We are happy to inform you that the scope has been updated for this program. Enjoy testing the new subdomains of *.post.ch!
Swiss Post - the world’s best postal service - stands for secure and trustworthy conveyance of information.
In order to meet the highest quality standards, we are constantly mitigating security issues on multiple levels.
We are open to your vulnerability reports, and we will pay out a fair reward for confirmed and in-scope vulnerabilities.
Our aim is to continuously include more scopes of Swiss Post into this program. But we also reserve the right to terminate this program at any time.
Participants are permitted to perform any tests and investigations on the systems, as long as they act in good faith and respect the scope and rules described below.
Please read the following rules carefully, especially the information regarding the scopes of this program and the corresponding reporting requirements.
Please do not interfere with other hunters’ work when searching for vulnerabilities.
If the definition of the scope prevents you from exploiting other server-side vulnerabilities, this will be taken into consideration when calculating the compensation (e.g. you successfully pwn a server and are ready for lateral movement, but you do not exploit surrounding systems because they are out of scope).
We would like to thank everyone who submits valid reports that help us improve the security of Swiss Post’s IT system. However, only those that meet the following eligibility requirements may receive a monetary reward:
Reports on vulnerabilities are examined by our security analysts. Our analysis, and the reward we pay, is always based on worst-case exploitation and the business criticality of the vulnerability.
The scope of this bug bounty program includes the following apps, web apps and URIs, as well as all subdomains of *.post.ch within AS12511 and the IP range 194.41.128.0/17.
Here you can create your account for the "Swiss Post Customer Login" and login to the digital world of Swiss Post. Please note that the alternative login with SwissID (https://login.swissid.ch) is out of scope.
This is the official online shop of Swiss Post.
Here you can manage your shipments and organize your preferred delivery options.
This online service provides all Swiss Post services for your addresses on a single platform – from verifying to updating and address management.
This service gives you access to different recipient services of Swiss Post.
The Post-App offers useful support and practical information on Swiss Post services.
Billing Online is our payment service that is used within many of our online services.
Two additional use cases that you can access through your wallet (https://account.post.ch/selfadmin/payment/) are loading your wallet and changing your credit card details.
There are no test credit cards for our production environments. We suggest using your own credit cards.
For more information, please have a look at the integration guidelines.
Please note that some of the applications may contain links or redirect you out of the URIs described here. This means you are leaving the scope if you follow these links / redirects.
For anything else that has not yet been mentioned so far, we consider all subdomains of *.post.ch within the net AS12511 and IP Range 194.41.128.0/17 as in scope.
Please make sure to only test services on ports 80 and 443.
Host | Port | IP range | is a valid report |
---|---|---|---|
*.post.ch | 80 or 443 | 194.41.128.0/17 (194.41.128.1 - 194.41.255.254) | ✅ |
*.post.ch | 80 or 443 | other than 194.41.128.0/17 (194.41.128.1 - 194.41.255.254) | ❌ |
*.post.ch | other than 80 or 443 | 194.41.128.0/17 (194.41.128.1 - 194.41.255.254) | ❌ |
other than *.post.ch | 80 or 443 | 194.41.128.0/17 (194.41.128.1 - 194.41.255.254) | ❌ |
Any reports outside of the defined scope or range of this program will not be accepted/rewarded.
You can however report any findings outside of this scope within our VDP.
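The scope table above is a three-part rule: the host must be a subdomain of post.ch, the port must be 80 or 443, and the address the name resolves to must fall inside 194.41.128.0/17. The following Python script is an added example (not tooling provided by Swiss Post or YesWeHack) that encodes that rule so a hunter can filter a list of discovered subdomains before testing. Two assumptions are made: the wildcard *.post.ch is taken to require at least one label before post.ch (so the apex alone does not match), and the AS12511 condition is not checked, since that needs a BGP or whois lookup; the prefix check is used on its own. The sample hosts and addresses at the bottom are constructed for illustration.

```python
"""Scope filter for a *.post.ch / ports 80,443 / 194.41.128.0/17 rule.

Added example, not program-provided tooling. Assumptions: the wildcard
requires a subdomain label (apex 'post.ch' is not matched), and the
AS12511 condition is not verified (only the prefix is checked).
"""
import ipaddress
import socket
from typing import Callable, List, Tuple

IN_SCOPE_SUFFIX = ".post.ch"
IN_SCOPE_PORTS = {80, 443}
IN_SCOPE_NET = ipaddress.ip_network("194.41.128.0/17")


def host_in_scope(host: str) -> bool:
    """True for subdomains of post.ch (case-insensitive, trailing dot tolerated)."""
    h = host.rstrip(".").lower()
    return h.endswith(IN_SCOPE_SUFFIX)


def classify(host: str, port: int, ip: str) -> Tuple[bool, str]:
    """Apply the published table to one host/port/IP triple.

    Returns (in_scope, reason). Checks are ordered as in the table: host
    pattern first, then port, then the address range.
    """
    if not host_in_scope(host):
        return False, "host is not a *.post.ch subdomain"
    if port not in IN_SCOPE_PORTS:
        return False, "port %d is not 80 or 443" % port
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False, "%r is not a valid IP address" % ip
    if addr not in IN_SCOPE_NET:
        # Also catches IPv6 answers: the program publishes an IPv4 range only.
        return False, "%s is outside %s" % (ip, IN_SCOPE_NET)
    return True, "host, port and IP all match the published scope"


def resolve_and_classify(
    host: str,
    port: int,
    resolver: Callable[[str], Tuple[str, List[str], List[str]]] = socket.gethostbyname_ex,
) -> Tuple[bool, List[Tuple[str, bool, str]]]:
    """Resolve host and classify every returned address.

    The resolver is injectable so the logic can be exercised offline. The
    overall verdict is conservative (my choice, not a program rule): a host is
    treated as in scope only if every address it currently returns is inside
    the prefix, because a request may land on any of them.
    """
    try:
        _, _, addrs = resolver(host)
    except OSError as exc:
        return False, [("", False, "resolution failed: %s" % exc)]
    details = [(ip,) + classify(host, port, ip) for ip in addrs]
    overall = bool(details) and all(ok for _, ok, _ in details)
    return overall, details


if __name__ == "__main__":
    # Constructed sample input (not real resolution results).
    samples = [
        ("account.post.ch", 443, "194.41.130.10"),
        ("account.post.ch", 8443, "194.41.130.10"),
        ("login.swissid.ch", 443, "194.41.130.10"),
        ("www.post.ch", 443, "194.41.127.255"),
        ("post.ch", 443, "194.41.200.1"),
    ]
    for host, port, ip in samples:
        ok, why = classify(host, port, ip)
        print("%-18s %5d %-16s %s (%s)" % (host, port, ip, "IN" if ok else "OUT", why))
```

Run it against a list of subdomains from your enumeration step and keep only the hosts for which `resolve_and_classify` returns True; anything the program's own applications redirect you to is subject to the same check, since following an off-scope redirect leaves the scope.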
At the very core of any organization's web infrastructure lies DNS.
Although this program’s scope is limited, we are appreciative of any help provided on this specific topic.
For the .post.ch domain we are accepting subdomain takeover reports with a fixed reward of 1000€*.
To be eligible, the subdomain takeover must be demonstrated, ideally with the MD5 of your username in a TXT file (i.e. md5(hunter_name).txt) hosted on the vulnerable FQDN.
We won’t qualify hypothetical takeovers nor simple DNS dangling reports.
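The takeover rule above draws a line between a dangling record and a demonstrated takeover: only the latter, proven by a marker file named md5(hunter_name).txt served from the affected FQDN, is rewarded. The script below is an added example of a self-check in that form, written for this page and not tooling from the program. It computes the marker name, fetches it over HTTPS from the claimed host, and also fetches a control path so that a catch-all host that returns the same body for any URL is not mistaken for proof. Two assumptions are made: the marker file is expected to contain the hunter name as plain text (the program only specifies the file name), and the control path name is my own choice. The fetch function is injectable so the logic can be exercised offline with constructed responses.

```python
"""Self-check for a subdomain-takeover proof of concept in the form
md5(hunter_name).txt hosted on the vulnerable FQDN.

Added example, not program tooling. Assumptions: the marker file body is the
hunter name in plain text, and a control path is used to reject catch-all
hosts; neither detail is specified by the program.
"""
import hashlib
import urllib.error
import urllib.request
from typing import Callable, Optional, Tuple

Fetch = Callable[[str], Tuple[Optional[int], str]]


def marker_filename(hunter_name: str) -> str:
    """The file name the program asks for: hex MD5 of the hunter name plus .txt."""
    return hashlib.md5(hunter_name.encode("utf-8")).hexdigest() + ".txt"


def http_fetch(url: str, timeout: float = 10.0) -> Tuple[Optional[int], str]:
    """GET url and return (status, body). Status is None if the host is unreachable."""
    req = urllib.request.Request(url, headers={"User-Agent": "takeover-poc-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as exc:
        return exc.code, ""
    except (urllib.error.URLError, OSError):
        return None, ""


def check_takeover(fqdn: str, hunter_name: str, fetch: Fetch = http_fetch) -> str:
    """Classify the PoC as 'demonstrated', 'not_demonstrated' or 'unreachable'.

    'not_demonstrated' covers the cases the program does not reward: a
    dangling record that serves nothing, a marker with the wrong content,
    or a catch-all host that answers every path with the same body.
    """
    name = marker_filename(hunter_name)
    status, body = fetch("https://%s/%s" % (fqdn, name))
    if status is None:
        return "unreachable"
    if status != 200 or body.strip() != hunter_name:
        return "not_demonstrated"
    # Control request: a host that serves the same body for an unrelated path
    # is not evidence that the hunter placed the file there.
    ctl_status, ctl_body = fetch("https://%s/%s-control.txt" % (fqdn, name[:8]))
    if ctl_status == 200 and ctl_body.strip() == hunter_name:
        return "not_demonstrated"
    return "demonstrated"


if __name__ == "__main__":
    # Constructed responses standing in for a real host (no network access).
    def fake_fetch(url: str) -> Tuple[Optional[int], str]:
        if url.endswith("/" + marker_filename("alice")):
            return 200, "alice\n"
        return 404, ""

    print(marker_filename("alice"))
    print(check_takeover("abandoned.post.ch", "alice", fetch=fake_fetch))
```

Before submitting, run the check against the real FQDN with the default fetcher; a result other than `demonstrated` means the report would fall under the hypothetical or dangling-only category the program does not qualify.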
In the context of this program, we do not accept or reward reports of leaks that are not applicable to our program’s scope and identified outside of our program’s scope.
Also, in order not to encourage dark and grey economies (in particular the purchase, resale and trade of identifiers or stolen information) or any type of dangerous behavior (e.g. social engineering), we will not accept or reward any report based on information whose source is not a failure on the part of our organization or one of our employees or service providers.
To summarize our policy, you may refer to this table:
Type of leak | Source of leak is in-scope | Source of leak belongs to Swiss Post but is out-of-scope | Source of leak does not belong to Swiss Post and is out-of-scope |
---|---|---|---|
Impact is in-scope (e.g. valid credentials on an in-scope asset) | Eligible | Eligible | Not eligible |
Impact is out-of-scope (e.g. valid credentials for an out-of-scope asset) | Eligible | Not eligible | Not eligible |
This excludes, but is not limited to:
As a complement to the Program's rules and testing policy:
GL;HF
Happy Hunting!
Scope Type | Scope Name |
---|---|
android_application | https://play.google.com/store/apps/details?id=com.nth.swisspost&hl=de_CH&gl=US |
ios_application | https://apps.apple.com/ch/app/die-post/id378676700 |
undefined | (.post.ch:80|.post.ch:443) AND 194.41.128.0/17 |
web_application | https://account.post.ch |
web_application | https://shop.post.ch/shop |
web_application | https://service.post.ch/ekp-web/ |
web_application | https://service.post.ch/zopa/app/ |
web_application | https://service.post.ch/ele-klp/ele/ |
web_application | https://billingonline.post.ch/OnlinePayment/Web/v1/BOI |
Scope Type | Scope Name |
---|---|
undefined | Anything that has not been described as in scope in the previous section is automatically out of scope. |
undefined | Attacks on administrative and surrounding systems that are not used for the in-scope services are not permitted (this includes DNS, NTP, routers, systems of the ISP, etc.). |
undefined | The alternative login (https://login.swissid.ch) is out of scope. It also leads to the in-scope service, (https://account.post.ch) but we have designated it as out of scope. |
undefined | Please note that some of the applications may contain links or redirect you away from the URIs described in the scope section. This means you are leaving the scope if you follow these links / redirects. |
undefined | Any services related to Incamail (for example https://incamail-dev.post.ch (194.41.248.224) and https://incamail-test.post.ch (194.41.248.58)) |
FireBounty crawled the Swiss Post program on the YesWeHack platform on 2021-04-12.