Description

At Telenet we place great importance on the security of our systems and data. Despite the measures we take to optimise our security, it is nevertheless possible that something will slip through the net. Should you discover a security problem, we have a system in place for you to report it to us in a responsible way. We are happy to have your help to improve our systems and protect our customers even better.

Bounties: Responsible disclosure

Domains

Devices (No Bounty):

  • Digibox
  • Digicorder
  • Modems
  • Telenet access points
  • Telenet Hotspots
  • Telenet Powerlines

URLs (No Bounty):

  • *.9lives.be
  • *.telenet.be
    Customers are allowed to create subdomains under the telenet.be domain. These customer subdomains are considered out of scope. Most in-scope domains will have (c) Telenet 2019 in their footer.
  • *.telenethotspot.be
  • *.telenetsafespot.com
    The entire Telenet SafeSpot product is in scope.
  • *.yelo.be
  • *.yeloplay.be

Mobile and other applications (No Bounty):

  • SafeSpot Guard Application (Other)
    The entire Telenet SafeSpot product is in scope.
  • Telenet SafeSpot applications (iOS, Android)
    The entire Telenet SafeSpot product is in scope.
  • Telenet Mobile (iOS, Android)
  • Telenet TV (iOS, Android)
  • Triing (iOS, Android)
  • Yelo Play (iOS, Android)

In scope

Suspected vulnerabilities in our products and services, including modem, Digicorder/Digibox, hotspot/homespot, websites, web-based applications and mobile apps that can be abused and can lead to:

  • Theft of sensitive data
  • Unauthorized modification or deletion of sensitive data
  • Interference with or prevention of access to our services
  • Disruption of the proper operation of our network, products or services

Out of scope

Out of scope domains

  • *.access.telenet.be
  • *.inbel.telenet.be
  • *.static.telenet.be
  • *.kabel.telenet.be
  • *.playsports.be
  • community.telenet.be
  • users.telenet.be/*
  • business.telenet.be/nl/syba (A-desk website)
  • mkt.telenet.be
  • sim.telenet.be

Any area that is not explicitly listed in the section above is out of scope. The areas that are out of scope include, but are not limited to, the following:

  • Duplicate reports of security issues, including security issues that have already been identified internally
  • Self XSS
  • Descriptive error messages (e.g. stack traces, application or server errors).
  • Content Spoofing
  • Vulnerabilities that are limited to unsupported browsers will not be accepted. Exploit must work at least on > IE 8.
  • A downloadable .htaccess file without a real security misconfiguration that has security impact
  • Login page or any of our websites served over HTTP.
  • Password not enforced on user accounts
  • Clickjacking or any issue exploitable through clickjacking
  • Vulnerabilities in the source code of our 3rd party partners, over which we have no control regarding the fix. These vulnerabilities should be reported directly to the 3rd party host.
  • Username / email enumeration
  • CORS issues without a working PoC
  • Automated scanning attacks
  • Social engineering (e.g. phishing, vishing)
  • Physical attacks such as office access (e.g., open doors, tailgating)
  • Distributed Denial of Service attacks and Denial of Service attacks
  • UI and UX bugs and spelling mistakes
  • Usability issues
  • Vulnerabilities that are a result of malware
  • Theoretical security issues with no realistic exploit scenario(s) or attack surfaces, or issues that would require complex end user interactions to be exploited, may be excluded
  • Issues determined to be low impact may be excluded
  • Discovery of any in-use service whose version contains known vulnerabilities (such as a specific version of OpenSSL, Apache, Tomcat, etc.) without a demonstration of intrusion, information retrieval, or service disruption using that vulnerability
  • Denial of Service attacks
  • Vulnerabilities in obsolete (EOLed) versions of our products
  • Missing additional security controls, such as HSTS or CSP headers.
  • Login/Logout CSRF.
  • Reports of insecure SSL/TLS ciphers (unless you have a working proof of concept)
  • Cookie flags (for non-sensitive cookies).
  • Brute-force / Rate-limiting / Velocity throttling.
  • Vulnerabilities only affecting users of outdated or un-patched browsers and platforms.
  • Presence of autocomplete attribute on web forms.
  • Web content in our robots.txt file.
  • Banner Exposure / Version Disclosure
  • DKIM, DMARC, SPF issues
  • WPS brute force attacks

Specific for Mobile applications:

  • Shared links leaked through the system clipboard
  • Any URIs leaked because a malicious app has permission to view URIs opened
  • The absence of certificate pinning
  • Sensitive data in URLs/request bodies when protected by TLS
  • Lack of obfuscation is out of scope
  • Path disclosure in the binary
  • Lack of jailbreak & root detection
  • Crashes due to malformed URL Schemes
  • Lack of binary protection (anti-debugging) controls, mobile SSL pinning
  • Snapshot/Pasteboard leakage
  • Runtime hacking exploits (exploits only possible in a jailbroken environment)
  • API key leakage where the key is used only for non-sensitive activities/actions

Rules of engagement

Guidelines

  • Always operate within legal boundaries when identifying potential security issues. Do not demonstrate security vulnerabilities by performing DDoS attacks, brute force password guessing, social engineering activities, infecting systems with malware, scanning our systems, etc. Such actions will be considered and dealt with as targeted attacks, because they can cause harm to both Telenet and its customers. In such cases, Telenet cannot guarantee that you will not be prosecuted, since there is a risk that the authorities will take the necessary measures in response to such attacks.
  • Describe the problem in sufficient detail, and include the necessary evidence, such as IP addresses, log entries, screenshots, etc.
  • Write your message in English.
  • If you prefer to remain anonymous, you are not required to provide us with contact information. However, in some cases we may want to reach you for further information or to provide feedback.
  • Only notify Telenet of your findings, and only via this procedure. Do not publish details about the security issue through other channels. Making the problem known through other channels or the media, even before or after notifying Telenet via this procedure and even when not all details are provided, will be considered irresponsible behavior and can still lead to the filing of criminal charges.
  • Do not exploit the identified leak: only collect the information necessary to demonstrate its existence.
  • Do not change or delete any data or system settings.
  • Handle any found data in a responsible manner: if you can demonstrate that there is a security problem with a small portion of the data, do not go any further.

Our Promise

  • We will respond to your message as soon as possible, if you have provided contact information.
  • If we require additional information, we may choose to contact you, if possible.
  • We will do everything possible to resolve any shortcomings as quickly as possible, and we will keep you posted.
  • Depending on the potentially identified security problem, Telenet may autonomously decide to grant a reward. The content and scope of a reward will be unilaterally determined by Telenet, and any such reward may not be construed as a guarantee of future rewards.

Safe harbour for researchers

Telenet considers ethical hacking activities conducted consistent with the Researcher Guidelines, the Program description and restrictions (the Terms) to constitute “authorized” conduct under criminal law. Telenet will not pursue civil action or initiate a complaint for accidental, good faith violations, nor will it file a complaint for circumventing technological measures used by us to protect the scope as part of your ethical hacking activities.

If legal action is initiated by a third party against you and you have complied with the Terms, Telenet will take steps to make it known that your actions were conducted in compliance and with our approval.

Severity assessment

Currently we are not paying for vulnerabilities; we believe in responsible disclosure. We will, however, be able to increase your reputation and give you public recognition via the leaderboard.

Additionally, in exceptional cases and depending on the issue, we might send you some swag or even overrule this and offer you a reward.

FAQ

Can we receive test accounts?

No, we currently don’t share credentials of test accounts.

How long does it take to fix a vulnerability?

Our goal is to implement a fix as soon as possible. Depending on the criticality and the affected system it can take up to multiple months to implement a fix.

Program specifics

  • ID check required
  • Reputation points
  • Triage

Activity
  • 3/13  Telenet closed a submission
  • 3/12  Telenet has suspended the program
  • 3/3   Telenet accepted a submission
  • 3/3   morioka12 created a submission
  • 2/27  Telenet accepted a submission
  • 2/27  j3ssiejjj created a submission
  • 12/18 Telenet accepted a submission
  • 12/10 Telenet closed a submission
  • 12/10 p4fg created a submission
  • 12/9  samyakt created a submission