Description

Spaargids is a Belgian website that offers financial guidance. We continuously provide our users with the latest information regarding saving, loans, insurance and many more financial topics. We take security very serious as many of our users rely on us when they have to take financial related decisions. Therefore we have decided to collaborate with ethical hackers that can inform us about potential vulnerabilities in our systems. If you happen to find a vulnerability we'd be more to happy to hear about it and, if it's impact is significant enough, award you a bounty as token of appreciation.

Bounties
Low
Medium
High
Critical
Exceptional
Tier 2
€ 0
€ 100
€ 350
€ 550
€ 1,000
Up to € 1,000
Domains

www.spaargids.be

Tier 2
URL
excluding www.spaargids.be/forum/*
In scope

We're interested to hear about any issue that potentially comprimises our company or its user's security. Before submitting a vulnerability make sure to check that it's not listed in our out of scope policy. If you have additional questions about our program feel free to contact us through intigriti's support.

Please keep the impact on the site as minimal as possible by cleaning up submitted data and not impacting users other than yourself.

Only use your intigriti.me email address while testing

Please do not use automatic scanners

PLEASE DO NOT REQUEST ANY LEAD REQUEST (OFFERTE) WITHOUT USING YOUR INTIGRITI.ME ADDRESS (in case of violation, no bounty can be awarded)

Out scope

At this point a lot of reflected XSS vulnerabilities are reported, we need some time to fix these. Therefore, currently, we do not accept any reflected XSS.

PLEASE DO NOT REQUEST ANY LEAD REQUEST (OFFERTE) WITHOUT USING YOUR INTIGRITI.ME ADDRESS (in case of violation, no bounty can be awarded)

While we happily welcome any input from researchers that showcases a potential vulnerability in one of our services, we have assembled a list of issues which are out of scope for this program. Exceptions can be made if the researcher provides a realistic attack scenario that showcases a significant risk to our security.

Application specific

  • The forum located at: www.spaargids.be/forum/ Please do not try and perform tests on the forum, it is out of scope and will stay out of scope!
  • Violations against best practices that only have a theoretical chance of exploitation, e.g. (non-exhaustive list)
  • Lack of a strong password policy
  • Lack of security headers (Unless the lack of a header is the direct cause of a vulnerability)
  • Lack of rate limit on non-sensitive endpoints
  • Autocomplete functionality in forms
  • Insignificant information disclosure
  • Internal IP disclosure
  • Used software and their version
  • Descriptive error messages (Stack trace information, full path disclosure)
  • Lack of the X-FRAME-OPTIONS header (clickjacking)
  • User, and other insignificant, enumeration attacks
  • Vulnerabilities as reported by automated tools without additional analysis as to how they're an issue in the context of our application. If all we receive is scanner output that turns out to be correct, the submission will be accepted but no bounty will be awarded.
  • Vulnerabilities that require extensive social engineering
  • Self-XSS
  • XSS that is not exploitable in a modern browser
  • Content injection if the only attack scenario is social engineering
  • Issues that require your target to open the developer tools of a browser
  • Issues that require an attacker to have physical access to the target’s device or network traffic.
  • Weak SSL configurations and SSL/TLS scan reports (this means output from sites such as SSL Labs) Disclosure of used software and their version
  • CSRF issues with low impact
  • Sensitive information leaking to a trusted third party partner.
  • Lack of the secure or HttpOnly flag on cookies
  • Missing DMARC/SPF records

General

  • Open ports without an accompanying proof-of-concept demonstrating vulnerability
  • Weak SSL configurations and SSL/TLS scan reports (this means output from sites such as SSL Labs) Disclosure of used software and their version
  • 0-Day vulnerabilities in 3rd party software for which a patch has not been available for more than four weeks
  • Social engineering of our employees/support
  • Publicly accessible login panels
  • Any form of DoS/DDoS
  • Spamming
Rules of engagement

Guidelines

  • Please clean up remnants of your testing and do not interfere with the normal operation of the site.
  • Please do NOT use automatic scanners. We cannot accept any submissions found by using automatic scanners.
  • Provide detailed but to-the point reproduction steps
  • Include a clear attack scenario, a step by step guide in the PoC is highly appreciated
  • Suggestions for mitigation are appreciated as well
  • Do not exploit the identified leak: only collect the information necessary to demonstrate its existence.
  • Do not change or delete any data or system settings.
  • Handle any found data in a responsible manner: if you can demonstrate that there is a security problem with a small portion, do not go any further
  • Please do NOT publish/discuss bugs before they are fixed

Safe harbour for researchers

DPG Media considers ethical hacking activities conducted consistent with the Researcher Guidelines, the Program description and restrictions (the Terms) to constitute “authorized” conduct under criminal law. DPG Media will not pursue civil action or initiate a complaint for accidental, good faith violations, nor will they file a complaint for circumventing technological measures used by us to protect the scope as part of your ethical hacking activities.

If legal action is initiated by a third party against you and you have complied with the Terms, DPG Media will take steps to make it known that your actions were conducted in compliance and with our approval.

Severity assessment

All our rewards are impact based, therefore we kindly ask you to carefully evaluate a vulnerability's impact when picking a severity rating. To give you an idea of what kind of bugs belong in a certain severity rating we've put some examples below. Note that depending on the impact a bug can sometimes be given a higher/lower severity rating.

Exceptional

  • Remote Code Execution
  • Full database access (incl. update/delete)

Critical

  • Access to all customer personal details
  • SQL injection
  • Access to all user data or access to a targeted user

High

  • Stored XSS without user interaction
  • Access to random users their data
  • Privilige escalation
  • Authentication bypass on critical infrastructure

Medium

  • Reflected XSS (Out-of-scope until further notice)
  • CSRF with a significant impact

Low

  • Debug stack trace (if significant data is exposed)
  • Open redirect
FAQ

Can I receive a test account?
You can register for a test account on this page. Only create test accounts with your intigriti.me email address and limited to 3 accounts.

Is an English version of the site available?
No, we only offer this site in Dutch and French but we made sure that our vulnerabilities are in English ;-)

Can I submit identicial vulnerabilities that I can find in the Dutch and the French part as separate reports?
No, vulnerabilities that are identical between the Dutch and French part of the site are treated as duplicate as they use the same codebase.

All aboard!
Please log in or sign up on the platform

For obvious reasons we can only allow submissions or applications for our program with a valid intigriti account.

It will only take 2 minutes to create a new one or even less to log in with an existing account, so don't hesitate and let's get started. We would be thrilled to have you as part of our community.

Program specifics
ID check required
Reputation points
Triage
Activity
7/8
DPG Media
changed the in scope
11/6
DPG Media
changed the rules of engagement
11/6
DPG Media
changed the severity assessment
11/6
DPG Media
changed the severity assessment
2/1
DPG Media
closed a submission
1/30
DPG Media
closed a submission
1/30
DPG Media
closed a submission
1/29
DPG Media
closed a submission
1/29
DPG Media
closed a submission
1/28
DPG Media
closed a submission