Description

Tomorrowland is one of the most-loved and best-known music festivals on the planet. Because of this, Tomorrowland usually sells out within minutes and manages a large fanbase. Tomorrowland also innovates by providing its visitors with cashless onsite payments and a wide range of online services. This has increased Tomorrowland's digital footprint, and we value all the help we can get securing it.

Bounties (Tier 2)

  • Low: € 50
  • Medium: € 150
  • High: € 500
  • Critical: € 1,000
  • Exceptional: € 2,500

Range: € 50 - € 2,500

Domains

All listed domains are Tier 2 assets of type URL.

  • artists.tomorrowland.com/production-website/33117
  • cognito-idp.eu-west-1.amazonaws.com
  • globaljourney.tomorrowland.com
  • mdm.weareone.world
  • my.tomorrowland.com
  • oneworldradio.tomorrowland.com
  • sp1y1tpaf1.execute-api.eu-west-1.amazonaws.com
  • winterpackages.tomorrowland.com (Out of Scope: bypassing payment process)
  • www.tomorrowland.com

In scope

We are looking for help in protecting and securing our online assets because we care about the privacy of our fans and their data. We also value fair access for our fans to our ticketing sales and want to prevent fraud and ticket scalping.

Please report all vulnerabilities affecting our online assets; our scope is listed under the Domains section.

The public programme includes listed public domain names and our public Android and iOS app.

Additional private projects concerning our ticket sales and crew accreditation services will be added in a later phase.

Important guideline

Always create a Tomorrowland account with your intigriti email

More info can be found on: https://go.intigriti.com/intigritime

Out of scope

Subdomain takeover is out of scope!

Out of scope actions on Tomorrowland Winterschop 2020

  • Bypassing the payment process

Application

  • Self-XSS that cannot be used to exploit other users (this includes having a user paste JavaScript into the browser console)
  • Vulnerabilities that are limited to non-current browsers (older than 3 versions) will not be accepted.
  • CORS issues on non sensitive endpoints
  • Missing cookie flags
  • Missing security headers
  • Cross-site Request Forgery (CSRF) with no or low impact (Logout/Logon CSRF, etc.).
  • Presence of autocomplete attribute on web forms.
  • Web content in our robots.txt file.
  • Reverse tabnabbing
  • Bypassing rate-limits or the non-existence of rate-limits.
  • Attacks requiring use of shared computers or physical access
  • Best practices on password resets (logoff on changing a password, multiple sessions etc)
  • Best practices violations (password complexity, expiration, re-use, etc.)
  • Clickjacking on pages with no sensitive actions
  • Comma Separated Values (CSV) injection
  • Host Header Injection
  • Sessions not being invalidated on logout
  • Text injection
  • HTML or CSS injection without a plausible attack scenario
  • Stacktrace disclosure with no sensitive data
  • Directory listings which do not contain sensitive files.
  • Use of HTTP with no sensitive data
  • Server status if it does not expose any sensitive data.
  • Tokens leaked against third parties
  • Email spoofing
  • Pixel flood attack
  • Broken link hijacking
  • Theoretical attacks
  • Homograph attacks
  • Username / email enumeration
  • E-mail bombing
  • Disclosing API keys without proven impact
  • Disclosing credentials without proven impact
  • known issue: www.tomorrowland.com/.htpasswd

Infrastructure

  • Recently disclosed zero-day vulnerabilities in commercial products where no patch or a recent patch (< 2 weeks) is available. We need time to patch our systems just like everyone else - please give us 2 weeks before reporting these types of issues.
  • Banner Exposure / Version Disclosure
  • E-mail spoofing due to bad or missing implementation of SPF/DMARC/DKIM
  • Weak SSL configurations and SSL/TLS scan reports (this means output from sites such as SSL Labs)
  • Not stripping metadata of images
  • Open ports without the proof-of-concept of a vulnerability

General

  • Best practices concern
  • In case that a reported vulnerability was already known to the company from their own tests, it will be flagged as a duplicate.
  • Theoretical security issues with no realistic exploit scenario(s) or attack surfaces, or issues that would require complex end user interactions to be exploited, may be excluded or be lowered in severity
  • Spam, social engineering and physical intrusion
  • DDoS attacks or brute force attacks. The use of limited word lists, e.g. for password guessing, is allowed

Mobile

  • Shared links leaked through the system clipboard
  • Any URIs leaked because a malicious app has permission to view URIs opened
  • The absence of certificate pinning
  • Sensitive data in URLs/request bodies when protected by TLS
  • Lack of obfuscation is out of scope
  • Path disclosure in the binary
  • Lack of jailbreak & root detection
  • Disclosing API keys without proven impact
  • Crashes due to malformed URL Schemes
  • Lack of binary protection (anti-debugging) controls, mobile SSL pinning
  • Snapshot/Pasteboard leakage
  • Runtime hacking exploits (exploits only possible in a jailbroken environment)
  • API key leakage used for non-sensitive activities/actions
  • Attacks requiring stealing the victim’s phone or installing a malicious application onto the victim’s phone

Rules of engagement

Guidelines

  • Remember: quality over quantity!
  • Provide detailed but to-the point reproduction steps
  • Include a clear attack scenario, a step by step guide in the PoC is highly appreciated
  • Please do NOT discuss bugs before they are fixed

Safe harbour for researchers

Tomorrowland considers ethical hacking activities conducted consistent with the Researcher Guidelines, the Program description and restrictions (the Terms) to constitute “authorized” conduct under criminal law. Tomorrowland will not pursue civil action or initiate a complaint for accidental, good faith violations, nor will they file a complaint for circumventing technological measures used by us to protect the scope as part of your ethical hacking activities.

If legal action is initiated by a third party against you and you have complied with the Terms, Tomorrowland will take steps to make it known that your actions were conducted in compliance and with our approval.

Severity assessment

All our rewards are impact based, therefore we kindly ask you to carefully evaluate a vulnerability's impact when picking a severity rating. To give you an idea of what kind of bugs belong in a certain severity rating, we've put some examples below. Note that depending on the impact and the targeted domain, a bug can sometimes be given a higher/lower severity rating.

Exceptional

  • Remote Code Execution
  • Full database read/write access

Critical

  • Full database read access
  • Significant access bypass
  • IDOR on ticket info

High

  • Horizontal privilege escalation
  • Access to (a lot of) PII data

Medium

  • XSS
  • CSRF on critical actions
  • Information disclosure
    • Line-up
    • Information about tickets / price packages before public announcement
    • Stack traces with sensitive info
    • Full supplier data

Low

  • Open redirects
  • CSRF

Cash vs tickets

We are happy to reward your vulnerabilities by giving you tickets for Tomorrowland 2020 instead of cash. The table below explains which severity results in which monetary reward or ticket reward.

The ticket supply is limited, and the company always has the right to reward you with cash instead.

Severity      Cash      Tickets
Low           € 50      (no ticket reward)
Medium        € 150     2 day tickets
High          € 500     2 Weekend tickets
Critical      € 1,000   2 Weekend tickets (comfort) including spending limit
Exceptional   € 2,500   4 Weekend tickets (comfort) including spending limit

FAQ

Where can I get a test account?

You can register yourself on Tomorrowland by using an intigriti email. More info can be found on: https://go.intigriti.com/intigritime


Program specifics

  • ID check required
  • Reputation points
  • Triage

Last 90 day response times

  • avg. days first response: 0.80
  • avg. days to decide: 83.05
  • avg. days to triage: 1.14

Activity

  • 10/20 anilyuk created a submission
  • 10/20 pinta created a submission
  • 10/20 Tomorrowland changed the out of scope
  • 10/20 Tomorrowland changed the out of scope
  • 10/19 Tomorrowland closed a submission
  • 10/19 Tomorrowland closed a submission
  • 10/16 kursadalsan created a submission
  • 10/16 niraj1mahajan created a submission
  • 10/14 Tomorrowland closed a submission
  • 10/14 Tomorrowland closed a submission