
Bugs and vulnerabilities

Submission


You can send your report to development at mypup nl. Please send us the following info with the report:

  • A description of the issue and impact.

  • Steps to reproduce the issue or bug. We prefer a video with the steps in text.

  • A possible remediation.

  • A POC of the issue (see rules of engagement)

  • A link to your bug bounty profile, if you have any.

When you send a report to us, we try to send an initial response within 3 weekdays. Within 14 weekdays we try to assess and categorize the report. We aim to have the issue fixed within 31 days after the report. After the issue is fixed, we will come back to you with the reward.

Bugs or reports that are incomplete (no video, screenshots and/or clear description) and that we cannot reproduce on our own are dismissed and are not eligible for any reward.


In short: if we can't find and fix the bug with the given report, the submission is rendered incomplete.

In scope


The following domain names are in scope because they are part of our own platform. Other (sub)domains refer to third-party software:

Reports on vulnerabilities in third-party software will not be rewarded. Such reports should be forwarded to the third-party software supplier.

Out of scope

The following vulnerabilities are generally considered out of scope:

  • Brute-force / dictionary attacks.

  • Non-sensitive Clickjacking.

  • Non-sensitive CSRF (login / logout).

  • Vulnerabilities without a POC (Proof of Concept).

  • Physical access dependent attacks.

  • MITM dependent attacks.

  • Best practices in SSL/TLS configuration, implementations, etc.

  • Industry standards and policies.

  • Disruption of the service or the website (e.g., DoS attacks, mass scans, etc.).

  • (API) Rate-limiting issues in general.

  • Automated reports from tools like nmap, Nessus, ZAP, Burp Scanner, Acunetix etc.

  • Social engineering attacks.

  • Missing security headers that are not detected by Probely are out of scope. We accept an "A" or higher here.

  • Public website on my-pup.com. Since it's just a cloud-based CMS, we can't do anything about vulnerabilities there. Also, the CMS page doesn't store any personal data.

Severity and rewards

We have different rewards depending on the severity and business impact of each report. We categorize the reports using Intigriti’s contextual CVSS standard (v3.1). In the following table you can see the severity categories, the corresponding rewards and the max CVSS score for each severity category.

Severity      Max CVSS   Reward
Exceptional   10.0       € 850,00
Critical      9.4        € 600,00
High          8.9        € 350,00
Medium        6.9        € 175,00
Low           3.9        € 75,00
None          0.0        € -

We can send rewards using Paypal or an EU bank account (IBAN). Payments outside the EU are very costly. Rewards will be paid in Euro only. Applicable transaction fees will be subtracted from the total amount. Transaction fees will be paid by the reporting party (you).

Duplicates

For different attack vectors that result in the same mitigation, MyPup reserves the right to reward only the first report that is validated for that fix. All subsequent reports that are addressed by that mitigation will be considered duplicates, regardless of the attack vector. Bugs that are already fixed and are in the process of being released are also seen as duplicates.

Exceptions and edge cases

Some reports don’t exactly fall inside the CVSS standard. We’ve outlined these exceptions so you know what severity assessment you can expect.

Report type (severity): description

  • Leaked Maintainer Credentials (Critical): Leaked credentials (username + password or TOTP secret) of maintainer/admin users are rewarded with the bounty for this severity.

  • Dangling DNS records to risky service (High): Dangling DNS records pointing to an attacker-controllable service or IP address are rewarded with the bounty for this severity.

  • Leaked enduser addresses in bulk (High): Possibly leaked e-mail addresses in bulk (more than 50 at a time) of users that use the MyPup platform itself.

  • Leaked enduser addresses (Medium): Possibly leaked e-mail addresses, one by one, of users that use the MyPup platform itself.

  • Broken link hijacking (high traffic links) (Low): Exploitation of a broken or inactive link on the site to redirect visitors to malicious or unintended destinations, typically for the purpose of spreading malware, phishing, or promoting spammy content.

  • Caching issues (Low): Issues or bugs caused by caching on, for example, browsers and devices.

  • Disclosed info/debug page (Low): Status or debug pages like the PHP or CGI status page.

  • E-mail verification bypass (Low): E-mail verification is not required for the program to function properly (if applicable).

  • HTML injection in e-mails (Low): A vulnerability where an attacker is able to inject and execute malicious HTML or script code within the body or metadata of an e-mail.

  • Known Behaviour (Low): Reports about known intended or known behaviour that nevertheless result in an update are rewarded, as long as this update is security related.

  • Man-in-the-middle (Low): Reports that point out a vulnerability that is exploitable via a man-in-the-middle attack. Since almost all users don't need to use our online platform to use our services, we classify this as low severity.

  • Open redirect without additional impact (Low): A vulnerability where the site allows user-controlled input to redirect to external URLs, but it does not lead to any further security consequences or compromise user data.

  • Rate limiting issues without disclosure (Low): Rate limiting issues where no information about the end user is disclosed.

  • Self-XSS or Reflected HTML injection (Low): Self-XSS reports where users need to input the code themselves and only the user themselves is affected.

  • Duplicate Report (None): Reports that have already been submitted by another security researcher, or reports that refer to the same bug within the system. When requested, proof of the previous report or the bug fix can be sent to the security researcher.

  • Intended Behaviour (None): Reports about intended behaviour that will not be changed are not rewarded. Note that names and addresses of pick-up points are always visible; it is intended behaviour that they are publicly available.

  • Third Party Platform (None): Issues or bugs that are part of third-party platforms.

Rules of engagement

Activity that is disruptive to normal operation will result in disqualification of the report. Examples are:

  • Generating abuse requests

  • Submission of support, sales or other requests to 3rd party systems

  • Mass creation of users, groups, and projects

  • Typosquatting or other namesquatting

  • Spam-like or other high volume activity

In general, behave professionally and use authentic reports. Doing any of the following will immediately disqualify the report.

  • Sending reports from automated tools without verifying them.

  • Accessing private information of other users. Respect our users’ privacy: you must use only test accounts.

  • Performing actions that affect MyPup’s users or operations (e.g. a denial of service or spam).

To demonstrate your impact:

  • Choose a non-disruptive option to demonstrate the vulnerability or bug.

  • If the only way to demonstrate an impact is a disruptive one, then stop and report the issue; we will validate the impact.

  • In case of reports related to credential leaks do not create additional access credentials using the leaked one. We will determine impact ourselves and award for the maximum impact we uncover.

  • For sharing POC videos, directly upload or send the video in the report. Do not upload POC videos in public platforms until the report is disclosed.

  • JavaScript vulnerabilities must be demonstrated with more than just “alert()”.
