or shared with third parties without explicit permission of Bitonic.
Article 2: Scope
- The Responsible Disclosure policy applies to all Services of Bitonic and all systems under Bitonic's direct control.
- The guidelines in the Responsible Disclosure policy cover the discovery and reporting of security issues that may affect the integrity, availability, or confidentiality of Bitonic's systems and data.
Article 3: Vulnerabilities
- Vulnerabilities potentially eligible for a reward include, but are not limited to, Cross Site Scripting (XSS), SQL injection, and encryption issues.
- Other vulnerabilities that result in changes to the code or configuration may also be eligible for a reward.
Article 4: Vulnerabilities not eligible for reporting
- Vulnerabilities with limited security impact that are not eligible for a reward include:
  - general error messages related to application or server errors;
  - HTTP 404 and other non-HTTP 200 error messages;
  - accessibility of public files and directories (such as robots.txt);
  - CSRF issues on parts of the site accessible to anonymous users;
  - CSRF issues without significant impact on Users;
  - an enabled HTTP TRACE method;
  - SSL attacks such as BEAST, BREACH, and Renegotiation;
  - lack of SSL Forward Secrecy;
  - a missing anti-MIME-sniffing header (X-Content-Type-Options);
  - absence of HTTP security headers;
  - HTTPS Mixed Content scripts / errors;
  - SPF record settings.
- Vulnerabilities mentioned in paragraph 1 should only be reported if they, in combination with other vulnerabilities, lead to a greater security issue.
Article 5: Reward
- Bitonic offers a reward for discovered vulnerabilities that have significant impact. The reward is paid in Bitcoin and depends on the severity and impact of the discovered vulnerability.
- If applicable, a mention on the “wall of fame” may be offered as an alternative to a financial reward. The final reward will be determined by Bitonic's assessment of the reported vulnerability.
Article 6: Reporting
- Security issues and/or vulnerabilities can be emailed to security@bitonic.nl.
- The report must include a clear description of the issue and the steps to reproduce it.
- If possible, attachments such as screenshots or data dumps should be added to clarify the issue.
- Upon receipt of the report, a confirmation of receipt will be sent. An initial substantive response and information about the status of the report will follow within three working days.
Wall of fame
| Reporter | Vulnerability | Notes |
| --- | --- | --- |
| Laurens | Indexing of pages containing customer data by bing.com | Bounty awarded |