10K Followers - XSS Challenge
Solve the XSS challenge and win a Burp Pro License & Private Invites!
Altroconsumo is an Italian association which promotes consumer protection. We work on the promotion and defence of consumers' interests, the search for solutions to their problems, and assistance in exercising their rights (freedom of choice, access to information, access to the courts, right to health, safety and a healthy environment, education and training). In order to protect consumers, we ourselves need help to be as safe as possible, and that's why we are asking for your support! We work in close collaboration with other consumer associations which have the same approach and objectives: Test Aankoop/Test Achats in Belgium // Altroconsumo in Italy // Ocu in Spain // Deco Proteste in Portugal // Proteste in Brazil.
Torfs - the well-known shoe retailer in Belgium - is still a 100% family business today. This family character guarantees a number of important values within the company where employees are central. A head office in Sint-Niklaas and a spectacular distribution center in Temse offer support to the points of sale and customers of the E-Commerce website. With more than 80 stores in Flanders, 2 shops in the French part of Belgium and a growing online shop in Belgium, The Netherlands and several marketplaces, Torfs wants to be and remain the most customer-friendly optichannel shoe store chain.
Spaargids is a Belgian website that offers financial guidance. We continuously provide our users with the latest information regarding saving, loans, insurance and many more financial topics. We take security very seriously, as many of our users rely on us when they have to take financial decisions. Therefore we have decided to collaborate with ethical hackers who can inform us about potential vulnerabilities in our systems. If you happen to find a vulnerability we'd be more than happy to hear about it and, if its impact is significant enough, award you a bounty as a token of appreciation.
De Volkskrant is a Dutch daily morning newspaper. Founded in 1919, it has a nationwide circulation of about 250,000 papers per day.
OneSpan (formerly known as VASCO Data Security) is a global leader in digital security with two-factor authentication, transaction data signing, document e-signature and identity management solutions designed for financial institutions, enterprises, healthcare institutions as well as government agencies. In this project, we request researchers to validate the security of two mobile authentication products (soft tokens), namely DIGIPASS for Mobile and the DIGIPASS App.
EU-FOSSA - Apache Tomcat
The Apache Tomcat software is an open source implementation of the Java Servlet, JavaServer Pages, Java Expression Language and Java WebSocket technologies. The Java Servlet, JavaServer Pages, Java Expression Language and Java WebSocket specifications are developed under the Java Community Process.
EU-FOSSA - Symfony
Symfony is a PHP web application framework and a set of reusable PHP components. Symfony and its components are used by many well-known websites and open source PHP projects such as Drupal, Composer, PHPUnit and eZ Publish, and are released under the MIT license. Together with the European Commission, as part of their Free and Open Source Software Audit (FOSSA) project, we're running a limited-time security bug bounty program worth up to 39,000 EUR. The aim is to encourage and reward security researchers and developers who look for security issues in Symfony and then responsibly disclose those issues to us so that we can resolve them. This project is made possible by the generous funding of the European Commission, who have given 39,000 EUR towards the project, and intigriti, their bug bounty platform partner. The bounty program will run from the 30th January 2019 until either the 15th October 2019 or until the budget is exhausted.
IAM KU Leuven
KU Leuven uses a central identity management platform to manage the accounts of its 32k employees and 115k students (up to 500k accounts known irrespective of access rights). Most of the web applications can be accessed via a central login system, which authenticates the user and communicates their identity and access rights to the web application. Recently KU Leuven introduced a strong authentication method named "KU Leuven authenticator" based on n-Auth technology. We challenge you to find the bugs in our IAM system! If you find any, we will be more than happy to pay the bounty!
Studio 100 was founded as a small TV production company back in 1996. We have pursued the same goal up until today: producing engaging content which is not only entertaining, but also educational for today's children and their parents. Here at Studio 100, we believe that during childhood, children should blossom while having fun. From our TV series, live shows and theme parks to our online games and books, we aim to make great content accessible to a broad audience. As such, we have created a truly 360º approach to family entertainment combining a mix of global and local brands. On a global level, our main focus is currently on our three animated CGI series: Maya The Bee, Vic The Viking and Heidi. Alongside these brands we have important properties which thrive in local markets, such as Plop The Gnome, superheroine Mega Mindy and girl band K3. Studio 100's success over the last seventeen years has provided us with a deep understanding of the market's demand for quality family entertainment with characters who are easy to relate to and who resonate with today's values. Our ongoing success is global. We work with international partners who share the same mission: making children's dreams come true. Nothing more, nothing less. Welcome to our world!
EU-FOSSA - KeePass
KeePass is a free, open source, light-weight and easy-to-use password manager. You can store your passwords in a highly-encrypted database, which can only be unlocked with one master password and/or a key file. This project is part of the EU-FOSSA 2 project, where the European Commission sponsors selected open source software in running bug bounty programs to test and improve their security.
OneSpan Server Products
OneSpan (formerly known as VASCO Data Security) is a global leader in digital security with two-factor authentication, transaction data signing, document e-signature and identity management solutions designed for financial institutions, enterprises, healthcare institutions as well as government agencies. In this project, we request researchers to validate the security of two server-side products, namely IDENTIKEY Authentication Server and IDENTIKEY Risk Manager.
Tomorrowland is one of the most-loved and best-known music festivals on the planet. Because of this Tomorrowland usually sells out in minutes and manages a large fanbase. Tomorrowland also innovates by providing its visitors cashless onsite payments and a wide range of online services. This has increased Tomorrowland's digital footprint. We value all help we can get securing this digital footprint.
Online enrollment for students
The online enrollments application allows students to apply for educational programs at the university or at university colleges. Every year approximately 40.000 applicants enter their personal information and educational preferences into this application. We challenge you to find the bugs in our online enrollment application.
At Base (a company of Telenet Group) we place great importance on the security of our systems and data. Despite the measures we take to optimise our security, it is nevertheless possible that something will slip through the net. Should you discover a security problem, we have a system in place for you to report it to us in a responsible way. We are happy to have your help to improve our systems and protect our customers even better.
EU-FOSSA - GLIBC
The GNU C Library project provides the core libraries for the GNU system and GNU/Linux systems, as well as many other systems that use Linux as the kernel. These libraries provide critical APIs including ISO C11, POSIX.1-2008, BSD, OS-specific APIs and more. These APIs include such foundational facilities as open, read, write, malloc, printf, getaddrinfo, dlopen, pthread_create, crypt, login, exit and more.
Since its establishment in 1999, Hardware Info has been informing consumers in the Netherlands and Belgium about computer hardware and consumer electronics. Part of Hardware Info is a leading test lab, where more than 1500 products are tested professionally every year. In the test lab, the editors of Hardware Info have professional testing equipment at their disposal in order to be able to give as professional an opinion as possible about products. Based on the test results, we publish extensive comparison tests, but also in-depth single product reviews. The PC Advice systems are, as far as possible, also put together based on well-tested products. Editorial independence is of paramount importance at Hardware Info: that is why the commercial exploitation of the website is strictly separate from the editors. In addition to the website, Hardware Info also appears as a magazine six times a year. Hardware Info has been part of De Persgroep Online Services B.V. since September 2016.
Brussels Airlines bookings
This project focuses on the flight search and booking engine of Brussels Airlines.
At Telenet we place great importance on the security of our systems and data. Despite the measures we take to optimise our security, it is nevertheless possible that something will slip through the net. Should you discover a security problem, we have a system in place for you to report it to us in a responsible way. We are happy to have your help to improve our systems and protect our customers even better.
At intigriti, we practice what we preach. We've built the platform with the greatest care and attention to security, but all software contains bugs and we are no exception to this rule. We encourage you to responsibly disclose any security vulnerabilities you may encounter and will reward you accordingly.
Student Assessment System
The Student Assessment System (internally referred to as the Print&Scan application) is a tool for processing multiple choice exams. The inputs for the tool are a file containing user information, a file containing the students' answers to the multiple choice exam, and the correct answers. After processing the files, the tool presents the user with some statistics about the exam, as well as the calculated scores for the students. Each year about 1000 exams are processed using this tool, grading over 50.000 students. Since the results of this tool are used to determine whether students are able to graduate, it is important that it is secure. We challenge you to find the bugs in our Print&Scan tool.
The family and seasonal store has a spacious and diverse offer: from (outdoor) toys, multimedia and gifts, via school supplies and sports accessories, to children's bedrooms and decorative material. Dreamland inspires children from 0 to 14 years and their parents, family and friends and encourages them to play together. To make it even easier for online customers, Dreamland integrated its new webshop into its website in the fall of 2016. That makes online shopping even easier, improves online search results and brings more visitors to the site.
Website + Android Apps + iOS Apps
Android Apps
- KWS Companion: The application is only to be used by doctors and no logon information will be given.
- mynexuz CPV: The application is only to be used by personnel of UZ Leuven responsible for transport of patients and no logon information will be given.
- mynexuzhealth app: This application is intended to be used by patients in order to consult their private data, their doctors & appointments and more. Login: see below.
iOS Apps
- KWS Companion: The application is only to be used by doctors and no logon information will be given.
Website
- mynexuzhealth website: This website is intended to be used by patients in order to consult their private data, their doctors & appointments and more. Login: see below.
In order to be able to log on to the mynexuzhealth website and app, an ethical hacker will need to request one or more logon credentials via the platform. You can request this information via support (firstname.lastname@example.org). The information they will receive is:
- A user ID of 8 digits
- A PIN code of 4 digits
- A QR code
KU Leuven - www.kuleuven.be
KU Leuven has a very diverse web landscape. Keeping this environment and the data it contains as secure as possible is an ongoing effort. We would like to invite you to help us in this effort. We are happy to have your help to improve the security of our systems.
Xtra digital key service
Xtra is the Colruyt Group's customer card and digital key that automatically and immediately gets you all the Colruyt benefits and lets you manage your loyalty programs, your identity and your relationship at 9 Colruyt stores and webshops. In order to be able to log on to the Collishop website, an ethical hacker will need to request an Xtra logon credential via the registration platform.
Our website is a way to inform and inspire customers about the latest and brightest. It allows you to:
• Get up-to-date information about the movies and events we offer;
• Choose your favorite movie theater, pick a date and time;
• Buy tickets and enhance your experience by choosing a 'cozy seat' instead of our normal seats. Just in case you want to have a 'cozy night' with your significant other!
Whether you cry with laughter or scary movies are your favorite ones, via a My Kinepolis account we target movies and unique promotions based on your preferences. While researching our website you can already explore our schedule and plan your next trip to one of our movie theaters. We are ready to be challenged!
Test-Aankoop / Test-Achats (& affiliates) - Finance advice sites
Test-Aankoop gives independent advice to Belgian consumers in several domains. In order to protect Belgian customers, we ourselves need help to be as safe as possible, and that's why we are asking for your support!
EU-FOSSA - WSO2
WSO2 is an open-source technology provider founded in 2006. It offers an enterprise platform for integrating application programming interfaces, applications, and web services locally and across the Internet. The European Commission has deployed a WSO2 API Gateway. It is already in production and used by multiple projects, and we also plan to on-board more projects in the future. A variety of web services will be handled through this API Gateway and as such its security and availability are of utmost importance. The current production environment consists of multiple nodes running the latest version of WSO2 API Manager (https://wso2.com/api-management/), which is a Java application. The nodes are all running Red Hat Enterprise Linux Server v7.4 (Maipo). You can find the network architecture of the environment in the appendix. Vulnerabilities or bugs found by researchers that are in scope will be rewarded based on the level of severity. Please always keep in mind that, in the event you manage to get access or find a bug/vulnerability, you are asked not to do any further damage, as this would be out of scope, would be considered a violation of privacy and would be treated as such. Simply follow the usual appropriate disclosure through this website. Thank you very much.
Dreambaby helps future and new mothers and dads take a good start as parents. The baby specialist distinguishes herself with her service, personal advice and coaching role. Dreambaby offers a complete and quality selection against competitive prices for children from 0 to 24 months.
The Suivo Web Platform provides access to tracking data from vehicles equipped with Suivo hardware. The platform is built around 4 components:
- Real-time tracking data
- Analytics based on historical tracking data, both in a web view and in generated reports
- Communication: tasks and messages
- Fleet management (maintenance planning etc.)
ColliShop is a web shop from Colruyt Group. You will find more than 20,000 items for the whole family under 1 roof, at the sharpest prices: from toys to bath textiles and from garden furniture to kitchenware. Order easily and quickly, wherever and whenever you want.
Help us to get better at what we do: privacy & security of convenient online identity. We want to make the web a better place for every Belgian citizen or resident with a Belgian mobile subscription. Apart from internal practices to ensure that what we bring to the market is already developed and tested to be secure, we want to raise the bar for ourselves by asking you to help us track down vulnerabilities. 'Responsible disclosure' and a rewarding "Bug Bounty" for researchers provide an additional way for us to improve, where required, and we hope you help us be fast at it as well. If researchers like you notify us of any security threats before going public with the information, this is a win-win. It gives us a chance to fix the issue before people with bad intentions become aware of it, and it provides you with a bounty for the work you put into it.
Arkane is a multi-blockchain wallet provider that builds an open network between individuals, ecosystems and dapps.
The access router is a router in the KU Leuven datacenter that ensures the connectivity between the KU Leuven network and its ISP. In scope are suspected vulnerabilities in our access router that can be abused and can lead to:
- Disruption of the proper operation of our equipment
- Unauthorized access to, modification or deletion of configuration
eHealth Hub VZN KUL
The national project "eHealth Hubs & MetaHub", coordinated by the eHealth platform, is meant to make medical results from hospitals (and in the near future medical laboratories) available to any caregiver who is currently treating the patient. For detailed information see https://www.ehealth.fgov.be/nl/zorgverleners/online-diensten/hubs-metahub and the URL in the next paragraph. This system supplements the traditional system of addressed 'email type' communication to individual referrers. Before medical data about a patient can be shared, that patient has to grant the 'eHealth informed consent' (see http://www.patientconsent.be). Further, care providers declare a therapeutic relationship with the patient. Communication between the hubs, and between external physicians and a hub, follows the KMEHR standard: https://www.ehealth.fgov.be/standards/kmehr/content/page/web-services The scope of this project is confined to the hub operated by VZNKUL (Vlaams Ziekenhuis Netwerk KU Leuven), i.e. the VZNKUL implementation of this hub system. The central metahub from the Belgian government, the other hubs, and the systems at other partners of this project are out of scope.
Delen Private Bank
Delen Private Bank is a family-based specialist in asset management, focused on wealth preservation, growth and careful planning. Our core values - entrepreneurship, personal service and long-term vision – inspire us to apply a proactive yet prudent investment philosophy. Honest, no-nonsense products and services help our clients to enjoy the good and beautiful things in life – both today and tomorrow.
Safety is and has always been the first priority in the aviation world. Our IT solutions are no exception to this rule. We are therefore actively looking for experienced test pilots. Are you willing to take our application through hard turns, dives and loops in order to identify any possible vulnerability? Just put on your jacket, go through our safety checklist, turn on the engines and you are ready to fly! Our engineering team is eager to hear your debrief after landing, and will make sure to address any flaw you might have noticed. Please allow them a grace period before disclosing your findings; in return they will make sure to provide you with feedback on their progress. Have a good flight!
OneSpan Trusted Identity Platform
OneSpan (formerly known as VASCO Data Security) is a global leader in digital security with two-factor authentication, transaction data signing, document e-signature and identity management solutions designed for financial institutions, enterprises, healthcare institutions as well as government agencies. Trusted Identity Platform, or TID, is OneSpan's cloud-based platform that delivers security technologies to secure digital interactions. In this project, we request researchers to validate the security of the TID Developer Portal and the TID Microservices (Adaptive Authentication services).
EURid is the registry manager of the .eu, .ею (Cyrillic script) and .ευ (Greek script) country code top-level domains (ccTLD) upon the appointment of the European Commission in 2003. We take the security of our systems and services seriously to ensure the protection and privacy of our users and customers and the stability and availability of our services. Nevertheless, if you stumble upon an issue you consider a vulnerability, let us know as soon as possible following these guidelines. Do note that whenever we refer to the .eu namespace we imply all possible scripts which at this moment are .eu and .ею.
EU-FOSSA - Drupal
Drupal is a free and open source content-management framework written in PHP and distributed under the GNU General Public License. Drupal provides a back-end framework for at least 2.3% of all web sites worldwide. Systems also use Drupal for knowledge management and for business collaboration.
At sentiance we process enormous amounts of sensitive data to provide our clients with rich insights & analytics, used by them to optimize their business. All our products are built with security in mind and each feature has been carefully assessed to prevent security vulnerabilities from being introduced in our services. However, no security team is perfect and therefore we would like to call in the help of the bug bounty community to point out where we might have missed a bug. If you think you found a valid security vulnerability we would absolutely love to hear about it and award you if it's eligible per our policy.
Tweakers is a Dutch technology website featuring news and information about hardware, software and the Internet. We take security very seriously, as many of our users use our site as a trusted source. Therefore we have decided to collaborate with ethical hackers who can inform us about potential vulnerabilities in our systems. If you happen to find a vulnerability we'd be more than happy to hear about it and, if its impact is significant enough, award you a bounty as a token of appreciation.
Nexuzhealth Web PACS
This website is used to provide patients access to their radiology images (PACS). Patients log on with their date of birth and a unique code provided to them by the physician. This code provides access to one study.
WooRank is a super fast, super easy-to-use SEO audit and digital marketing tool (available in EN/FR/ES/DE/PT/NL). We look at millions of websites through Google’s eyes and generate an instant audit of the site’s technical, on-page and off-page SEO. Since we want to make the web a better place for everyone, we believe that protecting privacy and security should be a major concern for every individual or entity that is active on it. Therefore we dogfood that idea by asking you to help us track down vulnerabilities. We think that the practice of 'responsible disclosure' is the best way to clean the Internet one step at a time. It allows researchers like you to notify us of any security threats before going public with the information. This gives us a chance to fix the issue before people with bad intentions become aware of it.
EU-FOSSA - 7-Zip
7-Zip is a free and open-source file archiver, a utility used to place groups of files within compressed containers known as archives. It is developed by Igor Pavlov and was first released in 1999.
Colruyt is a family business from Lembeek, in the province of Flemish Brabant, and was founded more than 80 years ago. Today, the small company has developed into a family of companies: Colruyt Group. A successful player, active in 3 countries with numerous store formats.