Description

Tomorrowland is one of the most-loved and best-known music festivals on the planet. Because of this, Tomorrowland usually sells out in minutes and manages a large fanbase. Tomorrowland also innovates by providing its visitors with cashless onsite payments and a wide range of online services. This has increased Tomorrowland's digital footprint, and we value all the help we can get securing it.

Bounties

Severity     Score range   Tier 2    Tier 3
Low          0.1 - 3.9     €50       €0
Medium       4.0 - 6.9     €150      €75
High         7.0 - 8.9     €500      €250
Critical     9.0 - 9.4     €1,000    €500
Exceptional  9.5 - 10.0    €2,500    €1,250

Tier 2: €50 - €2,500
Tier 3: Up to €1,250
Rules of engagement

Guidelines

  • Remember: quality over quantity!
  • Provide detailed but to-the-point reproduction steps
  • Include a clear attack scenario; a step-by-step guide in the PoC is highly appreciated
  • Please do NOT discuss bugs before they are fixed

Please use the @intigriti.me email for your tests so we can keep our databases clean.

Domains

Asset                                              Type     Tier    Notes
*.aroundtheworld.tomorrowland.com                  URL      Tier 2
artists.tomorrowland.com/production-website/33117  URL      Tier 2
cognito-idp.eu-west-1.amazonaws.com                URL      Tier 2
(Android app; identifier not shown on the page)    Android  Tier 2
globaljourney.tomorrowland.com                     URL      Tier 2
mdm.weareone.world                                 URL      Tier 2
my.tomorrowland.com                                URL      Tier 2
(iOS app; identifier not shown on the page)        iOS      Tier 2
oneworldradio.tomorrowland.com                     URL      Tier 2
sp1y1tpaf1.execute-api.eu-west-1.amazonaws.com     URL      Tier 2
winterpackages.tomorrowland.com                    URL      Tier 2  Out of scope: bypassing the payment process
www.tomorrowland.com                               URL      Tier 2
*.tomorrowland.com                                 URL      Tier 3
components.stag.tomorrowland.com                   URL      Tier 3  Vulnerabilities found on both components.stag.tomorrowland.com and components.tomorrowland.com will be considered duplicates.
components.tomorrowland.com                        URL      Tier 3  Vulnerabilities found on both components.stag.tomorrowland.com and components.tomorrowland.com will be considered duplicates.

In scope

We are looking for help in protecting and securing our online assets because we care about the privacy of our fans and their data. We also value fair access for our fans to our ticketing sales and want to prevent fraud and ticket scalping.

Please report all vulnerabilities in our online assets; our scope is listed under the Domains section.

The public programme includes listed public domain names and our public Android and iOS app.

Additional private projects concerning our ticket sales and crew accreditation services will be added in a later phase.

We are currently working on fixing subdomain takeovers across our entire environment. We are open to receiving non-duplicate subdomain takeovers; however, there is a fixed bounty of 50 EUR for subdomain takeovers for the time being.

Out of scope

Subdomain takeover without proven impact is out of scope.

thegreatlibraryoftomorrow.com as a dangling DNS record is known; this website will launch very soon.

Following an increase in submissions (and possible duplicates), we are taking returns.store.tomorrowland.com temporarily out of scope while we discuss a structural solution with our third-party partner.

Out of scope actions on Tomorrowland Wintershop

  • Bypassing the payment process

Tomorrowland Brasil ticket shops are out of scope.

Application

  • API key disclosure without proven business impact
  • Pre-auth account takeover / OAuth squatting
  • Self-XSS that cannot be used to exploit other users (this includes having a user paste JavaScript into the browser console)
  • Vulnerabilities that are limited to non-current browsers (older than 3 versions)
  • CORS issues on non-sensitive endpoints
  • Missing cookie flags
  • Missing security headers
  • Cross-site Request Forgery (CSRF) with no or low impact (logout/logon CSRF, etc.)
  • Presence of the autocomplete attribute on web forms
  • Web content listed in our robots.txt file
  • Reverse tabnabbing
  • Bypassing rate limits or the absence of rate limits
  • Attacks requiring the use of shared computers or physical access
  • Best practices on password resets (logoff on changing a password, multiple sessions, etc.)
  • Best practice violations (password complexity, expiration, re-use, etc.)
  • Clickjacking on pages with no sensitive actions
  • Comma Separated Values (CSV) injection
  • Blind SSRF without proven business impact (a DNS pingback alone is not sufficient)
  • Disclosed and/or misconfigured Google API keys (including Maps)
  • Host header injection without proven business impact
  • Sessions not being invalidated on logout
  • Text injection
  • HTML or CSS injection without a plausible attack scenario
  • Stack trace disclosure with no sensitive data
  • Directory listings that do not contain sensitive files
  • Use of HTTP with no sensitive data
  • Server status pages that do not expose any sensitive data
  • Tokens leaked to third parties
  • Email spoofing
  • Pixel flood attacks
  • Broken link hijacking
  • Theoretical attacks
  • Homograph attacks
  • Username / email enumeration
  • E-mail bombing
  • Disclosing API keys without proven impact
  • Disclosing credentials without proven impact
  • HTTP header attacks without proven impact (e.g. Host header injection without clear business impact)
  • Known issue: *.tomorrowland.com/.htpasswd

Infrastructure

  • Recently discovered zero-day vulnerabilities found in in-scope assets within 14 days after the public release of a patch or mitigation may be reported, but are usually not eligible for a bounty.
  • Banner exposure / version disclosure
  • E-mail spoofing due to a bad or missing implementation of SPF/DMARC/DKIM
  • Weak SSL configurations and SSL/TLS scan reports (this means output from sites such as SSL Labs)
  • Not stripping metadata from images
  • Open ports without a proof-of-concept of a vulnerability
  • Man-in-the-middle attacks

General

  • Best practice concerns
  • In case a reported vulnerability was already known to the company from its own tests, it will be flagged as a duplicate.
  • Theoretical security issues with no realistic exploit scenario(s) or attack surface, or issues that would require complex end-user interaction to be exploited, may be excluded or lowered in severity.
  • Spam, social engineering and physical intrusion
  • DDoS attacks or brute force attacks. The use of limited word lists, e.g. for password guessing, is allowed.

Mobile

  • Shared links leaked through the system clipboard
  • Any URIs leaked because a malicious app has permission to view opened URIs
  • The absence of certificate pinning
  • Sensitive data in URLs/request bodies when protected by TLS
  • Lack of obfuscation
  • Path disclosure in the binary
  • Lack of jailbreak & root detection
  • Disclosing API keys without proven impact
  • Crashes due to malformed URL schemes
  • Lack of binary protection (anti-debugging) controls, mobile SSL pinning
  • Snapshot/pasteboard leakage
  • Runtime hacking exploits (exploits only possible in a jailbroken environment)
  • API key leakage used for non-sensitive activities/actions
  • Attacks requiring stealing the victim's phone or installing a malicious application onto the victim's phone

Severity assessment

All our rewards are impact based, so we kindly ask you to carefully evaluate a vulnerability's impact when picking a severity rating. To give you an idea of what kind of bugs belong in a certain severity rating, we've put some examples below. Note that depending on the impact and the targeted domain, a bug can sometimes be given a higher or lower severity rating.

Exceptional

  • Remote Code Execution
  • Full database read/write access

Critical

  • Full database read access
  • Significant access bypass
  • IDOR on ticket info

High

  • Horizontal privilege escalation
  • Access to (a lot of) PII data

Medium

  • XSS
  • CSRF on critical actions
  • Information disclosure
    • Line-up
    • Information about tickets / price packages before public announcement
    • Stack traces with sensitive info
    • Full supplier data

Low

  • Open redirects
  • CSRF

Cash vs tickets

We are happy to reward your vulnerabilities by giving you tickets for one of our events instead of cash. The table below explains which severity results in which monetary reward or ticket reward.

The ticket supply is limited; the company always has the right to reward you in cash instead.

As of 04/01/2023 we can no longer reserve Tomorrowland tickets for new submissions.
New submissions will automatically receive their bounty in cash.

Severity     Cash      Tickets
Low          € 50      -
Medium       € 150     2 day tickets
High         € 500     2 weekend tickets
Critical     € 1,000   2 weekend tickets (comfort) including spending limit
Exceptional  € 2,500   4 weekend tickets (comfort) including spending limit

FAQ

Where can I get a test account?

You can register on Tomorrowland by using an Intigriti email. More info can be found at: https://go.intigriti.com/intigritime

Last 90 day response times

Avg. time to first response: < 2 days
Avg. time to decide: +3 weeks
Avg. time to triage: < 2 days