At Telenor we recognize the important role that security researchers play in helping to keep Telenor Sverige AB and our customers secure.

By participating in this program you acknowledge that you have read and agreed to these Program Rules.

Scope of this program

We aim to test most of our assets through this program.
Nevertheless, we ask you to read carefully the list of exclusions (Out-of-Scope) before starting; some domains are related to Telenor's customers, these should not be tested and will not be eligible for a reward anyway.

Eligibility and Responsible Disclosure

We are happy to thank everyone who submits valid reports which help us improve the security of Telenor Sverige AB, however, only those that meet the following eligibility requirements may receive a monetary reward:

• You must be the first reporter of a vulnerability.
• The vulnerability must be a qualifying vulnerability
• Any vulnerability found must be reported no later than 24 hours after discovery and exclusively through yeswehack.com
• You must send a clear description of the report along with steps to reproduce the issue, include attachments such as screenshots or proof of concept code as necessary.
• You must avoid tests that could cause degradation or interruption of our service. (Please respect this, DoS not in scope)
• You must not leak, manipulate, or destroy any user data.
• You must not be a former or current employee of Telenor or one of its contractor.
• No vulnerability disclosure, including partial, is allowed. This includes resolved and closed reports.

Required Submission Information

For all submissions, please include a full description of the vulnerability, including exploitability and impact. Also, provide evidence of the issue, such as:

• Videos
• Screenshots
• PoC code
• Traffic logs
• Web/API requests and responses
• Email/user ID of test accounts
• IP address used during testing
• For RCE reports, see the RCE Rules section below

Reports of leaks and exposed credentials

We are open to some types of reports related to exposed secrets, credentials or information.

Please pay attention to our list of Qualifying/Non-Qualifying vulnerabilities, as well as our Scope and the following rules.

In the context of this program, we do not intend to encourage, accept or reward reports of leaks or exposed credentials.
We will only consider vulnerabilities or leaks that are identified directly on the scope of this program.

Also, in order not to encourage dark and grey economies, in particular the purchase, resale and trade of identifiers or stolen information, as well as all types of dangerous behaviour (e.g. social engineering, ...), we will not accept or reward any report based on information whose source is not the result of failure on the part of our organization or one of our employees/service providers.

This excludes, but is not limited to:

• Stolen credentials gathered from unidentified sources
• Exposed credentials on an out-of-scope assets
• Exposed GitHub/GitLab (or similar) instance
• Exposed secrets (e.g. API tokens/keys or other technical credentials)
• Exposed PII on an out-of-scope asset

To summarize our policy, you may refer to this table :

Remote Code Execution (RCE) and Cross-Site Scripting (XSS):

RCE Rules

Allowed Actions:

• Directly injecting benign commands via the web application or interface (e.g. whoami, hostname, ifconfig)
• Uploading a file that outputs the result of a hard-coded benign command

Prohibited Actions:

• Uploading files that allow arbitrary commands (i.e. a webshell)
• Modifying any files or data, including permissions
• Deleting any files or data
• Interrupting normal operations (e.g. triggering a reboot)
• Creating and maintaining a persistent connection to the server
• Intentionally viewing any files or data beyond what is needed to prove the vulnerability
• Failing to disclose any actions taken or applicable required information

For reports, please include:

• Source IP and timestamp (with time zone)
• Server request and responses
• Filenames of any uploaded files, which must include “telenor_ywh” and the timestamp
• Callback IP and port (if applicable)
• Any data accessed (deliberately or inadvertently)

About XSS

Unless you can demonstrate a specific situation where an XSS becomes a "HIGH" or "CRITICAL" finding, it is likely an XSS vulnerability will score as "MEDIUM".

In this case, and if you want your report to be rewarded as a ‘High’ or ‘Critical’ finding, please provide a realistic, proven and step by step detailed scenario of exploitability, including elements that could be modified through this exploit, or actions that could be undertaken on behalf of targeted user.

For example : XHR request to modify account information and could lead to an account take over.

There is also a certain chance, that similar XSS exploits on different endpoints or parameters are caused by the same underlying input validation weakness. If that is the case, we reserve the right to honor only a single report and to reject the other ones as ‘Duplicate’/’Informative’.

Program Terms

Termination

In the event (i) you breach any of these Program Rules or the terms and conditions of YesWeHack platform; or (ii) Telenor determines, in its sole discretion that your continued participation in the Bug Bounty Program could adversely impact Telenor (including, but not limited to, presenting any threat to Telenor’s systems, security, finances and/or reputation) Telenor may immediately terminate your participation in this Bug Bounty Program.

Confidentiality

Any information you receive or collect about Telenor or any Telenor user through this Bug Bounty Program (“Confidential Information”) must be kept confidential and only used in connection with the program. You may not use, disclose or distribute any such Confidential Information, including, but not limited to, any information regarding your Submission and information you obtain when researching the Telenor sites, without Telenor’s prior written consent.

Changes to Program Rules

The Bug Bounty Program, including its policies, is subject to change or cancellation by Telenor at any time, without notice. As such, Telenor may amend these Program Rules at any time by posting a revised version on YesWeHack platform. By continuing to participate in the Program after Telenor posts any such changes, you accept the Program Terms, as modified.

Contact

If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please reach out to yeswehack@telenor.se before going any further.