Bounties (Tier 2)

Low: € 0
Medium: € 500
High: € 1,500
Critical: € 2,500
Exceptional: € 5,000
Up to € 5,000
Domains

www.colruyt.be (Tier 2)

Description

Colruyt is a family business from Lembeek, in the province of Flemish Brabant, and was founded more than 80 years ago. Today, the small company has developed into a family of companies: Colruyt Group. A successful player, active in 3 countries with numerous store formats.

In scope

We're interested in hearing about any issue that could compromise the security of our company or its users. Before submitting a vulnerability, check that it is not listed in our out-of-scope policy (below). If you have additional questions about our program, feel free to contact us through intigriti's support by using the button on the right-hand side (Ask scope question).

Out of scope

All XTRA services are out of scope for this program.

The XSS in the search bar on colruyt.be is a known issue; please don't report it, as it will be marked as out of scope.

  • Duplicate reports of security issues, including security issues that have already been identified internally
  • Issues determined to be low impact may be excluded
  • Theoretical security issues with no realistic exploit scenario(s) or attack surfaces, or issues that would require complex end user interactions to be exploited, may be excluded or be lowered in criticality
  • Recently disclosed zero-day vulnerabilities in commercial products where no patch or a recent patch (< 2 weeks) is available. We need time to patch our systems just like everyone else - please give us 2 weeks before reporting these types of issues.
  • Self-XSS that cannot be used to exploit other users (this includes having a user paste JavaScript into the browser console)
  • Vulnerabilities that are limited to non-current browsers (older than 3 versions) will not be accepted.
  • Login page or any of our websites being served over HTTP.
  • Username / email enumeration
  • CORS issues without a working PoC
  • Missing cookie flags on non-security sensitive cookies
  • Missing security headers which do not present an immediate security vulnerability
  • Cross-site Request Forgery (CSRF) with no or low impact (Logout/Logon CSRF, etc.).
  • Presence of autocomplete attribute on web forms.
  • Web content in our robots.txt file.
  • Banner Exposure / Version Disclosure
  • Discovery of any in-use service whose version contains known vulnerabilities (such as a specific version of OpenSSL, Apache, Tomcat, etc.) without a demonstration of intrusion, information retrieval, or service disruption using that vulnerability

Rules of engagement

Guidelines

  • Provide detailed but to-the-point reproduction steps.
  • Include a clear attack scenario; a step-by-step guide in the PoC is highly appreciated.
  • Abide by the "Colruyt Policy for investigation of security problems" set of rules.
  • Please do NOT discuss bugs before they are fixed (this includes PoCs on YouTube and Vimeo).

Safe harbour for researchers

Colruyt Group considers ethical hacking activities conducted consistent with the Researcher Guidelines, the Program description and restrictions (the Terms) to constitute "authorized" conduct under criminal law. Colruyt Group will not pursue civil action or initiate a complaint for accidental, good-faith violations, nor will it file a complaint for circumventing technological measures used by us to protect the scope as part of your ethical hacking activities.

If legal action is initiated by a third party against you and you have complied with the Terms, Colruyt Group will take steps to make it known that your actions were conducted in compliance and with our approval.

Severity assessment

All our rewards are impact based, therefore we kindly ask you to carefully evaluate a vulnerability's impact when picking a severity rating. To give you an idea of what kind of bugs belong in a certain severity rating we've put some examples below. Note that depending on the impact a bug can sometimes be given a higher/lower severity rating.

Exceptional

  • Remote Code Execution

Critical

  • Access to all customer personal details
  • SQL injection

High

  • Stored XSS without user interaction
  • Privilege escalation
  • Authentication bypass on critical infrastructure

Medium

  • XSS that requires user interaction

Low

  • CSRF
  • Open redirect
  • DKIM, DMARC, SPF issues

FAQ

Can we create test accounts?
Only create test accounts using your intigriti.me email address, and limit yourself to 5 accounts (if you need more, ask).

