Bug Bounty Programs

Come play our monthly CTF!

Coveo delivers AI-powered search and recommendations across websites, apps, and enterprise systems. Our platform includes automated crawlers, customer-supplied Python execution, and large-scale AI/GenAI infrastructure, plenty of interesting attack surface. If you find real security impact in these areas (or elsewhere), we want to hear from you. Please review the scope carefully so eligible reports can be rewarded appropriately.

The AS Watson Bug Bounty Program AS Watson is a diverse family of over 130,000 people, 17,000 stores shared by 12 retail brands in 31 markets. Established in 1841, AS Watson Group is one of the world's longest-standing and most recognised retail companies with roots in Asia. For 185 years, we’ve been united by an unchanging purpose - To put a Smile on our customers’ faces today and tomorrow. It is always our pride and joy to bring a Smile to everyone we come in touch with. AS Watson Group looks forward to working with the security community to discover vulnerabilities in order to keep our businesses and customers safe. Please note that some of our websites run on a similar codebase (Hybris/SAP CMS). This means that issues that are found on one asset, might also apply to another asset (also across programs). These findings will be regarded and treated as a single issue. Our websites are always under development and have new releases on a regular basis. These new releases sometimes do introduce functionalities (and potentially new vulnerabilities). We encourage you to keep testing our assets to uncover these. This program focuses specifically on the ICI PARIS XL brand from AS Watson. This brand is operating in The Netherlands Belgium and Luxembourg.

The AS Watson Bug Bounty Program AS Watson is a diverse family of over 130,000 people, 17,000 stores shared by 12 retail brands in 31 markets. Established in 1841, AS Watson Group is one of the world's longest-standing and most recognised retail companies with roots in Asia. For 185 years, we’ve been united by an unchanging purpose - To put a Smile on our customers’ faces today and tomorrow. It is always our pride and joy to bring a Smile to everyone we come in touch with. AS Watson Group looks forward to working with the security community to discover vulnerabilities in order to keep our businesses and customers safe. Please note that some of our websites run on a similar codebase (Hybris/SAP CMS). This means that issues that are found on one asset, might also apply to another asset (also across programs). These findings will be regarded and treated as a single issue. Our websites are always under development and have new releases on a regular basis. These new releases sometimes do introduce functionalities (and potentially new vulnerabilities). We encourage you to keep testing our assets to uncover these. This program focuses specifically on the The Perfume Shop brand from AS Watson. This brand is operating in the United Kingdom.

The AS Watson Bug Bounty Program AS Watson is a diverse family of over 130,000 people, 17,000 stores shared by 12 retail brands in 31 markets. Established in 1841, AS Watson Group is one of the world's longest-standing and most recognised retail companies with roots in Asia. For 185 years, we’ve been united by an unchanging purpose - To put a Smile on our customers’ faces today and tomorrow. It is always our pride and joy to bring a Smile to everyone we come in touch with. AS Watson Group looks forward to working with the security community to discover vulnerabilities in order to keep our businesses and customers safe. Please note that some of our websites run on a similar codebase (Hybris/SAP CMS). This means that issues that are found on one asset, might also apply to another asset (also across programs). These findings will be regarded and treated as a single issue. Our websites are always under development and have new releases on a regular basis. These new releases sometimes do introduce functionalities (and potentially new vulnerabilities). We encourage you to keep testing our assets to uncover these. This program focuses specifically on the Marionnaud brand from AS Watson. This brand is operating in eight different countries within Europe.

The AS Watson Bug Bounty Program AS Watson is a diverse family of over 130,000 people, 17,000 stores shared by 12 retail brands in 31 markets. Established in 1841, AS Watson Group is one of the world's longest-standing and most recognised retail companies with roots in Asia. For 185 years, we’ve been united by an unchanging purpose - To put a Smile on our customers’ faces today and tomorrow. It is always our pride and joy to bring a Smile to everyone we come in touch with. AS Watson Group looks forward to working with the security community to discover vulnerabilities in order to keep our businesses and customers safe. Please note that some of our websites run on a similar codebase (Hybris/SAP CMS). This means that issues that are found on one asset, might also apply to another asset (also across programs). These findings will be regarded and treated as a single issue. Our websites are always under development and have new releases on a regular basis. These new releases sometimes do introduce functionalities (and potentially new vulnerabilities). We encourage you to keep testing our assets to uncover these. This program focuses specifically on the Superdrug and Savers brands from AS Watson. These brands are operating in the United Kingdom.

The AS Watson Bug Bounty Program AS Watson is a diverse family of over 130,000 people, 17,000 stores shared by 12 retail brands in 31 markets. Established in 1841, AS Watson Group is one of the world's longest-standing and most recognised retail companies with roots in Asia. For 185 years, we’ve been united by an unchanging purpose - To put a Smile on our customers’ faces today and tomorrow. It is always our pride and joy to bring a Smile to everyone we come in touch with. AS Watson Group looks forward to working with the security community to discover vulnerabilities in order to keep our businesses and customers safe. Please note that some of our websites run on a similar codebase (Hybris/SAP CMS). This means that issues that are found on one asset, might also apply to another asset (also across programs). These findings will be regarded and treated as a single issue. Our websites are always under development and have new releases on a regular basis. These new releases sometimes do introduce functionalities (and potentially new vulnerabilities). We encourage you to keep testing our assets to uncover these. This program focuses specifically on the Kruidvat and Trekpleister brands from AS Watson. These brands are operating in The Netherlands and Belgium.

The AS Watson Bug Bounty Program AS Watson is a diverse family of over 130,000 people, 17,000 stores shared by 12 retail brands in 31 markets. Established in 1841, AS Watson Group is one of the world's longest-standing and most recognised retail companies with roots in Asia. For 185 years, we’ve been united by an unchanging purpose - To put a Smile on our customers’ faces today and tomorrow. It is always our pride and joy to bring a Smile to everyone we come in touch with. AS Watson Group looks forward to working with the security community to discover vulnerabilities in order to keep our businesses and customers safe. Please note that some of our websites run on a similar codebase (Hybris/SAP CMS). This means that issues that are found on one asset, might also apply to another asset (also across programs). These findings will be regarded and treated as a single issue. Our websites are always under development and have new releases on a regular basis. These new releases sometimes do introduce functionalities (and potentially new vulnerabilities). We encourage you to keep testing our assets to uncover these. This bug bounty program focuses specifically on the Watsons brands from AS Watson. This brand has online and offline stores in many different countries in Asia and Europe. In addition, the PNS Hong Kong, Fortress Hong Kong, LookAtMe Philippines, Drogas and the Moneyback Hong Kong Loyalty program are included in the scope for this bug bounty program.

The Storebrand Vulnerability Disclosure Program (VDP) provides a clear and secure way for security researchers, customers, and partners to report potential security vulnerabilities affecting Storebrand’s digital services and systems. We encourage responsible, good-faith security research and are committed to working collaboratively with reporters to validate, triage, and remediate legitimate findings. This program outlines which assets are in scope, how vulnerabilities should be reported, and what reporters can expect from Storebrand in terms of response and handling. Storebrand is committed to coordinated vulnerability disclosure and to protecting customer data, financial information, and service availability. Reports submitted through this program will be handled confidentially and in accordance with applicable laws, regulations, and our internal security and compliance processes.

Anaconda is the trusted platform accelerating enterprise AI with governed open-source Python. We serve millions of users globally—from individual developers to Fortune 500 companies—powering AI/ML model development, data science workflows, and intelligent applications. Our platform provides pre-vetted Python packages, automated security scanning, and enterprise governance that helps organizations move from AI prototype to production faster, safer, and smarter. What do we do? We provide enterprise-ready AI development tools and trusted Python package management solutions. Anaconda Core delivers secure, validated open-source packages with intelligent dependency resolution. Anaconda AI Catalyst enables rapid deployment of pre-validated, optimized AI models with built-in governance. Our platform helps organizations scale AI initiatives while maintaining security and compliance standards. Intention for this program To collaborate with the community in identifying and addressing security vulnerabilities across Anaconda's infrastructure, products, and services. Your responsible disclosure helps us maintain the trust of millions of users who rely on our platform to advance their AI initiatives.

Nutaku Entertainment Ltd, operator of www.nutaku.com, and its affiliated entities (collectively, “Aylo”) is a tech pioneer offering world-class adult content platforms. Security is a top priority for Aylo, and we are committed to working with skilled security researchers to continuously improve the security of our platforms. To this end, Aylo has established this bug bounty program for Nutaku in partnership with Intigriti (the “Program”). If you have discovered a vulnerability within our scope, we welcome you to report it through this Program and will work with you to resolve the issue promptly while ensuring you are fairly rewarded for your discovery.

Aylo Premium Ltd, operator of www.brazzers.com, and its affiliated entities (collectively, “Aylo”) is a tech pioneer offering world-class adult content platforms. Security is a top priority for Aylo, and we are committed to working with skilled security researchers to continuously improve the security of our platforms. To this end, Aylo has established this bug bounty program for Brazzers in partnership with Intigriti (the “Program”). If you have discovered a vulnerability within our scope, we welcome you to report it through this Program and will work with you to resolve the issue promptly while ensuring you are fairly rewarded for your discovery.

Aylo Freesites Ltd, operator of www.pornhub.com, and its affiliated entities (collectively, “Aylo”) is a tech pioneer offering world-class adult content platforms. Security is a top priority for Aylo, and we are committed to working with skilled security researchers to continuously improve the security of our platforms. To this end, Aylo has established this bug bounty program for Pornhub in partnership with Intigriti (the “Program”). If you have discovered a vulnerability within our scope, we welcome you to report it through this Program and will work with you to resolve the issue promptly while ensuring you are fairly rewarded for your discovery.

Aylo Social Ltd, operator of www.mydirtyhobby.com, and its affiliated entities (collectively, “Aylo”) is a tech pioneer offering world-class adult content platforms. Security is a top priority for Aylo, and we are committed to working with skilled security researchers to continuously improve the security of our platforms. To this end, Aylo has established this bug bounty program for MyDirtyHobby in partnership with Intigriti (the “Program”). If you have discovered a vulnerability within our scope, we welcome you to report it through this Program and will work with you to resolve the issue promptly while ensuring you are fairly rewarded for your discovery.

Aylo Freesites Ltd, operator of www.trafficjunky.com, and its affiliated entities (collectively, “Aylo”) is a tech pioneer offering world-class adult content platforms. Security is a top priority for Aylo, and we are committed to working with skilled security researchers to continuously improve the security of our platforms. To this end, Aylo has established this bug bounty program for TrafficJunky in partnership with Intigriti (the “Program”). If you have discovered a vulnerability within our scope, we welcome you to report it through this Program and will work with you to resolve the issue promptly while ensuring you are fairly rewarded for your discovery.

Aylo Billing US Corp & Aylo Billing Limited, operator of www.probiller.com, and its affiliated entities (collectively, “Aylo”) is a tech pioneer offering world-class adult content platforms. Security is a top priority for Aylo, and we are committed to working with skilled security researchers to continuously improve the security of our platforms. To this end, Aylo has established this bug bounty program for Probiller in partnership with Intigriti (the “Program”). If you have discovered a vulnerability within our scope, we welcome you to report it through this Program and will work with you to resolve the issue promptly while ensuring you are fairly rewarded for your discovery.

DIGI Communications is a European telecommunications group operating in Romania, Spain, Italy, Portugal, and Belgium, providing mobile and fixed telephony, high-speed internet, and television services under its local brands. The platform enables users to securely access and interact with information associated with their DIGI profile.

Welcome to Voi's Vulnerability Disclosure Program. At Voi, we’re about transforming urban transport. Since 2018, we’re on a mission to challenge the car-centric culture and bring in mobility solutions that make city life smoother, greener and more enjoyable.

Toast is the all-in-one digital technology platform built specifically for the restaurant community. We serve a diverse range of customers—from distinct local cafes to nationwide enterprise chains—powering front-of-house operations, back-of-house management, and guest-facing technology. Our platform combines powerful cloud-based software with durable hardware to help restaurants operate efficiently, delight guests, and thrive in a digital-first world. What do we do? We provide a comprehensive operating system for restaurants. The Toast platform unites Point of Sale (POS), Kitchen Display Systems (KDS), Online Ordering, and Team Management into a single, streamlined ecosystem. Beyond secure payment processing, we handle critical workflows including inventory management, payroll, loyalty programs, and third-party delivery integrations. We help restaurateurs streamline their operations, grow their business, and deliver a seamless dining experience to guests everywhere. Intention for this program To partner with the global security research community in identifying and addressing potential vulnerabilities across Toast’s hardware, software, and cloud infrastructure. Security is a priority for the Toast ecosystem given its role in daily restaurant operations. Your responsible disclosure helps us validate our defenses and ensures a reliable, secure experience for the merchants and guests who utilize our services. The targets listed below are publicly accessible, but we do not provide accounts for accessing authenticated functions. If you can create self-register for any application, feel free to do so using your Intigriti email (intigriti.me). If account creation requires a phone number, please include a reference to Intigriti in your profile, such as using 'intigriti-<name>' in the first name field or something similar.

Trusted Firmware provides a reference implementation of secure software for Arm Armv8-A, Armv9-A and Armv8-M. It provides SoC developers and OEMs with a reference trusted code base complying with the relevant Arm specifications. This Bug Bounty program rewards eligible vulnerability reports in the following Trusted Firmware projects: - Trusted Firmware-A (TF-A) - Trusted Firmware-M (TF-M) - OP-TEE - MbedTLS Note: If you like this, you may also be interested in the Arm Bug Bounty Program at https://app.intigriti.com/company/programs/arm/arm/detail.

At Liferay, we are committed to providing a secure and reliable digital environment for our users. We recognize the invaluable role that the security research community plays in helping us maintain the security of our systems. This Vulnerability Disclosure Program (VDP) outlines a clear and responsible path for security researchers to report vulnerabilities they discover in our publicly accessible systems.

At Water-link, we build with precision and defend with purpose—but we know the real edge comes from those who operate outside the perimeter. You spot the cracks before they become breaches. You think in payloads, not platitudes. And that’s exactly why your work matters. Your ability to uncover vulnerabilities and help us patch them doesn’t just harden our systems—it raises the bar for security across the entire web. You’re not just contributors; you’re catalysts. We see the time you invest, the skill you bring, and the mindset that drives it all. And we respect the hell out of it. Let’s keep pushing boundaries together. . Please note that we will not be paying bounties for this VDP - if a bounty is what you're after, our public program is for you! Stay curious. Stay dangerous (to bugs, that is) 😉

The Ubisoft Game Security Program provides a dedicated channel for reporting security issues that affect Ubisoft video games and their related online services — including game clients, consoles, PC builds, back-end game servers, matchmaking, in‑game economies, and game‑specific APIs. This program is focused exclusively on game titles; corporate infrastructure should be reported via the Corporate Security Program. We encourage careful, good‑faith research and concise reports with reproducible steps and the minimal evidence required to show impact. Wherever possible, test on isolated environments or use disposable/test accounts — do not interfere with live matches or other players’ experiences. Extracting or exposing player personal data will not be tolerated, and do not publish findings publicly until they are remediated or approved for disclosure. Prohibited activities include social engineering, physical intrusion, creating or distributing cheats or bypasses for anti‑cheat systems, manipulating live economies to harm players, or any actions that materially disrupt gameplay or services. When reporting, provide clear reproduction steps, affected platform/version, PoC where safe, and any relevant logs or captures. Our Security team will acknowledge submissions, investigate promptly, keep reporters informed, and offer recognition consistent with program policies. To facilitate easier bug reproduction, we ask that a hash or version of the game being exploited be included in the report. Additionally, in the PoC source code, if hardcoded Virtual Addresses are used, include a comment specifying the corresponding Relative Virtual Addresses and offsets of the manipulated functions/objects. To submit a report, please use Intigriti so we can review and remediate quickly.

Liferay is a provider of B2B enterprise open source technologies that empowers businesses around the world to solve complex digital challenges. Over a thousand organizations in financial services, insurance, manufacturing, healthcare and government use Liferay worldwide. Our goal is to help companies reach their full potential to serve others, and we try to leave a positive mark on the world through our business and technology.