Bounties

Tier 2 (€ 50 - € 5,000):

  • Low: € 50
  • Medium: € 250
  • High: € 1,000
  • Critical: € 2,500
  • Exceptional: € 5,000
Domains (all Tier 2, asset type URL)

  • *.das.eu
  • *.dns.eu
  • *.eurid.eu
  • *.nic.eu
  • *.registry.eu
  • *.whois.eu

Description

EURid is the registry manager of the .eu, .ею (Cyrillic script) and .ευ (Greek script) country code top-level domains (ccTLDs) since its appointment by the European Commission in 2003. We take the security of our systems and services seriously to ensure the protection and privacy of our users and customers and the stability and availability of our services. Nevertheless, if you stumble upon an issue you consider a vulnerability, let us know as soon as possible, following the guidelines below.

In scope

All sites and services listed in the Domains section.

Our authoritative name servers as displayed in the NS resource record set of the .eu or .ею top level domain:

dig ns eu. @nl.dns.eu
dig ns ею. @nl.dns.eu
dig ns ευ. @nl.dns.eu

as well as those referred to in the domains section:

dig ns eurid.eu. @nl.dns.eu
dig ns registry.eu. @nl.dns.eu
etc...

unless listed in the Out of scope section below.

Systems and services in our autonomous system number (ASN):

  • ASN35733

Out of scope

Any service or website linked to domain names in the .eu name space, which are not held by EURid as shown in the WHOIS. See https://whois.eurid.eu/ to determine the registrant of a domain name.

Any service or website under the domain names in scope that is not hosted in the autonomous system referred to in the "In scope" section, except https://www.eurid.eu.

The following authoritative name servers are explicitly out of scope.

For the .eu and .ею top-level domains:

  • w.dns.eu
  • x.dns.eu
  • y.dns.eu

For the domains referred to in the Domains section:

  • nsx.eurid.eu
  • nsp.netnod.se
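
A small scope-check helper for the name server rules above, added here as an example (not EURid's or Intigriti's own code): it converts the IDN TLDs to the A-label form dig can always query, parses dig-style NS answers, and drops the hosts this page lists as out of scope. The dig answer is constructed and ns-example.dns.eu is a made-up hostname.

```python
# Scope helper for the name server rules above: added example, not EURid's or
# Intigriti's own code. The out-of-scope hosts come from this page; the dig
# answer below is constructed, and "ns-example.dns.eu" is a made-up hostname.
SCOPE_TLDS = ["eu", "ею", "ευ"]          # the three TLDs EURid operates

OUT_OF_SCOPE_NS = {
    "w.dns.eu", "x.dns.eu", "y.dns.eu",    # .eu / .ею authoritative servers
    "nsx.eurid.eu", "nsp.netnod.se",       # servers for eurid.eu, registry.eu, ...
}

def to_alabel(name: str) -> str:
    """Canonical form of a DNS name: punycode A-labels, lower case, no
    trailing dot. DNS names are case-insensitive, so compare in this form."""
    labels = [lbl for lbl in name.rstrip(".").split(".") if lbl]
    return ".".join(lbl.encode("idna").decode("ascii") for lbl in labels).lower()

def scope_tlds_as_alabels() -> list[str]:
    """Names to pass to dig; the A-label form works even where dig was built
    without IDN support (e.g. 'dig ns xn--e1a4c. @nl.dns.eu')."""
    return [to_alabel(tld) for tld in SCOPE_TLDS]

def parse_ns_answers(dig_output: str) -> list[str]:
    """Extract NS target hostnames from dig-style answer lines
    (owner TTL class type target); comment lines start with ';'."""
    hosts = []
    for line in dig_output.splitlines():
        fields = line.strip().split()
        if (len(fields) >= 5 and not fields[0].startswith(";")
                and fields[3].upper() == "NS"):
            hosts.append(to_alabel(fields[4]))
    return hosts

def in_scope_nameservers(dig_output: str) -> list[str]:
    """Name servers in the answer that the programme does not exclude."""
    excluded = {to_alabel(h) for h in OUT_OF_SCOPE_NS}
    return sorted(set(parse_ns_answers(dig_output)) - excluded)

# Constructed stand-in for `dig ns eu. @nl.dns.eu` output (not real data).
SAMPLE_DIG = """\
;; ANSWER SECTION:
eu.	3600	IN	NS	nl.dns.eu.
eu.	3600	IN	NS	W.DNS.EU.
eu.	3600	IN	NS	x.dns.eu.
eu.	3600	IN	NS	ns-example.dns.eu.
"""

if __name__ == "__main__":
    print("query names:", scope_tlds_as_alabels())
    print("in scope:", in_scope_nameservers(SAMPLE_DIG))
```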

In the interest of the safety of our users, staff, the Internet at large and yourself, the following is out of scope:

  • Findings from physical testing such as office access (e.g. open doors, tailgating);
  • Findings derived primarily from social engineering (e.g. phishing);
  • Findings from applications or systems not listed in the ‘Scope’ section;
  • UI and UX bugs and spelling mistakes;
  • Network level Denial of Service (DoS/DDoS) vulnerabilities;
  • Duplicate reports of security issues, including security issues that have already been identified internally;
  • Issues determined to be low impact may be excluded;
  • Theoretical security issues with no realistic exploit scenario(s) or attack surfaces, or issues that would require complex end user interactions to be exploited, may be excluded or be lowered in criticality;
  • Recently disclosed zero-day vulnerabilities in commercial products where no patch or a recent patch (< 2 weeks) is available. We need time to patch our systems - allow 2 weeks before reporting these types of issues;
  • Self-XSS that cannot be used to exploit other users (this includes having a user paste JavaScript into the browser console);
  • Vulnerabilities that are limited to non-current browsers (older than 3 versions) will not be accepted;
  • Cross-origin Resource Sharing (CORS) issues without a working PoC;
  • Missing cookie flags on non-security sensitive cookies;
  • Missing security headers which do not present an immediate security vulnerability;
  • Cross-site Request Forgery (CSRF) with no or low impact (Logout/Logon CSRF, etc.);
  • Presence of autocomplete attribute on web forms;
  • Web content in our robots.txt file;
  • Banner Exposure / Version Disclosure;
  • Discovery of any in-use service whose version contains known vulnerabilities (such as a specific version of OpenSSL, Apache, Tomcat, etc.) without a demonstration of intrusion, information retrieval, or service disruption using that vulnerability;
  • Weak ciphers/certs (we know SSLlabs too);
  • DKIM, DMARC and SPF issues.

Rules of engagement

Guidelines

  • Provide detailed but to-the-point reproduction steps;
  • Include a clear attack scenario; a step-by-step guide in the PoC is highly appreciated;
  • Please do NOT discuss findings before they are fixed (including PoCs on YouTube, Vimeo or any other sharing platform);
  • Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction of data during security testing;
  • Have no criminal or malicious intent;
  • Perform research only within the scope;
  • Do not place malware or any other software on our systems;
  • Do not alter the configuration of our systems;
  • Do not copy, delete or modify data on our systems;
  • Do not share access to vulnerable systems with others or repeatedly gain access to vulnerable systems;
  • Remove sensitive material from your systems once the issue has been resolved.

Safe harbour for researchers

EURid considers ethical hacking activities conducted consistently with the Researcher Guidelines, the Program description and restrictions (the Terms) to constitute "authorized" conduct under criminal law. EURid will not pursue civil action or initiate a complaint for accidental, good faith violations, nor will it file a complaint for circumventing technological measures used by us to protect the scope as part of your ethical hacking activities.

If legal action is initiated by a third party against you and you have complied with the Terms, EURid will take steps to make it known that your actions were conducted in compliance and with our approval.

Severity assessment

All our rewards are impact-based, so we kindly ask you to carefully evaluate a vulnerability's impact when picking a severity rating. To give you an idea of what kind of bugs belong in a certain severity rating we've put some examples below. Note that depending on the impact a bug can sometimes be given a higher or lower severity rating.

Examples of exceptional vulnerabilities:

  • Remote Code Execution
  • Unauthorized access to the Registrar extranet
  • Bypassing the access control mechanisms of the EPP
  • Access to internal systems

Examples of critical vulnerabilities:

  • Access to personal, non-publicly available data like logins, passwords and email addresses
  • SQL injection

Examples of high severity vulnerabilities:

  • Stored XSS without user interaction
  • Privilege escalation
  • Bypassing access control mechanisms like rate limiters, IP blocks and CAPTCHAs

Examples of medium severity vulnerabilities:

  • XSS that requires user interaction
  • Exception triggers
  • Stack traces
  • Scripted and automated exploitation and data extraction (not meta-data). The data should normally be publicly available and require human interaction.

Examples of low severity vulnerabilities:

  • CSRF
  • Open redirects which allow extraction of sensitive data or introducing XSS.
  • Scripted and/or automated exploitation and technical meta-data extraction (like internal IP addresses, ports, etc.)

It will be the responsibility of Intigriti to pay out the bounties in a timely and legal way. Payouts will only take place after our agreement on the criticality of the impact and only if the submission was the first of its kind and agreed to be valid.

FAQ

Are there test accounts available, where applicable?
Currently this is not possible.

What is sensitive data?
We consider any type of data that is not publicly accessible or available as sensitive. This includes but is not limited to personal data.

Why is my IP address blocked?
We encourage security researchers to look into our infrastructure and services in search of vulnerabilities, but we will take protective measures when this has a negative impact on our services. Running an aggressive security scanner or exploitation tool and bombarding us with requests will trigger non-negotiable blocks on our systems.

Program specifics

  • ID check required
  • Reputation points
  • Triage