Managed Bug Bounty Programs

The Managed Bug Bounty service complements our pentesting and red teaming portfolio by adding around-the-clock vulnerability discovery for our security-aware customers. If you would like to have your own program added here, let us know!

Platform Standards

This section outlines the criteria for evaluating vulnerability reports, determining bounty eligibility, and identifying issues that are not eligible for rewards. It also addresses considerations for third-party components and prohibited activities to ensure fair and secure participation.

Rules of Engagement

  • Test vulnerabilities only against your own account. Do NOT involve other users of the respective service.
  • If sensitive data is accessed in any way, it MUST NOT be saved.
  • Do NOT use automated scanners or tools.
  • To prove read, write, or execute access, use the following commands:
    • Read: cat /proc/1/maps
    • Write: touch /root/<username>
    • Execute: id, pwd
  • Vulnerabilities may only be exploited to the extent necessary to demonstrate impact.
    Example: For an SQL injection, extracting the database version is sufficient; extracting user data is forbidden and violates the rules of engagement.

Forbidden Attacks

  • Active social engineering on employees or users.
  • All attacks that could lead to disruption or degradation of availability.

Severity and Bounty Evaluation

  • Reports that duplicate a report already marked as “fixed” are re-checked independently and may be eligible for a new bounty.
  • If a systemic problem is detected, only the first three reports are eligible for a bounty; all others are marked as duplicates.
  • Chained vulnerabilities are assessed based on the overall impact.

Third-Party and External Component Considerations

  • Vulnerabilities in third-party components should first be reported in the respective program.
  • Vulnerabilities in third-party components are also eligible for a bounty if the asset is in scope.

Not Eligible Findings

Out-of-Scope or Low-Impact Issues

  • Insecure Direct Object References (IDORs) with complex IDs unless the IDs are systematically leaked or are predictable
  • Leaked credentials of end users
  • Vulnerabilities that require end-of-life browsers or operating systems
  • Attacks that require an already compromised user or physical access to their device
  • Self-XSS and Self-DoS

Commonly Reported but Low-Risk Findings

  • Broken link hijacking
  • Tabnabbing
  • Content spoofing and text injection issues
  • Clickjacking on pages with no sensitive actions
  • Cross-Site Request Forgery (CSRF) on forms without security-relevant action (e.g., log out)
  • CORS configurations without proven impact
  • Information disclosure (software versions, banners, error messages, stack traces)
  • Comma-Separated Values (CSV) injection
  • Open redirects without additional security impact (e.g., XSS, stealing access tokens)

Hardening Recommendations

  • SSL/TLS hardening
  • SSL pinning
  • Jailbreak detection
  • Cookie hardening (e.g., missing HttpOnly/Secure flags)
  • Content-Security-Policy hardening
  • E-mail hardening (e.g., SPF/DKIM/DMARC)
  • Rate limiting