Reporting security issues
If you discover a problem or a vulnerability in our systems, we would appreciate it if you share this information with us as soon as possible. Serious security errors will be rewarded with a sum of bitcoins (bug bounty) or an honorable mention in the “wall of fame”. The size of the reward depends on the impact of the error and can be up to a maximum of 2 BTC. Rewards are only assigned if you're the first to alert us of a security issue and if this results in a change in the code or configuration. Obviously, vulnerabilities should not be made public or exposed to third parties until sufficient time for resolving the issue has been given. You can find some examples of security errors below.
- Cross Site Scripting (XSS)
- Encryption issues
Issues not to report
Some security errors are not eligible for a reward because they have a low impact on security. The following types of security errors are examples. Please don't report such flaws unless a combination of errors can lead to a security issue with a greater impact.
- General error messages regarding application or server errors.
- HTTP 404 and other non-200 HTTP status codes
- Accessibility of public files and folders (like robots.txt)
- CSRF-issues on parts of the site that are available to anonymous visitors
- CSRF-issues without (critical) consequences for users
- The HTTP TRACE method being enabled
- SSL attacks like BEAST, BREACH, Renegotiation
- SSL/TLS forward secrecy not in use
- Missing anti-MIME-sniffing header (X-Content-Type-Options)
- Missing HTTP security headers
- Presence of HTTPS Mixed Content Scripts / errors
- SPF Record settings
Additionally, we apply the following rules:
- Don't do any damage during your investigation
- Don't use social engineering techniques to gain access to our systems
- Don't publish company or customer data
- Don't share any access you gained with others if you successfully penetrated our systems
- Don't make any changes in the system
- Don't access more information than strictly required
- Don't use brute-force techniques
- Don't use techniques that can influence the availability of our services
- Don't disclose or share vulnerabilities with third parties, until they are fully resolved
Security issues can be emailed to: firstname.lastname@example.org. Please clearly describe the problem you found and the steps needed to reproduce it. Add attachments such as screenshots or data dumps to clarify the issue if possible. After receiving your report, we will send an acknowledgment as soon as possible. We need some time to study and assess the report; within a maximum of three working days you will receive a first substantive response.
We would appreciate it if you can encrypt your message with the PGP key provided below (fingerprint: B1E1 4255 F862 8E80 A226 0BD3 FB3C 57A8 B745 A874).
Wall of fame
- Laurens: indexing of pages containing customer data by bing.com (bounty awarded)
This is the public key you can use to encrypt messages to us with PGP/GPG in order to communicate securely.