2021-03-29
Telenor Sweden Public Bug Bounty Program

At Telenor we recognize the important role that security researchers play in helping to keep Telenor Sverige AB and our customers secure.

By participating in this program you acknowledge that you have read and agreed to these Program Rules.

Scope of this program

We aim to test most of our assets through this program.
Nevertheless, we ask you to read the list of exclusions (Out-of-Scope) carefully before starting. Some domains belong to Telenor's customers; these must not be tested and would not be eligible for a reward in any case.

Eligibility and Responsible Disclosure

We are happy to thank everyone who submits a valid report that helps us improve the security of Telenor Sverige AB. However, only reports that meet the following eligibility requirements may receive a monetary reward:

  • You must be the first reporter of the vulnerability.
  • The vulnerability must be a qualifying vulnerability.
  • Any vulnerability found must be reported no later than 24 hours after discovery, and exclusively through yeswehack.com.
  • You must send a clear description of the report along with steps to reproduce the issue, and include attachments such as screenshots or proof-of-concept code as necessary.
  • You must avoid tests that could cause degradation or interruption of our service. (Please respect this: DoS is not in scope.)
  • You must not leak, manipulate, or destroy any user data.
  • You must not be a former or current employee of Telenor or of one of its contractors.
  • No vulnerability disclosure, including partial disclosure, is allowed for the moment.

Bug Submission Requirements

Required information

For all submissions, please include:

  • Full description of the vulnerability being reported, including its exploitability and impact
  • Evidence and explanation of all steps required to reproduce the submission, which may include:
      • Videos
      • Screenshots
      • PoC code
      • Traffic logs
      • Web/API requests and responses
      • Email address or user ID of any test accounts
      • IP address used during testing
      • For RCE submissions, see below

Remote Code Execution (RCE) Testing and Reporting Guidelines:

Report details must include:

  • Source IP address
  • Timestamp, including time zone
  • Full server request and responses
  • Filenames of any uploaded files, which must include “telenor_ywh” and the timestamp
  • Callback IP and port, if applicable
  • Any data that was accessed, either deliberately or inadvertently

Allowed Actions:

  • Directly injecting benign commands via the web application or interface (e.g. whoami, hostname, ifconfig)
  • Uploading a file that outputs the result of a hard-coded benign command

Prohibited Actions:

  • Uploading files that allow arbitrary commands (i.e. a webshell)
  • Modifying any files or data, including permissions
  • Deleting any files or data
  • Interrupting normal operations (e.g. triggering a reboot)
  • Creating and maintaining a persistent connection to the server
  • Intentionally viewing any files or data beyond what is needed to prove the vulnerability
  • Failing to disclose any actions taken or applicable required information

About Cross-Site-Scripting (XSS)

Unless you can demonstrate a specific situation where an XSS becomes a "HIGH" or "CRITICAL" finding, it is likely an XSS vulnerability will score as "MEDIUM".

In this case, if you want your report to be rewarded as a "High" or "Critical" finding, please provide a realistic, proven, step-by-step scenario of exploitability, including the elements that could be modified through this exploit or the actions that could be undertaken on behalf of the targeted user.

For example: an XHR request that modifies account information and could lead to an account takeover.

There is also a certain chance that similar XSS exploits on different endpoints or parameters are caused by the same underlying input validation weakness. If that is the case, we reserve the right to honor only a single report and to reject the others as "Duplicate"/"Informative".

Program Terms

Termination

In the event (i) you breach any of these Program Rules or the terms and conditions of YesWeHack platform; or (ii) Telenor determines, in its sole discretion that your continued participation in the Bug Bounty Program could adversely impact Telenor (including, but not limited to, presenting any threat to Telenor’s systems, security, finances and/or reputation) Telenor may immediately terminate your participation in this Bug Bounty Program.

Confidentiality

Any information you receive or collect about Telenor or any Telenor user through this Bug Bounty Program (“Confidential Information”) must be kept confidential and only used in connection with the program. You may not use, disclose or distribute any such Confidential Information, including, but not limited to, any information regarding your Submission and information you obtain when researching the Telenor sites, without Telenor’s prior written consent.

Changes to Program Rules

The Bug Bounty Program, including its policies, is subject to change or cancellation by Telenor at any time, without notice. As such, Telenor may amend these Program Rules at any time by posting a revised version on YesWeHack platform. By continuing to participate in the Program after Telenor posts any such changes, you accept the Program Terms, as modified.

In Scope

Scope Type        Scope Name
web_application   *.telenor.se
web_application   *.bredbandsbolaget.se
web_application   *.europolitan.se
web_application   *.ownit.se
web_application   *.vimla.se
web_application   *.vimla.work
web_application   *.vimla.io

Out of Scope

Scope Type        Scope Name
undefined         Any domain that looks like it is owned by a third party or a customer (excluded to protect customers' privacy)
undefined         Mobile services and devices provided by Telenor Sweden and subsidiaries that are not reachable from the Internet
undefined         Connect ID - Hosted by Telenor Group
web_application   *.bbcust.telenor.se
web_application   *.cust.telenor.se
web_application   *.sme.telenor.se
web_application   *.cust.bredbandsbolaget.se
web_application   *.customers.ownit.se
web_application   *.cust.ownit.se
web_application   Other business units of the Telenor Group - including *.telenor.com
web_application   stage-vimla-se.vimla.io


FireBounty crawled the program Telenor Sweden Public Bug Bounty Program on the YesWeHack platform on 2021-03-29.
