The purpose of this website is to publish general information about bpost and its subsidiaries and their respective activities.


Responsible disclosure



Tier 2
In scope

The use of automated tooling is forbidden! Do not submit forms more often than your test requires, and please submit them manually. Use your address in the form field to indicate that it's a test from this program.

Please use an address! This is mandatory!

We're interested in hearing about any issue that potentially compromises the security of our company or its users. Before submitting a vulnerability, make sure to check that it's not listed in our out-of-scope policy (which you can find below). If you have additional questions about our program, feel free to contact us through intigriti's support by using the button on the right-hand side (Ask scope question).

Out of scope


  • *
  • Self-XSS that cannot be used to exploit other users (this includes having a user paste JavaScript into the browser console)
  • Vulnerabilities that are limited to non-current browsers (older than 3 versions) will not be accepted.
  • CORS issues without a working PoC
  • Missing cookie flags on non-security sensitive cookies
  • Missing security headers which do not present an immediate security vulnerability
  • Cross-site Request Forgery (CSRF) with no or low impact (Logout/Logon CSRF, etc.).
  • Presence of autocomplete attribute on web forms.
  • Web content in our robots.txt file.
  • Reverse tabnabbing
  • DMARC/SPF/E-mail spoofing
  • Bypassing rate-limits or the non-existence of rate-limits.
  • Attacks requiring use of shared computers
  • Best practices violations (password complexity, expiration, re-use, etc.)
  • Clickjacking on pages with no sensitive actions
  • Comma Separated Values (CSV) injection
  • Host Header Injection
  • Sessions not being invalidated on logout
  • Text injection
  • HTML or CSS injection without a plausible attack scenario
  • Stacktrace disclosure with no sensitive data
  • Directory listings which do not contain sensitive files.
  • Use of HTTP with no sensitive data
  • Server status if it does not expose any sensitive data.
  • Tokens leaked against third parties
  • Pixel flood attack
  • Broken link hijacking
  • Username / email / order enumeration
  • E-mail bombing
  • Infrastructure
  • Recently disclosed zero-day vulnerabilities in commercial products where no patch or a recent patch (< 4 weeks) is available. We need time to patch our systems just like everyone else - please give us 4 weeks before reporting these types of issues.
  • Banner Exposure / Version Disclosure
  • Weak SSL configurations and SSL/TLS scan reports (this means output from sites such as SSL Labs)


  • Best practices concern
  • In case that a reported vulnerability was already known to the company from their own tests, it will be flagged as a duplicate.
  • Theoretical security issues with no realistic exploit scenario(s) or attack surfaces, or issues that would require complex end user interactions to be exploited, may be excluded or be lowered in severity
  • Spam, social engineering and physical intrusion
  • DDoS attacks or brute force attacks. The use of limited word lists for e.g. password guessing is allowed
  • For submissions that apply to a large number of endpoints due to a structural misconfiguration, only the first report will be accepted. The others will be marked as duplicates.
Rules of engagement


  • It’s forbidden to use automatic scanners - be creative and do it yourself! We cannot accept any submissions found by using automatic scanners. Scanners also won't improve your skills, and can cause a high server load (we'd like to put our time into thanking researchers rather than blocking their IPs :-))
  • Do NOT discuss bugs. You can send us a video as proof of concept, but remember to change its privacy settings to private

Reporting Guidelines

  • Provide detailed but to-the-point reproduction steps
  • Include a clear attack scenario. How will this affect us exactly?
  • Remember: quality over quantity!

Response timeframe

  • We will respond to reports within two weeks at the latest, probably faster!

Safe harbour for researchers

bpost considers ethical hacking activities conducted consistent with the Researcher Guidelines, the Program description and restrictions (the Terms) to constitute “authorized” conduct under criminal law. bpost will not pursue civil action or initiate a complaint for accidental, good faith violations, nor will they file a complaint for circumventing technological measures used by us to protect the scope as part of your ethical hacking activities.

If legal action is initiated by a third party against you and you have complied with the Terms, bpost will take steps to make it known that your actions were conducted in compliance and with our approval.

Severity assessment

Currently we don't give a reward. You could be elected though for a bonus.



Program specifics
ID check required
Reputation points