Bug Bounty Programs
Below is a list of public bug bounty programs. Through a bug bounty program, companies can tap into a global network of ethical hackers who continuously test a wide range of digital assets within the defined scope.
Bug bounty programs reward ethical hackers with financial incentives when valid vulnerabilities are discovered.
Application Required
Sustainable
Doccle Bug Bounty program
Up to €4,000
Doccle, founded in 2014, is a Belgian company that hosts an online platform where you can receive, pay, share and store your administration in one place. You can add several suppliers to your Doccle account in a few mouse clicks. This way, you will receive all documents in one place. You can also pay, sign or share them via Doccle. All your documents are securely stored in your digital archive. The more companies you add, the more documents you will receive.
Application Required
Newpharma
€50 – €5,000
Newpharma is the largest online pharmacy in Belgium. It was the first to dispense medicines over the internet without a prescription in Belgium. Newpharma also offers you a broad range of drugstore products: cosmetics, natural and well-being products and specialist products for babies, children or the elderly at low prices throughout the year.
Important note: Please limit your automated tools to 1 request/sec. DDoS or brute force attacks are strictly forbidden!
Application Required
Arm
Up to $15,000
Arm is committed to security and welcomes feedback from researchers and the security community to improve its products and services.
The Arm Bug Bounty Program represents a partnership between Arm and the research community. At Arm, we value collaboration with security researchers as a critical step toward enhancing the security of our products. We encourage researchers to work with us to identify, mitigate, and responsibly disclose potential security vulnerabilities. We look forward to collaborating with you!
This program currently welcomes reports of vulnerabilities in certain versions of:
- Firmware: Mali Command Stream Frontend (CSF) Firmware 'CSFFW'
- Software: Mali GPU Kernel Driver (Kbase)
By submitting your report, you agree to the terms of the Arm Bug Bounty Program. Arm reserves the right to alter the terms and conditions of this program at any time and its sole discretion.
Sustainable
Visma
€100 – €7,500
Visma delivers software that simplifies and digitizes core business processes in the private and public sector. With presence across the entire Nordic region along with Benelux, Central and Eastern Europe, we are one of Europe’s leading software companies.
We want to engage with responsible security researchers around the globe to further secure our services. No code is flawless and we believe that taking part in the Intigriti community can help us improve the security of our systems.
Sustainable
The Coca-Cola Company Vulnerability Disclosure Program
Responsible Disclosure
The Coca-Cola Company is proud of our researcher community and the impactful findings they have provided over the years. We are bringing our VDP program to Intigriti to further our community growth and provide some exciting changes around our VDP reward structure.
For more information about VDP rewards, please see the FAQ section below.
Uphold
Up to €6,000
Uphold is a global digital financial platform that enables users to buy, sell, and trade a wide range of assets, including cryptocurrencies, traditional fiat currencies, and precious metals. Operating in 140+ countries and supporting 300+ assets, Uphold provides secure multi-asset trading, instant transactions, and enterprise financial solutions.
As a blockchain business, trust and security are fundamental to our success. Our reputation and brand image depend on maintaining the highest security standards, which is why security is a top priority at Uphold. This bug bounty program is a key part of our commitment to proactively identifying and mitigating security risks before they can impact our users or financial systems.
As a researcher, you will be analyzing Uphold’s web applications, APIs, and mobile platforms, which facilitate multi-asset trading, financial transactions, and account management. Your contributions will help protect user funds, ensure transaction integrity, and enhance authentication security in a highly regulated financial environment.
Review the program scope, rules of engagement, and testing guidelines carefully before submitting a report. We reward well-documented, high-impact security findings that strengthen the safety of our platform and uphold the trust of our users.
Exact Vulnerability Disclosure Program
Responsible Disclosure
Exact
Exact is the business software market leader in the Benelux. We are the go to provider for companies looking to automate their accounting, financial, ERP, HRM and CRM processes. We also offer a range of industry specific solutions to fully manage all of your business processes needs.
Exact Online (Premium), is currently in an invite-only Bug Bounty Program.
For a Complete view on Exact Products - https://www.exact.com/products & https://www.exact.com/products/accountancy
Rivian Bug Bounty
$100 – $5,000
Rivian exists to create products and services that help our planet transition to carbon neutral energy and transportation. Rivian designs, develops, and manufactures category-defining electric vehicles and accessories and sells them directly to customers in the consumer and commercial markets. Rivian complements its vehicles with a full suite of proprietary, value-added services that address the entire lifecycle of the vehicle and deepen its customer relationships.
Kiwa Vulnerability Disclosure Program
Responsible Disclosure
Kiwa is an autonomous global organization in Testing, Inspection and Certification (TIC), training and consultancy services. We create trust by contributing to the transparency of the quality, safety and sustainability of your organization’s products, services, processes, systems and employees, as well as personal and environmental performance. You have the ambition and we help you to go forward!
Sustainable
Visma Responsible Disclosure
Responsible Disclosure
Visma delivers software that simplifies and digitizes core business processes in the private and public sector. With presence across the entire Nordic region along with Benelux, Central and Eastern Europe, we are one of Europe’s leading software companies.
We want to engage with responsible security researchers around the globe to further secure our services. This program is dedicated for all Visma assets (services, products, web properties).
Intergamma
€50 – €5,500
Intergamma is the biggest DIY retailer of The Netherlands and Belgium with three brands: GAMMA Nederland, GAMMA België, and KARWEI. We have almost 400 DIY stores and operate three eCommerce websites.
Our strategy is to be the best omnichannel retailer of the Netherlands and Belgium. This means offline and online are converging, and eCommerce is a growth market. Therefore a secure platform is paramount.
For more information on our organization please visit https://www.intergamma.nl/
Capital.com
Up to €15,000
Capital.com, voted ‘Most Innovative Tech 2021’ by TradingView is a multi-award winning global investment trading platform authorised and regulated by the UK’s Financial Conduct Authority, the Cyprus Securities and Exchange Commission, and the Australian Securities and Investments Commission. Recognised for its quality 24/7 customer support, seamless trading experience and competitive fees, Capital.com is a fast-emerging leader in the European leveraged trading industry.
Sustainable
intigriti
€50 – €13,337
At intigriti, we practice what we preach. We’ve built the platform with the greatest care and attention for security, but all software contains bugs and we are no exception to this rule. We encourage you to responsibly disclose any security vulnerabilities you may encounter and we will reward you accordingly.
Water-Link
€50 – €5,000
All life needs water.
Both people, their company and their environment must at all times have water in the right quantity, of the right quality, at the right time. This water must be supplied within the safety of well-thought-out infrastructures for supply and discharge of water.
Water-link wants to inspire everyone to fully tap into the strengths of water.
Water-link is a Flemish public organisation that directly or indirecty provides drink water to more than 3 million people.
Universitätsspital Zürich VDP
Responsible Disclosure
VULNERABILITY DISCLOSURE PROGRAM (VDP)
Above all else, University Hospital Zurich is committed to the care and improvement of human life. Part of that mission is to protect our patients, people, systems, and facilities. We want encourage security researchers to feel comfortable reporting vulnerabilities they’ve discovered to us in good faith.
Grafana Labs
$10 – $15,000
Grafana Labs is the company behind Grafana, Loki, Mimir and Tempo, the leading open source software for visualizing operational data.
We are thrilled to invite you to participate in our bug bounty program in partnership with Grafana Labs' security team. Before beginning your research, we kindly request that you carefully review this program's scope. This will ensure that your efforts align with our objectives and that you receive proper compensation for any findings that meet the program's criteria. Happy hacking!
Orbia Responsible Disclosure
Responsible Disclosure
Orbia is a purpose-led manufacturing group of companies, passionate about the challenges that define how people will live and thrive tomorrow to deliver strategic, collaborative, and human-centered solutions. As part of our commitment to security, we invite researchers to participate in the disclosure program, helping us ensure protection of our systems.
Join us in identifying and reporting vulnerabilities to maintain the highest standards of security for our customers and partners.
Humo
€25 – €2,200
Humo brings high-profile cover stories and revealing interviews and files. And that with a characteristic approach: reliable information, a critical attitude and a sense of humor and self-relativity. The reader is treated every week on articles about television, society, sports, culture and pop, sharp columns and quirky discussions of TV programs, books, films and music.
Voi Scooters
Up to €3,500
Voi is europe's biggest micro-mobility operator based in Stockholm, Sweden. We manage a system of electrically powered scooters and bikes around urban centers. We provide an affordable, sustainable, and exhilarating way to commute while helping people to reduce their carbon footprint and cities to have a more sustainable transportation network. We are excited to work with and reward the community of security researchers to continuously improve our security position.
RIPE NCC
Up to €2,000
We're an independent, not-for-profit membership organisation that supports the infrastructure of the Internet through technical coordination in our service region. Our most prominent activity is to act as the Regional Internet Registry (RIR) providing global Internet resources and related services (IPv4, IPv6 and AS Number resources) to members in our service region.
Speakap Responsible Disclosure
Responsible Disclosure
Since 2010, Speakap has helped more than 400 companies across 120 countries, 42 languages, and many time zones, reach their full potential with more productive employees. With an award-winning, easy-to-use employee app, Speakap empowers company leaders to share the right content with the right people at the right time. Speakap boasts very high adoption rates with users logging in almost 6x a day for 50+ seconds per time.
Driessen Vulnerability Disclosure Program
Responsible Disclosure
Driessen is a staffing agency for government, education and other vital sectors. We have been working exclusively for vital sectors for 30 years, making us one of the largest staffing agencies in the Netherlands. On our platform users can manage their jobs and employees (for employers). For example: candidates can find jobs and apply; employees can see payslips and send in declarations; employers can open a new job with a new vacancy or a payroll request.
TrueLayer
€75 – €6,000
TrueLayer is opening up finance and changing the way the world pays. Empowering businesses in every industry to create first-class financial experiences for their customers.
We build on top of the Open Banking and PSD2 standards to provide APIs for our customers to use to provide financial data and payment initiation services.
House of HR Vulnerability Disclosure Program
Responsible Disclosure
House of HR is a leading HR services group active all over Europe. Our entrepreneurial spirit drives us to provide specialized solutions in two key segments: Specialized Talent Solutions and Engineering & Consulting. Our decentralized model empowers rapid decision-making across our Powerhouses.
If you find a security bug in one of our apps, this is the place to report it!
Happy hunting! 🏹
Housing Application (huisvestingsapp) Bug Bounty Program
Up to €2,000
At KU Leuven, we are committed to ensuring the integrity of our Housing Application Program. This program allows both new and returning students to apply for a room in KU Leuven Central Services Residences, helping them find the right accommodation.
As with all our platforms, we recognize that vulnerabilities can exist, and we encourage researchers to report any security issues they may discover within this application. If you identify a vulnerability while using the application, please follow our disclosure guidelines to report it safely and responsibly.
Your contributions help us maintain a secure and seamless experience for all students!
Bühler Group VDP
Responsible Disclosure
Every day, billions of people come into contact with Bühler technologies to meet their basic needs for food, mobility, and more. Our technologies are in your smartphone, solar panels, diapers, lipstick, banknotes, the food you eat, and the vehicles you drive. We strive to innovate for a better world, with a special focus on healthy, safe, and sustainable solutions.
Learn more about Bühler at www.buhlergroup.com.
Veriff Bug Bounty
€5 – €6,000
At Veriff we are passionate about creating a safer environment online. Our mission is to bring transparency to the digital world.
We take the security of our systems seriously, and we value the security community. The disclosure of security vulnerabilities helps us ensure the security and privacy of our users. We ask all researchers to follow the guidelines provided.
Monzo Public Bug Bounty Program
£125 – £12,500
Welcome to the Monzo public bug bounty program! 🚀
At Monzo we aim to create a banking service that makes our customers financial lives better and easier. Our mantra is “make money work for everyone” and we mean it! 👍
We have created several apps to provide intuitive, helpful, and enjoyable experiences across our range of products 💖.
We won’t sacrifice security though! So if you find a security bug in one of our apps or services, this is the place to report it!
Happy hunting!
Sustainable
Sqills
Sustainable
eHealth Hub VZN KUL
Up to €2,000
The national project “eHealth Hubs & MetaHub” coordinated by the eHealth platform is meant to make medical results from hospitals (and in the near future medical laboratories) available to any caregiver who currently is treating the patient . For detailed information see https://www.ehealth.fgov.be/nl/zorgverleners/online-diensten/hubs-metahub and the URL in the next paragraph. This system supplements the traditional system of addressed ‘email type’ communication to individual referrers.
Before medical data about a patient can be shared, that patient has to grant the ‘eHealth informed consent’ (see http://www.patientconsent.be ).
Further, care providers declare a therapeutic relationship with the patient.
Communication between the hubs and between external physicians and a hub is according to the KMEHR standard: https://www.ehealth.fgov.be/standards/kmehr/content/page/web-services
The scope of this project is confined to the hub exploited by VZNKUL (Vlaams Ziekenhuis Netwerk KU Leuven) implementation of this hub system. The central metahub hub from the Belgian government, the other hubs, and the systems at other partners of this project are out of scope.
OVO VDP
Responsible Disclosure
Who is OVO?
- We launched in 2009 with a belief that energy could be better. We’re helping UK homes on the Path to Zero. https://www.ovoenergy.com/about
What do we do?
- OVO is a leading energy technology company determined to create a world with clean, affordable energy for everyone.
Relationship to bug bounty?
- No technology is perfect and OVO believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology.
Personio
€50 – €5,000
Personio is Europe's leading HR Software for SMEs - your one-stop HR solution with automated processes, seamless integrations, and data-driven insights. Our Security Team knows that a solid Bounty Program helps build customer trust in our platform. So we are looking forward to working with you to help hold our platform up to the highest of standards.
Lansweeper Bug Bounty Program
€50 – €6,000
Lansweeper is an IT asset management software provider helping businesses better understand, manage and protect their IT devices and network. Lansweeper helps customers minimize risks and optimize their IT assets by providing actionable insight into their IT infrastructure at all times, offering trustworthy, valuable, and accurate insights about the state of users, devices, and software.
InnoGames
€50 – €4,500
InnoGames (www.innogames.com) is one of the leading German developers and publishers of mobile and browser games and a certified Great Place to Work®. The climate-neutral company based in Hamburg was founded in 2007 and is now part of Modern Times Group (MTG). Together with 350+ employees from over 40 nations, the company founders develop unique games that provide many years of fun for millions of players around the world. InnoGames is best known for Forge of Empires, Elvenar and Tribal Wars, but the company is continually expanding its now 10-game portfolio across platforms and genres. Most recently, InnoGames launched Heroes of History, a novel combination of city-building and hero-collection.
DHL Group Vulnerability Disclosure Program
Responsible Disclosure
DHL Group is a global logistics company providing services in express delivery, freight transportation, supply chain management, e-commerce solutions, as well as postal and parcel services. As part of our commitment to security, we invite researchers to participate in our vulnerability disclosure program, helping us ensure protection of our systems. Join us in identifying and reporting potential vulnerabilities to maintain the highest standards of security for our customers and partners.
Yahoo Bug Bounty
$100 – $15,000
Welcome to Yahoo
Yahoo is a global media and advertising company connecting people to their passions. With one of the largest online audiences in the world, Yahoo brings people closer to what they love — from finance and commerce, to gaming and news — with the trusted products, content, and tech that fuel their day. For partners, we provide a full-stack platform to amplify businesses and drive more meaningful connections across advertising, search, and media.
De Morgen
€25 – €2,200
De Morgen has a broad view of the news with attention to political current affairs, culture and media. The editors are critical, dig deeper and often make the news of the day under the motto more insight, more salmon.
De Morgen is aiming for an open-minded audience that is looking for qualitative news coverage, background and interpretation of the news. The newspaper looks young and fresh and has won international prizes with its design.
Het Laatste Nieuws
€25 – €2,200
HLN.be is the number one news site in Flanders. 24/7 news with a focus on current events, sports and entertainment. The editors know how to keep their finger on the pulse at all times: on average every 4 minutes a new article appears on the news site. Readers consume their news more and more fragmented through their social media, so it is important for HLN to stay top of mind with its own app.
ING Responsible Disclosure
Responsible Disclosure
Responsible Disclosure indicates ING’s continued commitment to improve its security posture. As part of this process, we work closely with security researchers to identify and report vulnerabilities they find within our systems.
ING appreciates security researchers efforts in reporting vulnerabilities on its systems as long as the discovered vulnerability is in scope, detected without the use of intrusive testing techniques, and follows the disclosure guidelines below:
Social Deal
€25 – €750
Thank you for visiting our program, we are happy with ethical hackers who want to look have a into our security with an objective view.
Social Deal is an online platform for consumers to buy the best deals in their region. With these deals they can discover restaurants/hotels/beauty/zoo and many other retailers for the best price. Social Deal is active in Netherlands, Belgium and Germany.
Our customers trust our brand. We want to be sure the data is protected to keep our brand value high.
Torfs
€25 – €6,500
Torfs - the well-known shoe retailer in Belgium - is still a 100% family business today. This family character guarantees a number of important values within the company where employees are central. A head office in Sint-Niklaas and a spectacular distribution center in Temse offer support to the points of sale and customers of the E-Commerce website. With more than 80 stores in Flanders, 2 shops in the French part of Belgium and a growing online shop in Belgium, The Netherlands and several marketplaces, Torfs wants to be and remain the most customer-friendly optichannel shoe store chain.
Arbonia VDP program
Responsible Disclosure
We are happy to relaunch our public VDP program! We've done our best to clean up our issues and now would like to request your help to spot the ones we missed!
We start with just a few domains and want to continously increase our scope at regular intervals. So keep checking this page from time to time to see if there is anything new to find.
⚠️ Only submissions that follow the Rules of Engagement (e.g., using an intigriti.me email) and are not Out of Scope will be considered valid. Actions like mail bombing, denial of service, changing/removing data or parameters, or interfering with asset functionality are strictly forbidden and not protected by the safe harbor clause. Always aim to prevent harm, review all relevant sections before starting and follow the rules of engagment.
Arbonia is one of the world's leading interior brands for doors, showers, and dividing systems made from wood, glass and metal. The company, which is listed on the SIX Swiss Exchange, is active as a leading supplier in Western, Central, and Eastern Europe with its own distribution companies. Its main production sites are located in Switzerland, Germany, Poland, Spain, Czech Republic, Portugal, and France. A total of around 3'700 employees work for the Arbonia.
Tomorrowland
Up to €2,500
Tomorrowland is one of the most-loved and best-known music festivals on the planet. Because of this Tomorrowland usually sells out in minutes and manages a large fanbase. Tomorrowland also innovates by providing its visitors cashless onsite payments and a wide range of online services. This has increased Tomorrowland's digital footprint. We value all help we can get securing this digital footprint.
Online enrollment for students Bug Bounty Program
Up to €2,000
Our Online Enrollment for Students Application allows students to apply for educational programs at the university or university colleges. Each year, approximately 40,000 applicants enter their personal information and educational preferences through this platform.
As with all of our systems, we strive to maintain a secure and seamless experience. We invite researchers to challenge the security of our Online Enrollment for Students Program by identifying and reporting any vulnerabilities they may find. Your contributions help us protect the sensitive information of our applicants and ensure the integrity of the enrollment process.
Axel Springer SE Vulnerability Disclosure Program
Responsible Disclosure
Axel Springer SE, headquartered in Berlin, is a leading digital publisher known for its wide range of news outlets, magazines, and classifieds. Embracing digital innovation and transformation, the company prioritizes data protection and system integrity.
To bolster its digital ecosystem's security, Axel Springer runs a vulnerability disclosure bug bounty program, encouraging cybersecurity experts to find and report vulnerabilities in its digital environment.
CM.com
€25 – €3,500
CM.com is a listed company that provides Conversational Commerce services from its hybrid cloud platform with in-house developed software.
CM.com’s customer base is spread over 118 countries, generating messages to more than 220 destinations.
Customers include Tier 1 enterprises, government agencies, as well as small and medium sized enterprises.
We offer API's for most of our products. You may find the documentation here: https://developers.cm.com
Delen Private Bank
€100 – €15,000
Delen Private Bank is a family-based specialist in asset management, focused on wealth preservation, growth and careful planning. Our core values - entrepreneurship, personal service and long-term vision – inspire us to apply a proactive yet prudent investment philosophy. Honest, no-nonsense products and services help our clients to enjoy the good and beautiful things in life – both today and tomorrow.
Sustainable
UZ Leuven
€50 – €5,000
UZ Leuven is a university hospital where patients can count on specialised care and innovative treatments, combined with humane attention and respect for every person.
Every day, almost 10,000 passionate employees provide the best possible custom-made care.
Future care providers and employees receive high-quality training in UZ Leuven, with a view lifelong learning and innovation. As a pioneer in clinical research, the hospital also contributes to future patient care.
Red Bull
Responsible Disclosure
Red Bull appreciates the work of security researchers to make the internet a better - and more secure - place. Even though we aim to prevent security issues by applying state-of-the art development and operations processes, systems and technical services outside our direct control might have vulnerabilities and weaknesses and we aim to identify and address those before any negative impact occurs.
As appreciation we have a unique reward system in place, please see FAQ for more information.
KU Leuven Responsible Disclosure Program
Responsible Disclosure
At KU Leuven, we are committed to maintaining high standards of security for our systems and user data. We value the research and expertise of security researchers and ethical hackers who help us identify potential vulnerabilities before they can be exploited. Therefore, we would like to invite you to help us in this effort.
Our Responsible Disclosure Program allows working closely with security researchers to identify vulnerabilities. By participating in our program, you are helping us maintain the security and integrity of our systems, ensuring a safer experience for all. KU Leuven appreciates the effort and commitment of all contributors, as long as the vulnerability is within scope, is detected without intrusive testing, and follows the disclosure guidelines.
Thank you for your contribution to our security!
Note: We may award a bonus if we determine that a serious vulnerability has been discovered and the quality of the report meets our standards for thoroughness and clarity.
Recent Bonus Awards:
- 2022: €2000
- 2023: €2500
Wolt
€100 – €3,500
We provide a platform for:
- Businesses to sell products (like food, clothing and even electronics).
- Customers to purchase such products and get them delivered by Wolt couriers.
- Wolt couriers to receive and manage delivery requests.
We have more than 30 million registered users and we operate in 20+ countries. Read more about us: https://wolt.com/en/about.
Zabka Group Vulnerability Disclosure Program
Responsible Disclosure
Żabka Group is the ultimate convenience ecosystem that aims to make people’s lives easier. We accompany consumers at every moment of the day, freeing up their time through the possibility of convenient grocery shopping, have a hot meal on the go, send a package, withdraw cash or take advantage of a dietary catering with delivery.
We are aware, that despite our greatest efforts, our knowledge may not be sufficent to keep us safe. Therefore we started our vulnerability disclosure program because we believe that working closely with skilled security researchers is beneficial to for all parties.
Cyber Security Coalition
Responsible Disclosure
The Cyber Security Coalition is a unique partnership between players from the public and private sector to join forces in the fight against cybercrime. We are bringing together the skills and expertise of members on a trust-based platform. A lot of information is publicly available on our website but there is also protected data not publicly viewable. We are a reference in security and it is obvious that our website should be secure! We are happy to have your help in finding any vulnerabilities!
9altitudes - Vulnerability Disclosure Program
Responsible Disclosure
The 9altitudes Vulnerability Disclosure Program (VDP) program to review no-bounty assets.
9altitudes is a European player with the main office in Belgium providing digital transformation for our customers focused on 3 main industry clusters – manufacturing, services, and wholesale & distribution. As a Microsoft Gold partner, we are mostly Microsoft-oriented with some own-IP and are an ever-expending organization by way of merge & acquisition.
Sustainable
Nexuzhealth
Up to €4,000
Website + Android Apps + iOS Apps
Android Apps
KWS Companion
The application is only to be used by doctors and no logon information will be given.
mynexuz CPV
The application is only to be used by personnel of UZ Leuven responsible for transport of patients and no logon information will be given.
mynexuzhealth app
This application is intended to be used by patients in order to consult their private data, their doctors & appointments and more. Login: see below.
iOS Apps
KWS Companion
The application is only to be used by doctors and no logon information will be given.
Website
mynexuzhealth website
This website is intended to be used by patients in order to consult their private data, their doctors & appointments and more. Login: see below.
In order to be able to logon to the mynexuzhealth website and app, an ethical hacker will need to request one or more logon credentials via the platform. You can request this information via support (support@intigriti.be). The information they will receive is
- A user ID of 8 numbers
- A PIN code of 4 numbers
- A QRCode
Digitaal Vlaanderen
Responsible Disclosure
"Digitaal Vlaanderen" is the IT and digital transformation departement within the Flanders’ governmental IT. Positioned as the digital gateway and data broker between all Flemish government entities, we want to be at the top of our game. Our security ought to be too. For this program we are focusing at first instance on some of our main assets.
BMW Group Automotive
€100 – €15,000
The BMW Group looks forward to working with the security community to find vulnerabilities in order to keep its products and customers safe and secure. We are committed to working with you to verify, reproduce, and respond to legitimate reported vulnerabilities covered by this policy. Within this program bounties can be received by reporting vulnerabilities that are in the scope of program and marked as “Eligible”. Please take note of the current scope outlined below.
BMW Group
€150 – €6,000
With its four brands BMW, MINI, Rolls-Royce and BMW Motorrad, the BMW Group is the world’s leading premium manufacturer of automobiles and motorcycles and also provides premium financial services. Our vehicles and products are tailored to the needs of our customers and constantly enhanced. We place special emphasis on the security, integrity and availability of our data and systems and thus also on those of our customers, employees and partners.
RGF BE - VDP
Responsible Disclosure
RGF Staffing Belgium is part of global player RGF Staffing, one of the world's largest HR services providers, with activities in Australia, Asia, Europe and North America. With a focus on digital platforms, we allow our candidates & customers using selfservice solutions we provide. As an HR company, a lot of PII-data is managed internally. We want to be an example within the market to guarantee the confidentiality of our data, following the highest information security & privacy standards.
Venly
€50 – €5,000
Venly is a blockchain technology company providing developer-friendly solutions to help businesses seamlessly integrate Web3 capabilities into their applications. Our mission is to make blockchain accessible for everyone by offering secure, scalable, and easy-to-use tools for developers, enterprises, and end users.
With a strong focus on user experience, security, and innovation, Venly delivers a suite of blockchain infrastructure solutions, including:
* Venly Wallet – A secure, multi-chain digital wallet solution with a user-friendly UI and developer API for seamless blockchain asset management.
* Venly NFT Tools – A complete NFT suite enabling brands and game developers to integrate digital collectibles effortlessly.
* Venly Onboarding Solutions – Secure authentication and blockchain identity solutions that simplify Web3 adoption.
Venly’s enterprise-grade security and compliance standards ensure businesses can safely leverage blockchain technology while maintaining top-level security and regulatory alignment. Our tools are trusted by global brands, gaming studios, and financial institutions to power next-generation decentralized applications.
This program focuses primarily on Venly Wallet UI and Wallet API, which provide secure and accessible blockchain wallet solutions for businesses and users worldwide.
Tweakers
€50 – €2,200
Tweakers is a Dutch technology website featuring news and information about hardware, software and the Internet. We take security very serious as many of our users use our site as a trusted source. Therefore we have decided to collaborate with ethical hackers that can inform us about potential vulnerabilities in our systems. If you happen to find a vulnerability we'd be more than happy to hear about it and, if its impact is significant enough, award you a bounty as token of appreciation.
Kinepolis Group
Up to €5,000
Our website is a way to inform and inspire customers about the latest and brightest. It allows to:
• Get up to date information about the movies and events we offer;
• Choose your favorite movie theater, pick a date and time;
• Buy tickets and enhance your experience by choosing for ‘cozy seat’ instead of our normal seats. Just in case you want to have a ‘cozy night’ with your significant other!
Cry of laughter or maybe some scary movies are your favorite ones. Via a My Kinepolis account we target movies and unique promotions based on your preferences.
While researching our website you can already explore our schedule and plan your next trip to one of our movie theaters. We are ready to be challenged!
Sustainable
Port of Antwerp-Bruges
€50 – €4,500
The Antwerp-Bruges Port Authority has a key role in the port's day-to-day operation. The Port Authority manages and maintains the docks, the bridges, the locks, the quay walls and the land. The personnel is also responsible for safe shipping traffic in the docks, the bridges and locks. In addition, the Port Authority provides tugs and cranes, carries out dredging work and promotes the port at home and abroad.
Sixt
Responsible Disclosure
With more than 6,900 employees worldwide, SIXT combines global car rental and local share solutions, ride hailing-services as well as car subscriptions in one of the world’s largest mobility platforms. With just one app – the SIXT App – we offer our customers digital access to more than 200,000 vehicles and around 1.5 million connected drivers in approximately 110 countries worldwide. Besides its own range of vehicles, SIXT also integrates services from more than 1,500 mobility partners.
Citymesh Responsible Vulnerability Disclosure Program
Responsible Disclosure
Welcome to the Responsible Vulnerability Disclosure Program of Citymesh.
Citymesh is one of the Telecommunication Operators in Belgium. Citymesh helps its customers with the implementation, integration, and maintenance of network infrastructure. Citymesh wants to offer its customers quality connectivity solutions that help them achieve their business goals.
Aikido Security: Bug Bounty Program
€50 – €2,500
Aikido Security is an automated application security platform designed specifically for software engineering teams.
We secure your entire stack - code, open-source dependencies, infrastructure, and more and integrate into your existing workflows to provide visibility and control across your entire application infrastructure.
SimScale
€50 – €6,000
SimScale enables engineering teams to access accurate and fast simulation, on their terms, without compromises. We make engineering simulation technically and economically accessible from everywhere, at any time, and at any scale, in the cloud. We deliver instant access to fluid, thermal, and structural simulation to over 300,000 users. With SimScale, engineering simulation has moved from a complex and cost-prohibitive desktop application to an inclusive, agile, cloud-native simulation platform.
Signicat Responsible Disclosure
Responsible Disclosure
Signicat is Europe's leading provider of digital identity solutions.
Our mission is to enable trust in the digital world by providing secure, seamless, and compliant identity solutions. We empower businesses and individuals to verify, authenticate, and manage identities with confidence—ensuring trust at every step of the customer journey, from onboarding to offboarding.
Axel Springer National Media & Tech
€15 – €2,500
AS National Media & Tech (NMT) is a subsidiary of Axel Springer SE, a leading international media company. We develop and operate digital products for Germany’s top news brands, reaching over 50 million users each month.
At Axel Springer, we stand for free journalism and unrestricted access to information, allowing people to make free decisions. To protect this, the security of our platforms and users is our top priority. Your contributions help us keep them safe.
Allegro
€100 – €3,500
Allegro sp. z o.o. (hereinafter referred to as “Allegro”) is a leading online marketplace platform in Poland offering a wide range of products across various categories. Allegro provides a secure, user-friendly interface for customers to shop and sellers to list their items.
At Allegro we take security seriously and we believe that working with skilled security researchers is crucial in identifying weaknesses. If you have found a security issue in our service, we encourage you to notify us.
WP Engine Bug Bounty
Up to €2,500
Welcome! WP Engine invites you to evaluate our products and platforms. WP Engine equips its customers with a suite of agility, performance, intelligence, and integration solutions, so you can build and deploy a range of online experiences from campaign sites to content hubs to e-commerce extensions. Good luck and happy hunting!
Sustainable
Suivo bug bounty
Up to €2,000
The Suivo Web Platform provides access to Tracking data from vehicles equiped with Suivo hardware. The platform is built around 4 components:
- Real-time Tracking data
- Analytics based on historical Tracking data, both in a web view en generated reports
- Communication: tasks and messages
- Fleet management (Maintenance planning etc.)
Revolut VDP
Responsible Disclosure
Revolut is a financial technology company that offers banking services. It offers accounts featuring currency exchange, debit cards, virtual cards, interest-bearing "vaults", commission-free stock trading, crypto, commodities, and other services to over 50M customers.
Please visit our website for more information: www.revolut.com
Mobile Vikings
Up to €5,000
True Vikings never entered the battlefield without their helmets. And we believe a secure environment, just like free access to open communication, is a worldwide human right. But even the best Viking Drakkars may sometimes encounter vulnerabilities. Brave sailors who discover leaks should be honored - not executed. Together with you and our broad community, we want to create a secure and safe environment for everyone.
Fing Bug Bounty Program
€50 – €3,500
Fing device recognition is the foundation of digital products. Just from the MAC address, Fing can recognise all wireless and wired devices in home, office or enterprise networks by type, make, model and OS (name and version). Fing device intelligence and knowledge give you full visibility of your connected environment.
The free Fing App identifies connected devices, troubleshoots network and device issues, detects network intruders and runs Wi-Fi and internet speed tests anywhere.
Donorbox VDP
Responsible Disclosure
Donorbox is a technology company established in 2014. The company provides an online fundraising platform enabling individuals and nonprofit organizations to facilitate online donations. The platform is utilized by various types of organizations, including charities, religious institutions, schools, animal welfare groups, political campaigns, among others.
Skoda Auto Bug Bounty Program
€200 – €5,000
This Bug Bounty program is an official and first program run by Škoda Auto a.s.
It is focused on the newest version of MyŠkoda mobile application available for iOS and Android.
We appreciate the possibility to work with you either remotely or by joining us at the factory and testing the app within our cars!
In advance, we thank you for your time and invite you to step into the era of a proactive approach to cyber security together!
Škoda Auto a.s.
Henkel
Responsible Disclosure
Henkel operates globally with a well-balanced and diversified portfolio. The company holds leading positions with its three business units in both industrial and consumer businesses thanks to strong brands, innovations and technologies. Founded in 1876, Henkel looks back on more than 140 years of success. Henkel’s preferred shares are listed in the German stock index DAX.
SBB - Swiss Federal Railways
€25 – €5,000
SBB operates Switzerland's national railway network, providing passenger and freight transportation services.
Welcome to our public Bug Bounty program.
We are specifically looking for:
* Leaking PII Data (customer)
* Data manipulation
High performance researcher may be invited to our private programs!
Sustainable
Here Technologies
Up to €2,000
HERE Technologies, is a global company that’s rooted in the evolution of digital maps and location technology. We offer a location data and technology platform, that moves people, businesses and cities forward by harnessing the power of location. The HERE platform caters to a variety of tasks related to bringing your own data, map, service, logic and algorithms for location enrichment.
Canada Post + Purolator - Responsible Disclosure Program
Responsible Disclosure
Canada Post is the country’s leading provider of business-to-consumer delivery. Reaching more than 16.2 million addresses, and operating the country’s largest retail network of over 6,200 post offices.
Purolator is Canada’s leading integrated freight, parcel and logistics solutions provider. Purolator continues to expand its reach and renowned service levels and reliability to more people, more businesses and more places across the country and around the world.
Azena
Responsible Disclosure
We are an award-winning German startup with locations in Munich, Eindhoven and Pittsburgh. We are 100% funded by the Bosch Group.
Our goal is to be the leading open platform and marketplace for smart security and safety solutions. The platform we offer is based on a camera operating system that powers cameras from various manufacturers on the market. It connects to our Application Store where leading video analytics development companies offer cutting-edge apps.
WP Engine VDP
Responsible Disclosure
WP Engine invites you to test the WP Engine and Flywheel Digital Experience Platforms. WP Engine equips its customers with a suite of agility, performance, intelligence, and integration solutions, so you can build and deploy a range of online experiences from campaign sites to content hubs to e-commerce extensions. Good luck and happy hunting!
De Lijn
Responsible Disclosure
De Lijn is the Flemish public transportation company dedicated to giving their customers a comfortable and quick ride. Due the fact that we use the latest IT equipment and servers is our security ought to be at the top of our game. For this program we are putting the focus at our web clients, APIs and of course the mobile application.
Aikido Security: Zen by Aikido
€100 – €3,500
Zen by Aikido is an embedded security engine for autonomously protecting applications against common web attacks, like shell injection and SQL injection. We do so by hooking into sinks, validating them together with the incoming user input and in case the request is malicious, we block the request. It's similar to a traditional WAF, but with the full context of the called code and the user's input.
e-tracker
Responsible Disclosure
This is an application which is accessed by bpost contractual customers like Amazon, zalando who can login and track the parcels history which was announced by them to bpost for handling.
Only the specific logged in senders can view thier own parcel status, not cross sender accounts.
Ninja Kiwi Games Bug Bounty program
€75 – €4,125
Creators of hit computer game franchises Bloons, Bloons TD and SAS: Zombie Assault for mobile and web. We have offices in Auckland, New Zealand and Dundee, Scotland. We are excited to engage with the security community to help us keep our users safe and our services secure. This is our second Bug Bounty program after a successful campaign in 2021.
Nestlé VDP
Responsible Disclosure
In Nestlé we believe in the power of food to enhance quality of life for everyone, today and for generations to come.
IT Security is a top priority for us, we are committed to work with security researchers across the globe to help protect our systems and our customers' data from malicious activity and to further improve cyber security across our organization.
HRS Group VDP
Responsible Disclosure
As a pioneering force in the business travel sector, our company has redefined the landscape of corporate lodging and travel management through our innovative Lodging-As-A-Service platform. We facilitate seamless and secure experiences in lodging procurement, workspace management, and financial transactions for our global clientele. In an era marked by rapid technological advancements and stringent data protection standards, our commitment to maintaining robust information security is not only a regulatory mandate but a cornerstone of our customer trust and business excellence.
Our purpose is to revolutionize the business travel experience through our Lodging-As-A-Service platform, providing seamless, secure, and efficient lodging management, workspace solutions, and payment processing for businesses operating globally.
PDQ bug bounty program
€50 – €3,500
At PDQ our mission is to make device management simple, secure, and pretty damn quick. We know how important the security of our products is. We're a bunch of former sysadmins ourselves. Every decision we make revolves around ensuring our products are safe to use for managing your devices, which is why we have a bug bounty program. It’s a true win-win: We improve the security of our products, and you reap the rewards.
DataCamp
€25 – €1,500
DataCamp’s mission is to democratize data skills for everyone. Companies and teams of every size use DataCamp to close their data skill gaps and make better data-driven decisions. Data science and analytics are rapidly shaping every aspect of our lives and our businesses. There is incredible power in data—but only if you know what to do with it. DataCamp teaches 1,600+ companies and 7 million individuals from 180+ countries the skills they need to work with data in the real world.
PeopleCert VDP
Responsible Disclosure
PeopleCert is the global leader in the assessment and certification of professional and language skills, partnering with multi-national organisations and government bodies to develop and deliver market leading exams worldwide.
This policy is intended to give security researchers clear guidelines for conducting vulnerability discovery activities.
Intel®
$500 – $100,000
Intel® Bug Bounty Program
Intel Corporation believes that forging relationships with security researchers and fostering security research is a crucial part of our Security First Pledge. We encourage security researchers to work with us to mitigate and coordinate the disclosure of potential security vulnerabilities. By submitting your report, you agree to the terms of the Intel® Bug Bounty Program. Intel reserves the right to alter the terms and conditions of this program at its sole discretion.
Moralis VDP
2FA Required
Sustainable
Capture Our Flag
Up to €51,337
One submission and 51,337 reasons to get to it.
Cybersecurity is part of our nature and we understand that only by challenging our ways, we get to improve.
The Capture Our Flag program is a targeted challenge that leverages Intigriti's core assets: submissions.
This ensures our core product is secure at all times, and is a testament to the trust we build with our researchers and to our customers.
T&C Required
Sustainable
Telenet - Base - Wyre - Tadaam
€50 – €2,500
At Telenet we place great importance on the security of our systems and data. Despite the measures we take to optimise our security, it is nevertheless possible that something will slip through the net.
The brands that are part of Telenet group are Telenet, Base, Nextel and Tadaam.
Should you discover a security problem, we have a system in place for you to report it to us in a responsible way. We are happy to have your help to improve our systems and protect our customers even better.
Soundtrack Your Brand
€50 – €3,500
Soundtrack Your Brand offers music streaming services for businesses. We serve small customers like the café around the corner or larger brands like McDonald’s. Through our service customers have total control over the music and can manage locations across the world.
We provide a wide variety of playback options, from mobile apps to custom hardware, that our customers use to play music at their venues. They manage their account, music and locations via our web app.
EURid
Up to €6,000
EURid vzw is the registry operator of the .eu, .ею (Cyrillic script) and .ευ (Greek script) country code top-level domains (ccTLD) upon the appointment of the European Commission since 2003. As the registry operator, our biggest concern and priority is the stability and security of the .eu namespace.
We also develop and maintain YADIFA since 2012, a lightweight authoritative Name Server with DNSSEC capabilities.
2FA Required
Sustainable
Submit your research - Fast lane
Responsible Disclosure
Want to try a new technique or methodology on private bug bounty programs?
Submit your research, get invited to private programs, and start collecting bounties.