Description

At Telenet we place great importance on the security of our systems and data. Despite the measures we take to optimise our security, it is nevertheless possible that something will slip through the net. The brands that are part of Telenet group are Telenet, Base and 9lives. Should you discover a security problem, we have a system in place for you to report it to us in a responsible way. We are happy to have your help to improve our systems and protect our customers even better.

Bounties

Severity   Low     Medium   High    Critical   Exceptional   Range
Tier 1     € 50    € 150    € 375   € 750      € 1,500       € 50 - € 1,500
Tier 2     € 0     € 100    € 250   € 500      € 1,000       Up to € 1,000
Domains

Mobile applications

  • Telenet SafeSpot (iOS and Android): the entire Telenet SafeSpot product is in scope.
  • Base Cloud (Android)
  • Base Top-up
  • My Base
  • Triing (Android)
  • Telenet Mobile (Android)
  • Yelo Play

URLs

  • https://www2.telenet.be/nl/landing-pages/safespot (Tier 1): the entire Telenet SafeSpot product is in scope.
  • *.9lives.be (Tier 2)
  • *.base.be (Tier 2): note that some base.be hosts are listed as out of scope below.
  • *.telenet.be (Tier 2): Telenet also offers a hosting service to its customers; customer-hosted domains are out of scope. As an indication, most in-scope domains carry "(c) Telenet 2019" in their footer.
  • *.telenethotspot.be (Tier 2)
  • *.yelo.be (Tier 2)
  • *.yeloplay.be (Tier 2)

Devices (all Tier 2)

  • Digibox
  • Digicorder
  • Modems
  • Telenet access points
  • Telenet Hotspots
  • Telenet Powerlines
In scope

Suspected vulnerabilities in our products and services, including modem, Digicorder/Digibox, hotspot/homespot, websites, web-based applications and mobile apps that can be abused and can lead to:

  • Theft of sensitive data
  • Unauthorized modification or deletion of sensitive data
  • Interference with or prevention of access to our services
  • Disruption of the proper operation of our network, products or services
Out of scope

Out of scope domains:

  • *.access.telenet.be
  • *.inbel.telenet.be
  • *.static.telenet.be
  • *.kabel.telenet.be
  • *.web.cloud.telenet.be
  • home.base.be/*
  • users.telenet.be/*
  • business.telenet.be/nl/syba (A-desk website)
  • mkt.telenet.be
  • sim.telenet.be
  • *.cloud.telenet.be
  • comm.base.be
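
A scope check for the lists above, added here as an example; it is not Telenet's or Intigriti's tooling. It transcribes the in-scope URL wildcards from the Domains section and the out-of-scope list above, checks exclusions before inclusions so that a narrower out-of-scope entry (for example *.cloud.telenet.be under *.telenet.be) wins, and treats a listed path such as business.telenet.be/nl/syba as a prefix. Whether a wildcard also covers the apex domain, the prefix reading of paths, and the footer regular expression are assumptions of this example, not statements by the program; confirm them with the program before relying on the result.

```python
import re
from urllib.parse import urlsplit

# Transcribed from the program page: in-scope URL wildcards. The SafeSpot
# landing page (Tier 1) sits under *.telenet.be and needs no separate entry.
IN_SCOPE = [
    "*.9lives.be", "*.base.be", "*.telenet.be",
    "*.telenethotspot.be", "*.yelo.be", "*.yeloplay.be",
]

# Transcribed from the page's "Out of scope domains" list.
OUT_OF_SCOPE = [
    "*.access.telenet.be", "*.inbel.telenet.be", "*.static.telenet.be",
    "*.kabel.telenet.be", "*.web.cloud.telenet.be", "home.base.be/*",
    "users.telenet.be/*", "business.telenet.be/nl/syba", "mkt.telenet.be",
    "sim.telenet.be", "*.cloud.telenet.be", "comm.base.be",
]

# Assumption: a "*.example.be" wildcard also covers the apex "example.be".
# Confirm with the program before testing an apex host.
WILDCARD_COVERS_APEX = True


def _split_entry(entry):
    """'host/path' -> (host, '/path'); a bare host gives path ''."""
    host, _, path = entry.partition("/")
    return host.lower(), ("/" + path) if path else ""


def _host_matches(pattern, host):
    if pattern.startswith("*."):
        base = pattern[2:]
        if host == base:
            return WILDCARD_COVERS_APEX
        return host.endswith("." + base)
    return host == pattern


def _entry_matches(entry, host, path):
    e_host, e_path = _split_entry(entry)
    if not _host_matches(e_host, host):
        return False
    if e_path in ("", "/*"):  # entry covers the whole host
        return True
    # Assumption: a listed path is a prefix (/nl/syba also covers /nl/syba/x),
    # but not a partial segment (/nl/sybase is a different resource).
    return path == e_path or path.startswith(e_path.rstrip("/") + "/")


def classify(target):
    """Classify a URL or bare hostname as 'out-of-scope', 'in-scope' or 'unlisted'."""
    if "://" not in target:
        target = "https://" + target
    parts = urlsplit(target)
    host = (parts.hostname or "").rstrip(".")  # urlsplit lower-cases the host
    path = parts.path or "/"
    # Exclusions first: *.cloud.telenet.be is listed out of scope even though
    # *.telenet.be is in scope, so the narrower rule has to win.
    if any(_entry_matches(e, host, path) for e in OUT_OF_SCOPE):
        return "out-of-scope"
    if any(_entry_matches(e, host, path) for e in IN_SCOPE):
        return "in-scope"
    return "unlisted"


# The page's hint for telling customer-hosted *.telenet.be sites apart:
# most in-scope domains carry "(c) Telenet 2019" in their footer. This is a
# heuristic, not a scope decision, and the exact regex is an assumption.
_FOOTER_RE = re.compile(r"(?:\(c\)|©)\s*Telenet\s+\d{4}", re.IGNORECASE)


def looks_telenet_owned(html):
    """True when the page body carries a Telenet copyright footer."""
    return _FOOTER_RE.search(html) is not None


if __name__ == "__main__":
    # Constructed sample targets, not real findings.
    for t in ["https://www2.telenet.be/nl/landing-pages/safespot",
              "https://app.cloud.telenet.be/login",
              "https://business.telenet.be/nl/syba/contact",
              "shop.9lives.be", "https://example.com/"]:
        print(f"{t:55} {classify(t)}")
```

Run it before touching a host: anything reported as out-of-scope or unlisted is not covered by the safe harbour below, and a *.telenet.be host that passes the scope check but lacks the Telenet footer is most likely customer-hosted content, which the program also excludes.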

General

  • For leaked customer credentials or customer abuse, please contact our abuse team via abuse@telenet.be
  • Services and systems that are hosted, created, managed or owned by Telenet customers.
  • Duplicate reports of security issues, including issues that have already been identified internally or that are only reproducible on a non-production environment (e.g. UAT)
  • Automated scanning attacks
  • Social engineering (e.g. phishing, vishing) or physical attacks such as office access (e.g., open doors, tailgating)
  • Distributed Denial of Service attacks and Denial of Service attacks
  • Vulnerabilities that are a result of malware
  • Theoretical security issues with no realistic exploit scenario(s) or attack surfaces, or issues that would require complex end user interactions to be exploited, may be excluded
  • Issues determined to be low impact may be excluded
  • Vulnerabilities in third-party partner source code over which we have no control regarding the fix. These vulnerabilities should be reported directly to the third party.
  • Attacks requiring the usage of shared computers, man in the middle or compromised user accounts
  • Brute Force Attacks

Application

  • Self-XSS and issues exploitable only through Self-XSS.
  • Descriptive error messages (e.g. stack traces, application or server errors).
  • Content Spoofing
  • Vulnerabilities that are limited to unsupported browsers will not be accepted. The exploit must work on at least one browser newer than IE 8.
  • .htaccess downloadable file without a real security misconfiguration that can have security impact
  • Login page or one of our websites over HTTP
  • Reports of insecure SSL/TLS ciphers (unless you have a working proof of concept)
  • Password not enforced on user accounts
  • Clickjacking or any issue exploitable through clickjacking
  • Username / email enumeration
  • CORS issues without a working PoC
  • Discovery of any in-use service whose version contains known vulnerabilities (such as a specific version of OpenSSL, Apache, Tomcat, etc.) without a demonstration of intrusion, information retrieval, or service disruption using that vulnerability
  • Vulnerabilities in obsolete (EOLed) versions of our products
  • Missing additional security controls, such as HSTS or CSP headers.
  • Cross-site Request Forgery with no or low impact (Login/Logout CSRF)
  • Missing cookie flags (for non-sensitive cookies).
  • Brute-force / Rate-limiting / Velocity throttling.
  • Vulnerabilities only affecting users of outdated or un-patched browsers and platforms.
  • Presence of autocomplete attribute on web forms.
  • Web content in our robots.txt file.
  • Banner Exposure / Version Disclosure
  • DKIM, DMARC, SPF issues
  • Flash findings that require Flash to be enabled
  • Internal IP address disclosure
  • Weak Captcha / Captcha Bypass.
  • Open redirect
  • WPS brute force attacks / XMLRPC enabled
  • Disclosing API keys without proven impact
  • Not stripping metadata of images
  • E-mail bombing
  • Cross-domain referer leakage

Mobile applications

  • Shared links leaked through the system clipboard
  • Any URIs leaked because a malicious app has permission to view URIs opened
  • The absence of certificate pinning
  • Sensitive data in URLs/request bodies when protected by TLS
  • Lack of obfuscation is out of scope
  • Path disclosure in the binary
  • Lack of jailbreak & root detection
  • Crashes due to malformed URL Schemes
  • Lack of binary protection (anti-debugging) controls, mobile SSL pinning
  • Snapshot/Pasteboard leakage
  • Runtime hacking exploits (exploits only possible in a jailbroken environment)
  • API key leakage where the key is only used for non-sensitive activities/actions
Rules of engagement

Important!

  • Always operate within legal boundaries when identifying potential security issues.
  • Do not demonstrate security vulnerabilities by performing DDoS attacks, brute force password guessing, social engineering activities, infecting systems with malware, scanning our systems, etc. Such actions will be considered and dealt with as targeted attacks, because they can cause harm to both Telenet and its customers. In such cases, Telenet cannot guarantee that you will not be prosecuted, since there is a risk that the authorities will take the necessary measures in response to such attacks.
  • Only notify Telenet of your findings, and only via this procedure.
  • Do not publish details about the security issue through other channels. Making the problem known through other channels or the media, even before or after notifying Telenet via this procedure and even when not all details are provided, will be considered irresponsible behaviour and can still lead to the filing of criminal charges.
  • Do not exploit the identified leak: only collect the information necessary to demonstrate its existence.
  • Do not change or delete any data or system settings.
  • Handle any found data in a responsible manner: if you can demonstrate that there is a security problem with a small portion, do not go any further.

Our promise

  • We will respond to your message as soon as possible, if you have provided contact information.
  • If we require additional information, we may choose to contact you, if possible.
  • We will do everything possible to resolve any shortcomings as quickly as possible, and we will keep you posted.
  • Acting in accordance with these guidelines ensures that Telenet will not file a criminal complaint against you.

Safe harbour for researchers

Telenet considers ethical hacking activities conducted consistent with the Researcher Guidelines, the Program description and restrictions (the Terms) to constitute “authorized” conduct under criminal law. Telenet will not pursue civil action or initiate a complaint for accidental, good faith violations, nor will it file a complaint for circumventing technological measures used by us to protect the scope as part of your ethical hacking activities.

If legal action is initiated by a third party against you and you have complied with the Terms, Telenet will take steps to make it known that your actions were conducted in compliance and with our approval.

Severity assessment

Rewards are given according to the payment table at the top of the program. The criticality level is based on technical parameters (CVSS), but exceptions are possible if the affected system and/or application is not critical to our business.

No rewards are given for out-of-scope reports or for vulnerabilities introduced by our customers (e.g. if a customer introduces a vulnerability in their personal webspace, we will neither fix it nor offer a reward for the report).

FAQ

Can we receive test accounts?

No, we currently don’t share credentials of test accounts.

How long does it take to fix a vulnerability?

Our goal is to implement a fix as soon as possible. Depending on the criticality and the affected system it can take up to multiple months to implement a fix.

Why have you lowered the criticality of my reported issue?

If the reported issue has been found on a non-critical system or non-production environment then we can downgrade the criticality.
In this program we try to focus on critical and production environments.

Do you give refunds for Telenet services I have bought for testing purposes?

No, we will not refund expenses for services you have bought for testing purposes.
We do not recommend buying Telenet services for testing purposes.
Sales are final.


Program specifics
ID check required
Reputation points
Triage