Swiss Post - the world’s best postal service - stands for secure and trustworthy conveyance of information.
In order to meet the highest quality standards, we are constantly mitigating security issues on multiple levels.
We are open to your vulnerability reports, and we will pay out a fair reward for confirmed and in-scope vulnerabilities.
Our aim is to continuously include more scopes of Swiss Post into this program. But we also reserve the right to terminate this program at any time.
Participants are permitted to perform any tests and investigations on the systems, as long as they act in good faith and respect the scope and rules described below.
Please read the following rules carefully, especially the information regarding the scopes of this program and the corresponding reporting requirements.
Please do not interfere with other hunters’ work when searching for vulnerabilities.
If the definition of the scope prevents you from exploiting other server-side vulnerabilities, this will be taken into consideration when calculating the compensation (e.g. you successfully pwn a server and are ready for lateral movement, but you do not exploit surrounding systems because they are out of scope).
We would like to thank everyone who submits valid reports that help us improve the security of Swiss Post’s IT system. However, only those that meet the following eligibility requirements may receive a monetary reward:
Reports on vulnerabilities are examined by our security analysts - our analysis is always based on worst case exploitation & the business criticality of the vulnerability, as is the reward we pay.
The scope of this bug bounty program includes the following apps, web apps and URIs, as well as all the Swiss Post resources directly sourced from these web apps.
Here you can create your account for the "Swiss Post Customer Login" and login to the digital world of Swiss Post. Please note that the alternative login with SwissID (https://login.swissid.ch) is out of scope.
This is the official online shop of Swiss Post.
Here you can manage your shipments and organize your preferred delivery options.
This online service provides all Swiss Post services for your addresses on a single platform – from verifying to updating and address management.
This service gives you access to different recipient services of Swiss Post.
The Post-App offers useful support and practical information on Swiss Post services
Billing Online is our payment service that is used within many of our online services.
Two additional use cases that you can acces through your wallet (https://account.post.ch/selfadmin/payment/) are loading your wallet and changing your credit card details.
There are no test credit cards for our productive environments. We suggest using your own credit cards.
For more information, please have a look at the integration guidelines.
Please note that some of the applications may contain links or redirect you out of the URIs described here. This means you are leaving the scope if you follow these links / redirects.
At the very core of any organization's web infrastructure lays DNS.
A dangling DNS entry is considered to be a DNS record pointing to a different domain/IP which is currently free/unregistered and can be brought in possession of an adversary.
Although this program’s scope is limited, we are appreciative of any help provided on this specific topic.
For the *.post.ch domain we are accepting :
In the context of this program, we do not accept or reward reports of leaks that are not applicable to our program’s scope and identified outside of our program’s scope.
Also, in order not to encourage dark and grey economies, in particular the purchase, resale and trade of identifiers or stolen information, as well as all types of dangerous behavior (e.g. social engineering, ...), we will not accept or reward any report based on information whose source is not the result of failure on the part of our organization or one of our employees/service providers.
To summarize our policy, you may refer to this table :
Type of leak | Source of leak is in-scope | Source of leak belongs to Swiss Post but is out-of-scope | Source of leak does not belong to Swiss Post and is out-of-scope |
---|---|---|---|
Impact is in-scope (e.g. valid credentials on an in-scope asset) | Eligible | Eligible | Not eligible |
Impact is out-of-scope (e.g. valid credentials for an out-of-scope asset) | Eligible | Not eligible | Not eligible |
This excludes, but is not limited to:
As a complement to the Program’s rules and testing policy :
GL;HF
Happy Hunting!
Scope Type | Scope Name |
---|---|
android_application | https://play.google.com/store/apps/details?id=com.nth.swisspost&hl=de_CH&gl=US |
ios_application | https://apps.apple.com/ch/app/die-post/id378676700 |
web_application | https://account.post.ch |
web_application | https://shop.post.ch/shop |
web_application | https://service.post.ch/ekp-web/ |
web_application | https://service.post.ch/zopa/app/ |
web_application | https://service.post.ch/ele-klp/ele/ |
web_application | https://billingonline.post.ch/OnlinePayment/Web/v1/BOI |
Scope Type | Scope Name |
---|---|
undefined | Anything that has not been described as in scope in the previous section is automatically out of scope. |
undefined | Attacks on administrative and surrounding systems that are not used for the in-scope services are not permitted (this includes DNS, NTP, routers, systems of the ISP, etc.). |
undefined | The alternative login (https://login.swissid.ch) is out of scope. It also leads to the in-scope service, (https://account.post.ch) but we have designated it as out of scope. |
undefined | Please note that some of the applications may contain links or redirect you away from the URIs described in the scope section. This means you are leaving the scope if you follow these links / redirects. |
Firebounty have crawled on 2021-04-12 the program Swiss Post on the platform Yeswehack.
FireBounty © 2015-2024