Bugs and vulnerabilities
Submission
You can send your report to development at mypup nl. Please send us the following info with the report:
- A description of the issue and impact.
- Steps to reproduce the issue or bug. We prefer a video with the steps in text.
- A possible remediation.
- A POC of the issue (see rules of engagement).
- A link to your bug bounty profile, if you have any.
When you send a report to us we try to send an initial response within 3 weekdays. Within 14 weekdays we try to assess and categorize the report. We target to have the issue fixed within 31 days after the report. After the issue is fixed we will come back to you with the reward.
Bugs or reports that are incomplete (no video, screenshots and/or clear description) and that we cannot reproduce on our own are dismissed and are not eligible for any reward.
In short: if we can't find and fix the bug with the given report, the submission is rendered incomplete.
In scope
The following domain names are in scope because they are part of our own platform. Other (sub)domains refer to third-party software:
Reports on vulnerabilities in third-party software will not be rewarded. Reports should be forwarded to the third-party software supplier.
Out of scope
The following vulnerabilities are generally considered out of scope:
- Brute-force / dictionary attacks.
- Non-sensitive Clickjacking.
- Non-sensitive CSRF (login / logout).
- Vulnerabilities without a POC (Proof of Concept).
- Physical access dependent attacks.
- MITM dependent attacks.
- Best practices in SSL/TLS configuration, implementations etc.
- Industry standards and policies.
- Disruption of the service or the website (e.g., DoS attacks, mass scans etc.).
- (API) Rate-limiting issues in general.
- Automated reports from tools like nmap, Nessus, ZAP, Burp Scanner, Acunetix etc.
- Social engineering attacks.
- Missing security headers that are not detected by Probely are out of scope. We accept an "A" or higher here.
- Public website on my-pup.com. Since it's just a cloud-based CMS we can't do anything about vulnerabilities. Also, the CMS page doesn't store any personal data.
Severity and rewards
We have different rewards depending on the severity and business impact of each report. We categorize the reports using Intigriti’s contextual CVSS standard (v3.1). In the following table you can see the severity categories, the corresponding rewards and the max CVSS score for each severity category.
Severity | Max CVSS | Reward |
---|---|---|
Exceptional | 10.0 | € 850,00 |
Critical | 9.4 | € 600,00 |
High | 8.9 | € 350,00 |
Medium | 6.9 | € 175,00 |
Low | 3.9 | € 75,00 |
None | 0.0 | € - |
We can send rewards using Paypal or an EU bank account (IBAN). Payments outside the EU are very costly. Rewards will be paid in Euro only. Applicable transaction fees will be subtracted from the total amount. Transaction fees will be paid by the reporting party (you).
Duplicates
For different attack vectors that result in the same mitigation, MyPup reserves the right to reward the first report that is validated for that fix. All subsequent reports that are addressed by that mitigation will be considered duplicates, regardless of the attack vector. Bugs that are already fixed and are in the process of being released are also seen as duplicates.
Exceptions and edge cases
Some reports don’t exactly fall inside the CVSS standard. We’ve outlined these exceptions so you know what severity assessment you can expect.
Report Type | Severity | Description |
---|---|---|
Leaked Maintainer Credentials | Critical | Leaked credentials (username + password or TOTP secret) of maintainer/admin users will be rewarded with the bounty for this severity. |
Dangling DNS records to risky service | High | Dangling DNS records pointing to an attacker-controllable service or IP address will be rewarded with the bounty for this severity. |
Leaked enduser addresses in bulk | High | Possibly leaked e-mail addresses in bulk (more than 50 at a time) of users that use the MyPup platform itself. |
Leaked enduser addresses | Medium | Possibly leaked e-mail addresses, one at a time, of users that use the MyPup platform itself. |
Broken link hijacking (high traffic links) | Low | Exploitation of a broken or inactive link on the site to redirect visitors to malicious or unintended destinations, typically for the purpose of spreading malware, phishing, or promoting spammy content. |
Caching issues | Low | Issues or bugs caused by caching on for example browsers and devices. |
Disclosed info/debug page | Low | Status or debug pages like the PHP or CGI status page. |
E-mail verification bypass | Low | E-mail verification is not required for the program to function properly (if applicable). |
HTML injection in e-mails | Low | A vulnerability where an attacker is able to inject and execute malicious HTML or script code within the body or metadata of an e-mail. |
Known Behaviour | Low | Reports about known or intended behaviour that nevertheless result in an update are rewarded, as long as this update is security related. |
Man-in-the-middle | Low | Reports that point out a vulnerability that is only exploitable via a man-in-the-middle attack. Since almost all users don't need to use our online platform to use our services, we classify this as low severity. |
Open redirect without additional impact | Low | A vulnerability where the site allows user-controlled input to redirect to external URLs, but it does not lead to any further security consequences or compromise user data. |
Rate limiting issues without disclosure | Low | Rate limiting issues where no information about the end user is disclosed. |
Self-XSS or Reflected HTML injection | Low | Self-XSS reports where users need to input the code themselves and only the user itself is affected. |
Duplicate Report | None | Reports that have already been submitted by another security researcher, or reports that refer to the same bug within the system. When requested, proof of the previous report or of the bugfix can be sent to the security researcher. |
Intended Behaviour | None | Reports about intended behaviour that is not changed will not be rewarded. Note that names and addresses of pick up points are always visible and are intended behavior to be publicly available. |
Third Party Platform | None | Issues or bugs that are part of third party platforms. |
Rules of engagement
Activity that is disruptive to normal operation will result in disqualification of the report. Examples are:
- Generating abuse requests
- Submission of support, sales or other requests to 3rd party systems
- Mass creation of users, groups, and projects
- Typosquatting or other namesquatting
- Spam-like or other high volume activity
In general, behave professionally and use authentic reports. Doing any of the following will immediately disqualify the report.
- Sending reports from automated tools without verifying them.
- Not respecting our users' privacy. You must use only test accounts in order to respect our users' privacy. Do not access private information of other users.
- Performing actions that affect MyPup's users or operations (e.g. a denial of service or spam).
To demonstrate your impact:
- Choose a non-disruptive option to demonstrate the vulnerability or bug.
- If the only way to demonstrate an impact is a disruptive one, then stop and report the issue; we will validate the impact.
- In case of reports related to credential leaks, do not create additional access credentials using the leaked ones. We will determine the impact ourselves and award for the maximum impact we uncover.
- For sharing POC videos, directly upload or send the video in the report. Do not upload POC videos to public platforms until the report is disclosed.
- JavaScript vulnerabilities must be demonstrated with more than just "alert()".