52212 policies in database
Link to program      
2021-04-12
Swiss Post logo
Thank
Gift
HOF
Reward

Reward

Swiss Post

05.11.2024 Update :

We are happy to inform you that the scope has been updated for this program. Enjoy testing the new subdomains of *.post.ch!

ABOUT THE PROGRAM

Swiss Post - the world’s best postal service - stands for secure and trustworthy conveyance of information.

In order to meet the highest quality standards, we are constantly mitigating security issues on multiple levels.

We are open to your vulnerability reports, and we will pay out a fair reward for confirmed and in-scope vulnerabilities.

Our aim is to continuously include more scopes of Swiss Post into this program. But we also reserve the right to terminate this program at any time.

PROGRAM RULES

Participants are permitted to perform any tests and investigations on the systems, as long as they act in good faith and respect the scope and rules described below.

GENERAL RULES

Please read the following rules carefully, especially the information regarding the scopes of this program and the corresponding reporting requirements.

Please do not interfere with other hunters’ work when searching for vulnerabilities.

If the definition of the scope prevents you from exploiting other server-side vulnerabilities, this will be taken into consideration when calculating the compensation (e.g. you successfully pwn a server and are ready for lateral movement, but you do not exploit surrounding systems because they are out of scope).

ELIGIBILITY AND RESPONSIBLE DISCLOSURE

We would like to thank everyone who submits valid reports that help us improve the security of Swiss Post’s IT system. However, only those that meet the following eligibility requirements may receive a monetary reward:

  • You must be the first reporter of a vulnerability.
  • The vulnerability must be a qualifying vulnerability (see below).
  • Any vulnerability found must be reported no later than 24 hours after discovery and exclusively through yeswehack.com.
  • You must send a clear textual description of the report along with steps to reproduce the issue, including attachments such as screenshots or proof of concept code where necessary (see the reporting requirements for the corresponding scope).
  • You must avoid tests that could cause degradation or interruption of our service (refrain from using automated tools, and limit your requests per second). If you over do it, your IP address might be throttled or even (temporarily) blocked to protect our infrastructure.

Reports on vulnerabilities are examined by our security analysts - our analysis is always based on worst case exploitation & the business criticality of the vulnerability, as is the reward we pay.

LEGAL SAFE HARBOR - CONSEQUENCES OF COMPLYING WITH THESE PROGRAM RULES

  • The Swiss Criminal Code classifies any type of hacking as a crime. This section ensures that, security researchers are safe from any prosecution when they act in good faith.
  • Swiss Post will not take civil action or file a complaint with law enforcement authorities against participants for accidental, good faith violations of the program rules.
  • Swiss Post interprets activities by participants that comply with the program rules as authorized access under the Swiss Criminal Code. This includes Swiss Criminal Code Articles 143, 143bis and 144bis.
  • Swiss Post will not file a complaint against participants of this program for trying to circumvent the security measures deployed in order to protect the services in scope as outlined below.
  • If legal action is initiated by a third party against a participant, and the participant has complied with the program rules as outlined in this document, YesWeHack and Swiss Post will take the necessary measures to inform the authorities that such participant’s actions have been conducted in compliance with this policy.
  • Any non-compliance with the program rules may result in exclusion from the bug bounty program.
  • For minor breaches, a warning may be issued. For severe breaches, Swiss Post reserves the right to file criminal charges.

SCOPE

The scope of this bug bounty program includes the following apps, web apps and URIs, as well all subdomains of *.post.ch within the net AS12511 and IP Range 194.41.128.0/17.

Login & Registration

Here you can create your account for the "Swiss Post Customer Login" and login to the digital world of Swiss Post. Please note that the alternative login with SwissID (https://login.swissid.ch) is out of scope.

Postshop

This is the official online shop of Swiss Post.

My Consignments

Here you can manage your shipments and organize your preferred delivery options.

Address maintenance

This online service provides all Swiss Post services for your addresses on a single platform – from verifying to updating and address management.

Recipient Services

This service gives you access to different recipient services of Swiss Post.

PostApp

The Post-App offers useful support and practical information on Swiss Post services

Billing Online

Billing Online is our payment service that is used within many of our online services.
Two additional use cases that you can acces through your wallet (https://account.post.ch/selfadmin/payment/) are loading your wallet and changing your credit card details.

There are no test credit cards for our productive environments. We suggest using your own credit cards.

For more information, please have a look at the integration guidelines.

Please note that some of the applications may contain links or redirect you out of the URIs described here. This means you are leaving the scope if you follow these links / redirects.

*.post.ch

For anything else that has not yet been mentioned so far, we consider all subdomains of *.post.ch within the net AS12511 and IP Range 194.41.128.0/17 as in scope.

Please make sure to only check vulnerabilities concerning the ports 80 and 443.

Host Port IP range is a valid report
*.post.ch 80 or 443 194.41.128.0/17 (194.41.128.1 - 194.41.255.254)
*.post.ch 80 or 443 other than 194.41.128.0/17 (194.41.128.1 - 194.41.255.254)
*.post.ch other than 80 or 443 194.41.128.0/17 (194.41.128.1 - 194.41.255.254)
other than *.post.ch 80 or 443 194.41.128.0/17 (194.41.128.1 - 194.41.255.254)

Any reports outside of the defined scope or range of this program will not be accepted/rewarded.
You can however report any findings outside of this scope within our VDP.

Subdomain Takeover

At the very core of any organization's web infrastructure lays DNS.
Although this program’s scope is limited, we are appreciative of any help provided on this specific topic.

For the .post.ch domain we are accepting subdomain takeover reports with a fixed reward of 1000€*.
To be eligible, the subdomain takeover must be demonstrated, ideally with the MD5 of your username in a TXT file (i.e. md5(hunter_name).txt) hosted on the vulnerable FQDN.
We won’t qualify hypothetical takeovers nor simple DNS dangling reports.

Reports of leaks and exposed credentials

In the context of this program, we do not accept or reward reports of leaks that are not applicable to our program’s scope and identified outside of our program’s scope.

Also, in order not to encourage dark and grey economies, in particular the purchase, resale and trade of identifiers or stolen information, as well as all types of dangerous behavior (e.g. social engineering, ...), we will not accept or reward any report based on information whose source is not the result of failure on the part of our organization or one of our employees/service providers.

To summarize our policy, you may refer to this table :

Type of leak Source of leak is in-scope Source of leak belongs to Swiss Post but is out-of-scope Source of leak does not belong to Swiss Post and is out-of-scope
Impact is in-scope (e.g. valid credentials on an in-scope asset) Eligible Eligible Not eligible
Impact is out-of-scope (e.g. valid credentials for an out-of-scope asset) Eligible Not eligible Not eligible

This excludes, but is not limited to:

  • Stolen credentials gathered from unidentified sources
  • Exposed credentials that are not applicable on the program’s scope
  • Exposed GitHub/GitLab (or similar) instance with no direct relation with our program’s scope
  • Exposed secrets (e.g. API tokens/keys or other technical credentials) that are not directly related to the program’s scope
  • Exposed PII on an out-of-scope asset

Important precautions and limitations

As a complement to the Program’s rules and testing policy :

  • DO NOT alter compromised accounts by creating, deleting or modifying any data
  • DO NOT use compromised accounts to search for post-auth vulnerabilities (they won’t be eligible anyway)
  • DO NOT include Personally Identifiable Information (PII) in your report and please REDACT/OBFUSCATE the PII that is part of your PoC (screenshot, server response, JSON file, etc.) as much as possible.
  • In case of exposed credentials or secrets, limit yourself to verifying the credentials validity
  • In case of sensitivie information leak, DO NOT extract/copy every document or data that is exposed and limit yourself to describing and listing what is exposed.

Peculiarities

  • We reserve the right to use a "OneFixOneReward" rule, i.e., if two or more endpoints/forms use the same code base and a single fix can be deployed to fix all the ensuing flaws, only one report will be considered as eligible for a reward and other reports will be closed as informative. However, all reports will be reviewed thoroughly.
  • We reserve the right to consider findings previously reported in the now disabled Swiss Post - "*.post.ch" private program as duplicates due to its legacy.

GL;HF

Happy Hunting!

In Scope

Scope Type Scope Name
android_application

https://play.google.com/store/apps/details?id=com.nth.swisspost&hl=de_CH&gl=US

ios_application

https://apps.apple.com/ch/app/die-post/id378676700

undefined

(.post.ch:80|.post.ch:443) AND 194.41.128.0/17

web_application

https://account.post.ch

web_application

https://shop.post.ch/shop

web_application

https://service.post.ch/ekp-web/

web_application

https://service.post.ch/zopa/app/

web_application

https://service.post.ch/ele-klp/ele/

web_application

https://billingonline.post.ch/OnlinePayment/Web/v1/BOI

Out of Scope

Scope Type Scope Name
undefined

Anything that has not been described as in scope in the previous section is automatically out of scope.

undefined

Attacks on administrative and surrounding systems that are not used for the in-scope services are not permitted (this includes DNS, NTP, routers, systems of the ISP, etc.).

undefined

The alternative login (https://login.swissid.ch) is out of scope. It also leads to the in-scope service, (https://account.post.ch) but we have designated it as out of scope.

undefined

Please note that some of the applications may contain links or redirect you away from the URIs described in the scope section. This means you are leaving the scope if you follow these links / redirects.

undefined

Any services related to Incamail (for example https://incamail-dev.post.ch (194.41.248.224) and https://incamail-test.post.ch (194.41.248.58))


Firebounty have crawled on 2021-04-12 the program Swiss Post on the platform Yeswehack.

FireBounty © 2015-2024

Legal notices | Privacy policy