General
Nobody's perfect. We strive to provide the best user experience for our partners and
customers.
To further improve on that, we've established this bug bounty.
We encourage you to report security flaws in our services, and you can expect rewards in return.
Contact
Please include the following information:
- Affected component / URL
- Type of Vulnerability
- Steps to reproduce
- Proof of exploitation
We reserve the right not to respond to basic technology misunderstandings, clearly out-of-scope findings or obvious false positives.
Response Goals
1st response: within 2 business days
triage: within 4 business days
bounty: within 14 business days
Vulnerability Disclosure Policy
Please refrain from sharing any information regarding vulnerabilities and your submission before giving us the opportunity to investigate and fix them.
In-Scope
- Authentication or Authorization Flaws
- Cross-Site Request Forgery (CSRF)
- Cross-Site Scripting (XSS)
- Local or Remote File Inclusions
- Remote Code Execution (RCE)
- Server-Side Request Forgery (SSRF)
- Server-Side Template Injection (SSTI)
- SQL injection (SQLi)
As a primary focus, we're interested in all reports that affect sensitive user data and system integrity.
Out of scope
- Reports from automated tools / scans that aren't manually validated
- Well-known issues / vulnerabilities of low to medium severity in external software, like WordPress, Mautic etc.
- Attacks requiring physical access to a user/company device
- Attacks requiring compromised network infrastructure
- Attacks requiring the victim to install non-standard software or otherwise take active steps
- Disclosure of obviously public / irrelevant information
- (Distributed) Denial of Service - “(D)DOS”
- Hypothetical or Theoretical vulnerabilities without actual verification or validation
- Physical attempts against our property or data centers
- Social engineering employees, clients or users
- Tabnabbing
Severity definition
Critical Severity
- remote code execution without user interaction
- root-level compromise of servers or infrastructure devices
- access to user’s information without authorization
High Severity
- elevated privileges
- significant data loss
- unexpected downtime
Medium Severity
- Requires user privileges to be exploited.
- Requires manipulating individual victims using social engineering tactics, being on the same local network as the victim, or setting up denial of service attacks.
- Often only very restricted access is gained.
Low Severity
- minimal effect on the organization's business.
No Severity
Minor annoyances such as:
- missing SPF, DKIM
- inappropriate account / password policies
- session-related issues like missing termination after changing credentials
- UI/UX Bugs, lost tags, spelling mistakes
Bounty Matrix
| Severity | Bounty (up to) |
|---|---|
| Low | 150,00 € |
| Medium | 500,00 € |
| High | 750,00 € |
| Critical | 1500,00 € and more |