IMPORTANT! We're running a Web Application Firewall (WAF). During your testings you may experience blocks caused by our firewall. Errors generated by the WAF ("An error occurred. [...] nginx") do NOT mean that you found a vulnerability on application layer. In fact, these errors are generated by the WAF although error messages might look as they originate from the webserver. If you experience this error message, please change your IP address to be able to access our website again.

About

Natur.com was founded in 2006 and runs a Germany-based online store for organic food. We specialize in fresh fruits and vegetables and distribute a large assortment of foodstuff for daily needs. All of our products get shipped throughout the European Union.

Response Targets

Natur.com will make a best effort to meet the following response targets for hackers participating in our program:

• Time to first response (from report submit): 2 business days

• Time to triage (from report submit): 2 business days

• Time to resolution: 30 days

Program Terms

• By providing a submission or agreeing to the Program Terms, you agree that you may not publicly disclose your findings or the contents of your submission to any third parties in any way without Natur.com's prior written approval.

• Never attempt to view, modify, or damage data belonging to others. If you need to test a vulnerability, create an account.

• Use this telephone number when creating an account: 01337-1337

• Do not mass create accounts.

• Limit automated scanning to 50 requests per minute.

• We kindly please you to provide detailed reports with reproducible steps. If your report doesn't include enough details to reproduce the issue, the report may be closed as Informative.

• Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.

• When duplicates occur, we will only examine the first submitted report. All further reports will be closed as Duplicate.

• Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own.

Scope for Web Applications

In-Scope Vulnerabilities

Accepted, in-scope vulnerabilities include, but are not limited to:

• Disclosure of sensitive or personally identifiable information

• Cross-Site Scripting (XSS)

• Cross-Site Request Forgery (CSRF) for sensitive functions in a privileged context

• Server-side or remote code execution (RCE)

• Authentication or authorization flaws, including insecure direct object references and authentication bypass

• Directory traversal

• Injection vulnerabilities, especially SQL and XML injection

• Significant security misconfiguration with a verifiable vulnerability

Out-of-Scope Vulnerabilities

Certain vulnerabilities are considered out-of-scope. Those out-of-scope vulnerabilities include, but are not limited to:

• DoS / DDoS attacks

• Brute force attacks

• Rate limiting issues

• Clickjacking on pages with no sensitive actions

• Missing best practices in TLS configuration

• Vulnerabilities on third-party libraries (such as jQuery) without showing specific impact to the target application

• Exposed credentials that are either no longer valid, or do not pose a risk to an in-scope asset

• Header injections without a specific, demonstrable impact

• Self-XSS and XSS without impact

• Man-in-the-Middle attacks

• Unauthenticated / logout / login CSRF

• Reports about weak password policy

• Lack of secure / HttpOnly flags on non-sensitive cookies

• Lack of captcha

• Lack of multi-factor authentication

• "rel=noopener" or other tab-nabbing issues

• Presence of autocomplete on web forms

• Session timeout

• Software version disclosure

• Enabled HTTP methods

• Issues related to DMARC / DKIM / SPF

• Vulnerabilities only affecting users of outdated or unpatched browsers and platforms

• Any vulnerabilities requiring significant and unlikely interaction by the victim, such as disabling browser controls

• Information disclosure of public or non-protected information

• Vulnerabilities involving stolen credentials or physical access to a device

• Any physical attacks against Natur.com property or data centers

• Social engineering attacks (e.g. phishing, vishing, smishing)

• Please don't send us vulnerability scanner output. If it's a real bug, you must provide steps to reproduce. Any automated reports submitted will be closed without being triaged.

• Any other submission determined to be low risk, based on unlikely or theoretical attack vectors, requiring significant user interaction, or resulting in minimal impact

Disclosure Policy

As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from Natur.com. Follow HackerOne's disclosure guidelines.

Thank you for helping keep Natur.com and our customers safe!